Trifarma S.p.A.

Trifarma S.p.A.
Product: active pharmaceutical ingredients (APIs)
Date: 7/7/2014

1. Failure to maintain complete data derived from all testing and to ensure compliance with established specifications and standards pertaining to data retention and management.

Your firm did not retain complete raw data from testing performed to ensure the quality of your APIs. Specifically, your firm deleted all electronic raw data supporting your high performance liquid chromatography (HPLC) testing of all API products released to the U.S. market. In addition, your firm failed to retain basic chromatographic information such as injection sequence, instrument method or integration method for the tests. Your firm?s lack of data control causes us to question the reliability of your data.

In addition, your laboratory management was unaware of, and therefore did not follow, the written procedure detailing the review of analytical data. Furthermore, your management confirmed that the review of analytical data did not include evaluating the system suitability parameters to ensure proper column performance.

Your response states that your firm has been researching backup systems since July 2013 and will have a backup system online by the third quarter of 2014. Your response also states you have begun provisionally storing backup data on each computer, including the integration method as part of that data. However, you do not address the backup of the injection sequence, the instrument method or audit trails. In addition, your response does not address how your firm will ensure that electronic files are not deleted prematurely from local computers.

In response to this letter, provide a comprehensive corrective action plan addressing the foregoing concerns. Include information regarding system-wide changes, revised procedures, and appropriate retraining of employees that will be implemented immediately to ensure retention of complete electronic raw data for all laboratory instrumentation and equipment.

2. Failure to prevent unauthorized access or changes to data and to provide adequate controls to prevent omission of data.
Your firm did not have proper controls in place to prevent the unauthorized manipulation of your laboratory’s raw electronic data. Specifically, your laboratory systems did not have access controls to prevent deletion or alteration of raw data. The inspection noted that all laboratory employees were granted full privileges to the computer systems.

In addition, prior to January 7, 2014, HPLC and gas chromatograph (GC) computer software lacked active audit trail functions to record changes to data, including information on original results, the identity of the person making the change, and the date of the change.

Your response statesyour Agilent GC system and HPLC systems now have audit trails, with (b)(4) more GC systems to be upgraded by the second quarter of 2014. However, your response did not describe the audit trails for the processing of the data on your Agilent systems. Your response also states your firm has begun to retain electronic raw data on the local hard drive, but without proper safeguards to ensure they cannot be deleted prematurely. Such safeguards will not be implemented until the third quarter of 2014.

In response to this letter, provide your corrective action plan to prevent deletion and alteration of electronic data. In addition, describe with more detail your firm?s new archival process and provide assurance that it will consistently function to prevent the types of failures described above from recurring in the future.

We also note that your firm lacked electronic raw data supporting cleaning, method and process validations. In response to this letter, provide a corrective action plan to review all related test methods associated with products distributed to the U.S. in light of the lack of supporting raw data.

FDA District Office: CDRH

About the author

Amy enjoys researching and writing about developments in medical technology and how that intersects with US law. She received her J.D. from the University of Florida Levin College of Law in 2020 and now works as a Regulatory Associate for SoftwareCPR®, a general-purpose regulatory consulting firm that is recognized globally for their expertise with standards and national regulations pertaining to medical device, mobile medical app, and HealthIT software.

SoftwareCPR Training Courses:

Being Agile & Yet Compliant (Public)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for registration!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

3 days virtual (Zoom) with group exercises, quizzes, examples, Q&A.

Lead Instructor: Mike Russell

Next public offering: Dec 3, 4, & 5, 2024 – 12:00 pm to 5:00 pm CET

Register Now


 

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Call or email now to schedule a private, in-house class. The fall schedule is filling up!

Email training@softwarecpr.com to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:

TBD

 


 

Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
USA
+1-781-721-2921
Partners located in the US (CA, FL, MA, MN, TX) and Canada.