There is a trio of buzzwords in the Drug Supply Chain and Security Act (DSCSA) that neatly describe how compliance is to be achieved: secure, electronic, and interoperable. The first two seem like fairly obvious and easy-to-meet standards. Our world is electronic, and—while nothing is ever 100% perfect—security has always been a chief concern in our digital lives. Interoperability, on the other hand, is the one that many in the pharmaceutical industry have been fretting about. And while most of the attention on this topic has been focused on ensuring trading partners on the supply chain are able to communicate with one another—securely and electronically, of course—there is a piece to this puzzle that’s been largely ignored: the quality of the data.
With the DSCSA’s goal of making pharmaceutical distribution more secure and traceable, every entity along the supply chain is going to be responsible for generating, receiving, storing, and sharing loads of information. Ahead of the 2023 deadline for compliance, the focus for these entities is making sure they are up to standard on the technical elements. Whether their current systems and software can handle the requirements has become a main concern. Second behind this is whether their trading partners are also ready and able to continue doing business within this new paradigm. Still, this concern over a compliant backend must not come at the cost of validating all the master data they already have.
What We Mean When We Talk About Pharma Data
For companies that find themselves affected by the DSCSA, the kind of data you’ll be concerned with is, well—pretty much all of it. It’s not just a matter of worrying about lot or unit level serial numbers, which are crucial for traceability requirements, or knowing the expiration of your partners’ licenses. Everything needs to be clean and accurate. Your customers’ and vendors’ contact information is important. As is the case with product codes, financial information, records of sales and purchases, inventory…the list goes on. Every byte of information you’re storing that’s relevant to your business—which should be every byte of information you’re storing—needs to be treated as vital information.
The implication of this is that all this data needs to be accessible, organized, and accurate. And every attempt to work with the data—whether you’re entering new information, recalling or editing old information, or recording transactions—has to be auditable and reportable. The issue is, while everyone is focused on the future and making sure their infrastructure is up to the demands of DSCSA requirements, a lot of this data exists outside core business systems and isn’t being treated with the level of care it should be. Data exists in spreadsheets, emails, and Word documents, in communication channels like Teams chat, or stored in shared drives in the cloud. Meanwhile, the processes to validate and/or back up the data are subject to human error: for example, someone transposes two characters in a serial number, or stores critical or active data on a low-priority shared drive when hourly snapshots are called for.
These are just a few examples of how things can go awry, and even if every one of these potential problems were 100% fixable, they still take time and money away from mission critical tasks for the fix to happen. But that isn’t all. Because of the DSCSA’s interoperability requirements, inaccurate data doesn’t just adversely affect your own internal operations. Your trading partners are relying on you to provide them with consistent, accurate data, and one human error on your side could propagate its way out to several more stops along the supply chain.
Set Yourself Up For Success
With just under two years to go before the DSCSA’s final compliance deadline, now is the time to take a look at all your data and start to strategize ways to keep it all in order. Everything you’ve implemented, or will implement, toward the goal of compliance shouldn’t exist in a vacuum. As you invest in new technology, keep your existing data and processes in mind and ask how that can all be part of a more singular solution. As you race toward the DSCSA finish line, keep these pointers in mind:
- Consolidate as much as possible onto a single platform.
For most enterprises, an Enterprise Resource Planning platform, or ERP, is where the bulk of the mission-critical computing happens. This is especially true of any company that’s part of a supply chain, and ERPs have been the focus of pharma companies trying to upgrade their way to compliance. This software is the backbone of operations, and so it makes sense to get as much data as you can into the system. There was a time that consolidating like this would be considered dangerous, that such a setup would be nothing more than a Single Point of Failure. In today’s modern computing environments, with virtual servers accessible in the cloud and a large slate of backup options, these are outdated worries. Today, consolidating data onto your ERP software is more a Single Point of Truth.
- For a Single Point of Truth to live up to this name, auditing and reporting capabilities are a must.
Errors happen. It’s a foregone conclusion that people will screw up from time to time, and it shouldn’t be the end of the world. Good software will drop digital breadcrumbs as actions are taken, leaving an audit trail that allows people to quickly and accurately identify how, when, and by whom data was input or changed erroneously.
- Prevent mistakes before they happen by controlling access to data in accordance with people’s roles and responsibilities.
Make sure that any system you invest in has robust features around defining user roles and what data they can access. Example: your finance team doesn’t need the same info as your warehouse team; there’s no reason for them to have access to things like stock counts and pick lists. They can’t mistakenly change data they don’t have access to.
- For any data or task that can’t be addressed by an ERP, ensure whatever system you use can integrate with it.
Though consolidation is the goal, it’s unrealistic to think you’ll be able to address all your IT needs with a single platform. In this case, internal interoperability becomes crucial. When scoping out potential new solutions for your tech needs, you’ll want to make sure the developers offer ready-made integrations with your other platforms—or, at the least, the software has an open Application Programming Interface (API) to facilitate a custom integration.
- Data retention policies need to cover more than just what’s stored on a hard drive.
Like it or not, we are still using paper to an astonishing degree, while electronic documents that exist outside EDI- and EPCIS-enabled software are still the norm. Regulations around retention don’t just apply to the discrete bits of information found in your ERP and other systems, even if that data was imported from these more old-school documents. All of these documents—as well as emails—must be saved in accordance with the terms of the regulations that govern their retention, and need to be considered when you’re mapping out your processes for compliance.
- Accessing and protecting data is a crucial component of your overall strategy.
As mentioned in the first tip listed, most enterprise software lives in the cloud in a virtual layer of computing that, by design, results in system availability and data protection that’s light years ahead of what was realistic even 5 years ago. This doesn’t mean you can get complacent and assume the software developers or server hosts are aiming for the same level you’ll need. Data needs to be accessible from anywhere, safely and securely, at any time of day. Meanwhile, data backups need to be planned so that, even if all that crucial data suddenly disappeared without notice, you wouldn’t have lost a thing.
While all these tips are, in general, best practices for computing and not necessarily pharma specific, that doesn’t mean they are any less relevant. Passage of the DSCSA has had so many in the industry focused on the requirements of the law, but it’s important to remember that compliance is still only part of your overall IT strategy. Ignoring all these aspects in favor of meeting the 2023 deadline may speed up your efforts in the short term. But the law is meant to be a long term solution, and planning properly for it has to include all these other considerations.