By David Colombo, KPMG LLP
As pharmaceutical manufacturers continue to implement serialization capabilities, there is often a failure to recognize key stakeholders within the organization who will require access to serial number data. For some organizational roles, access to serialization data will be needed on a routine basis to perform ongoing activities, while for other roles access may be needed as part of an unplanned event, such as a recall, product complaint, or inquiry. To date, the majority of attention for defining requirements and qualifying solutions has resided with the serialization program/project team and has been concentrated on the data exchange between manufacturer and contract manufacturer enterprise systems and between enterprise systems and packaging site/line systems.
The Drug Supply Chain Security Act (DSCSA) introduces a new requirement for manufacturers that becomes effective November 27, 2017. Known as “requests for verification,” this requirement compels the manufacturer to respond to any authorized re-packager, distributor, or dispenser in possession of the product who makes an inquiry to the manufacturer about the product with reference to the product identifier and SNI (standardized numerical identifier).
While data access across enterprise and packaging site/line systems is a foundational need in order to execute standard serialization processes, there are numerous stakeholders across the enterprise who will require access to serialization data in order to execute business processes. In some instances, these processes are directly linked to compliance with regulations, such as the DSCSA and the European Union Falsified Medicines Directive (EU FMD).
In order to sustain controlled, ongoing operations with product serialization and compliance readiness, it is important to identify these stakeholders and include them as part of the overall solution definition and operational processes.
To get started, manufacturers need to answer the following questions:
- What processes require or potentially require the need to access serialization data?
- Who in the organization currently performs / will perform these processes in the future?
- How and when does the data need to be accessed?
- What system security and procedural controls are needed to limit access and ensure appropriate usage of the data?
The conclusions of such an assessment will establish business and system requirements, as well as provide context for updates to operational documents such as procedures and work instructions.
To illustrate this type of assessment, the following sections will present examples using two processes: batch release and DSCSA requests for verification.
Batch release can ultimately affect all other downstream processes impacted by serialization. Therefore, it is a critical process for ensuring serial number data aligns to the batch quantity. Subsequent to completing a process order to package a batch of finished product, a usage decision is made to determine whether or not the batch can be released for distribution based on the product’s testing and inspection results against predefined criteria. When each saleable unit of a batch is serialized, it is physically marked with a two-dimensional code (called a Data Matrix) containing the product’s GTIN (Global Trade Item Number), expiration date, lot number, and a unique serial number that is never a duplicate of the GTIN.
It is important to appreciate that when a batch of finished product is serialized, each of the serial numbers that were successfully printed/inspected and therefore commissioned must be: (1) associated to the batch, (2) able to be retrieved/compiled for reporting, and (3) able to be updated if/when required. Updates to serial number data could include non-routine scenarios where product is damaged, destroyed, etc., and routine events such as when the serialized product is shipped, which is a future requirement of DSCSA in 2023.
Serialization, therefore, introduces a new criterion that must be included in the inspection profile: comparing the quantity of physical inventory of the batch to be released with the quantity of serial numbers electronically commissioned for the batch. If the quantity of commissioned serial numbers is less than the physical quantity being inspected for release, some portion of the batch physically marked with a serial number does not have a corresponding record in the manufacturer’s serialization system repository. This is a problem, and such a condition should trigger a quality investigation, as all SNIs of products sold/distributed are eligible for trading partner and regulatory inquiries. Failure to properly store, control, and retrieve this information could jeopardize the manufacturer’s ability to accurately respond to external requests (see below). Therefore, personnel in the quality organization with responsibilities for entering inspection results and/or conducting batch release activities must be able to access serialization data.
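The release check described above, as an added example (not code from the article or from any serialization product): it reconciles labels scanned from the physical batch against the serial numbers commissioned for that batch and flags the conditions that should open a quality investigation. It assumes labels are available in GS1 human-readable form with application identifiers (01) GTIN, (17) expiration date, (10) lot and (21) serial; the function names and all GTIN, lot and serial values are constructed.

```python
import re
from collections import Counter

# Assumption: labels arrive as GS1 human-readable element strings, e.g.
# "(01)<GTIN>(17)<YYMMDD>(10)<lot>(21)<serial>".
_ELEMENT = re.compile(r"\((\d{2})\)([^()]+)")
_FIELDS = {"01": "gtin", "17": "expiry", "10": "lot", "21": "serial"}

def parse_label(text):
    """Split one label into gtin/expiry/lot/serial; reject incomplete labels."""
    found = dict(_ELEMENT.findall(text))
    missing = [ai for ai in _FIELDS if ai not in found]
    if missing:
        raise ValueError(f"label {text!r} lacks element(s) {missing}")
    return {name: found[ai].strip() for ai, name in _FIELDS.items()}

def reconcile(gtin, lot, scanned_labels, commissioned_serials):
    """Compare units inspected for release with the repository's commissioned serials."""
    units = [parse_label(t) for t in scanned_labels]
    in_batch = [u["serial"] for u in units if (u["gtin"], u["lot"]) == (gtin, lot)]
    wrong_batch = [u["serial"] for u in units if (u["gtin"], u["lot"]) != (gtin, lot)]
    counts = Counter(in_batch)
    commissioned = set(commissioned_serials)
    report = {
        "physical_qty": len(units),
        "commissioned_qty": len(commissioned),
        "no_record": sorted(set(in_batch) - commissioned),    # marked, not in repository
        "not_scanned": sorted(commissioned - set(in_batch)),  # in repository, not inspected
        "duplicates": sorted(s for s, n in counts.items() if n > 1),
        "wrong_batch": sorted(wrong_batch),
    }
    # Any unit without a matching record blocks release pending investigation.
    report["investigate"] = bool(
        report["no_record"] or report["duplicates"] or report["wrong_batch"]
        or report["physical_qty"] > report["commissioned_qty"]
    )
    return report

# Constructed sample data: five scanned units, four commissioned serials.
PREFIX = "(01)00312345678906(17)271130(10)LOT42A(21)"
SCANNED = [PREFIX + s for s in ("SN0001", "SN0002", "SN0003", "SN0003", "SN0005")]
COMMISSIONED = ["SN0001", "SN0002", "SN0003", "SN0004"]

if __name__ == "__main__":
    print(reconcile("00312345678906", "LOT42A", SCANNED, COMMISSIONED))
```

The `not_scanned` list is reported but does not by itself trigger an investigation here, since commissioned units may have been legitimately damaged or destroyed and only need their status updated.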
Requests for Verification
If a request for verification is made to the manufacturer, it could be directed to the customer service / trade accounts team that interacts with trading partners. An inquiry could also come into the manufacturer’s customer call center if the party in possession of the product is not a direct trading partner of the manufacturer. There are at least two approaches manufacturers can take to ensure that the appropriate stakeholders have access to serialization data:
- Provide the ability for customer service and call center resources to query the serial number repository in order to respond to these requests, or
- Create a process whereby such inquiries are formally documented and routed to the responsible quality department or other designated, authorized resource to investigate and formally reply.
Before presuming that any role fielding an inquiry related to an SNI requires access to the serialization data, organizations need to consider the implications. For example, the first approach may not be practical or desirable due to the potential number of users who would require system access and who would need to be trained in the steps for querying the data and responding to the inquiry in a complete, accurate, and consistent manner. The Quality unit may instead require that all such inquiries be routed to a designated, responsible group within the Quality organization and controlled in a manner similar to other pharmacovigilance processes.
The DSCSA stipulates an expectation of a turnaround time of 24 hours for responding to requests for verification; therefore, it is important that manufacturers define and implement a process that ensures all obligations are met. A formal approach that leverages a QMS (quality management system) application can support documenting the intake of the inquiry, the investigation activity, and the response, as well as manage the workflow and provide indication of any responses due / past due. Manufacturers should consider an approach similar to how other pharmacovigilance processes are managed within their organization.
As can be seen from these two examples, quality personnel who oversee any of the following areas will need access to serialization data, either as part of ongoing operations or in response to an inquiry or other event:
- Internal packaging operations
- Contract packagers
- Distribution operations
If they have not done so already, manufacturers must finalize the process impacts and update organizational responsibilities in order to determine access requirements, update system configuration and operational procedures, and train personnel. Failure to take these measures will soon become a compliance risk, when the new requirements of the DSCSA go into effect in November 2017.
About The Author:
Dave Colombo is a director within KPMG’s Life Sciences Advisory Practice, with over 25 years of experience supporting supply chain execution processes at a large global pharmaceutical company. Prior to joining KPMG, he spent six years dedicated to product coding, serialization, and traceability implementing solutions in Turkey, China, Spain, and the U.S. You can reach him at firstname.lastname@example.org or connect with him via LinkedIn.