Focus DSCSA- Business Risks linked to Serialization Mandates

Change equates to risk. The greater the change and the complexity of it the higher the level of risk. The Drug Supply Chain Security Act (DSCSA), like most serialization mandates, includes many changes and some of them are highly complex in nature. In our previous blog post “DSCSA  – The Final Countdown“, we have outlined some milestone dates for the major areas of functionality to be implemented. Now, we can look at some risk factors in each area.

The first issue that come to notice is systems connectivity. Currently many packaging lines are isolated “closed” systems that are not connected to anything and have very little exposure from a security standpoint. That all changes now that we need to serialize things. At absolute minimum, we need to get the serial numbers off the line level and stored somewhere to report against for the next six years if the FDA requests the data. In many cases, some if not all the serial numbers are coming from a higher-level system: either plant level, enterprise level, or inter-enterprise from our customer’s systems. This level of connectivity requires planning and consideration. The lines can now be a problem that shuts down the enterprise. Equally, if there is a problem on enterprise level it can result in a complete shut-down of the lines.  Learn more on how to tackle systems security  concerns.

Looking at the changes from a process perspective all the Standard Operating Procedures (SOPs), training documents, etc. will need to be updated. This factor alone has led to the decision of many companies to aggregate ahead of schedule. They try to gain time by training the operators one time on a new SOP and new documentation for the future instead of implementing a non-aggregation solution now and then having to redo all the SOPs, operator training, etc. in 2019.

As you evaluate the inherent risks of serialization programs a greatly overlooked area is in the full lifecycle impact of these programs to your business. This is mission-critical, you cannot sell product without meeting legal requirements and therefore your solution must be available all the time as there is no manual workaround available. We can leverage some well thought out IT concepts here. We need to consider what our RTO and RPO should be. RTO, recovery time objective, can be simply stated as how long will it take to get back up and running once something breaks. Can we take a device off another non-RX line or from some distributor’s on-hand stock and get back up in 2 hours or will we be down for several days? A good example for mission-critical equipment are print-and-verify modules.

The RPO, recovery point objective, can be stated as what point from a data perspective will we recover to. Will the last lot being worked on have to be repackaged as a new lot? Can we finish were we experienced the failure? Many system implementation options will affect this particular question. Make sure you understand the ramification of your design choices in this area as it is too late once something fails to change it.

The amount of resources needed for a serialization and aggregation program across its lifecycle is the most underestimated area of all. Many people will be directly affected to different degrees through the lifespan of the solution. Many of which are not obvious upfront. This can be summed up nicely in the following quote from the IT Director of a Major Global Generics Manufacturer:

“Serialization affects all aspects of an organization, and if you think it doesn’t, you haven’t thought about it enough yet.”

With the right serialization strategy and a solution that is best adapted to your business, you can even turn serialization compliance into opportunities to optimize your supply chain, improve order fulfillment and enhance your marketing.