On December 17, 2015, the FDA issued a warning letter to Sun Pharmaceuticals Industries Ltd. in Gujarat, India. Sun Pharma’s website boasts that it is the “World’s 5th Largest Specialty Generic Pharmaceutical Company” with over 2,000 products in more than 150 markets across the globe.
When an organization that large winds up with a warning letter, it’s worth taking note.
The letter detailed six findings related to cGMP violations (21 CFR 211). While many of them were disturbing, such as a lack of sterilization and quality controls, it was the sixth finding that I found the most interesting: shared passwords.
On the surface, sharing a password among “four or five individuals” pales in comparison with a lack of sterilization procedures in a drug manufacturing plant. But the problem with “sharing” is the lack of individual accountability – the inability to trace an action back to the person who performed it. Traceability is so critical in our industry that the FDA cited the violation in the letter, right there next to the failure to “maintain floors, walls, and ceilings of smooth, hard surfaces that are easily cleanable in aseptic processing areas.” Yikes!
Of course, just issuing unique passwords isn’t enough to remedy the problem. We need established, documented procedures covering who is allowed to gain access (how is “authorized” defined…and proven?), how access is controlled, and the roles and responsibilities associated with user access.
This is where things like user account request forms, training records, ink signature logs, and even standard date formats come into play. I promise – these requests from your QA and Validation colleagues aren’t just designed to annoy you. They’re all pieces of a bigger picture (think: quality management system) designed to keep patients safe from sub-par products…and life sciences companies safe from warning letters.