What is RPA and how can it become a part of DSCSA compliance strategy?

Robotic Process Automation (RPA) is quickly gaining ground in business, as it now allows tasks, which used to be handled by employees for many hours, to be reduced to automated processes that take much less time.

Automation is carried out through dedicated software bots that have been programmed to perform specific tasks according to rules and commands previously written in a computer program. This allows them to support employees that have to deal with repetitive, serial actions.

Without the need for any software integration and complicated programming, robots help fill out records and documents, and can be used to send automatic notifications, make schedule entries, transfer data between systems, create documents, as well as for reporting, controlling, or ensuring data compliance.

Especially this implementation flexibility makes RPA a good software to be used in achieving DSCSA compliance - it’s guaranteeing interoperable characteristics of the system, required by the regulator.

What does interoperability mean, according to DSCSA?

FDA defines “interoperability” as the ability to exchange the product tracing information:

• accurately,
• efficiently,
• and consistently among trading partners.

In order for any system, process, or practice to be interoperable, the subsequent purchaser must be able to successfully capture and maintain the product tracing information, regardless of whether the information is provided in a paper or electronic format.

In more general terms, interoperability is the “ability of computer systems or software to exchange and make use of information.”

Because RPA software does not require programming skills to start using robots and allows to automate tasks across any combination of applications and databases, it’s a great solution for companies that are working with a mix of legacy systems and newer solutions, have to deal with multiple manual tasks to comply with DSCSA requirements, and do not want to spend additional time and resources on complicated integrations with multiple systems.

RPA as a part of a strategy to automate processes and workflows in pharmaceutical companies

In this article, we focused on a small part of the automation strategy, which is the use of RPA software for streamlining manual and error-prone processes, which can be identified and linked with DSCSA compliance requirements.

It’s worth noting that it would be impossible to find today a pharmaceutical company that did not implement any sort of electronic document workflow. But with all the changes that are happening within the industry, it is essential to ensure that such document circulation systems still properly serve their purposes, which are most of all:

• eliminating human error from the document flow process,
• ensuring control over the document circulation processes,
• creating a central repository for documents,
• putting in order messy and unstructured processes.

Many companies have implemented an electronic document workflow without proper thought. That is why we can find even today companies that struggle with outlandish and intricate processes executed in an even more outlandish way.

To learn more about what a company should consider to assure that automation is being implemented and used in the most effective way, we invite you to read our in-depth guide on How to streamline and automate processes and workflows in your company.

What are the main DSCSA compliance requirements?

After analyzing Drug Supply Chain Security Act we can identify main areas, on which companies have to focus to assure compliance regulations:

• suppliers verification - ability to quickly confirm that trading partners licenses and registrations are in order,
• tracing documentation - potential to receive, validate, store (for 6 years), and provide product tracing records (within 48 hours),
• investigation - ability to quickly identify illegitimate drugs and properly handle such cases,
• FDA and trading partners notifications - company is obligated to process notifications within 24 hours after determining a product is illegitimate,
• audit responsiveness - as companies are required to provide key information, such as traceability data, within 2 days, they have to be searchable.

In each of those areas, we can help you to identify repetitive processes that can be streamlined with Robotic Process Automation. A good example will be combining RPA software (for example UiPath) with optical character recognition (OCR), which allows converting print or handwritten text into machine-encoded text, allowing the company to easily digitize and effectively used data that are received in paper format.

Robots are also capable to work with any technology that your company is using, not only old legacy systems but with enterprise applications including SAP, Salesforce, Oracle, Microsoft, Google, ServiceNow, and hundreds of others.

If you are unsure if robotic process automation is right for your company, get in touch with one of our experts. Book a free, 30 minutes consultation and we will break down how well RPA solutions fit into your business specifics.

Automation opportunities, according to FDA guidance on the DSCSA

As for now, FDA seems to have no intention to postpone the deadline for pharmaceutical companies - they need to be ready to comply with interoperability requirements by November 27, 2023.

As procedural works within FDA proceed, the agency publishes guidances that should help the industry to prepare accordingly. On June 3, 2021, it released one new draft guidance, two final guidances, and a revised draft guidance document regarding the Drug Supply Chain Security Act.

A thorough analysis of the documents allows identifying some automation opportunities in them, that the pharmaceutical industry can benefit from.

RPA opportunities detailed in “Enhanced Drug Distribution Security at the Package Level Under the Drug Supply Chain Security Act: Draft Guidance for Industry”

This Draft Guidance provides recommendations for the industry on the “enhanced system” attributes necessary for secure tracing of products at the package level, which includes interoperable, electronic, package-level tracing systems and processes, recognizing a need to use proper inference and aggregation tools. Especially aggregation (collection of information strung together to complete a report or analysis) is easily automatable with RPA tools.

We identified some potential use cases of RPA in the Draft Guidance:

1. System Attributes:
   • Bots can guarantee the exchange of transaction information and transaction statements in a secure, interoperable, electronic manner, with proper governance and security frameworks in place.
   • RPA software can receive and pass transaction information that includes all product identifier data elements to and from any system.
   • Automate the process of gathering transaction information to respond to FDA, government agency, or other trading partner requests
2. Incorporation of Product Identifier in Product Tracing Information:
   • Data such as serial number, expiration date, lot number, etc. should be automatically obtained from various systems and added to the transaction information.

As stated by FDA, this requirement refers to both, Selling and Purchasing Trading Partners:

• Selling Trading Partners should “develop and use processes that automate the recording and transmission of the electronic data in the transaction information (e.g., product identifier) and transaction statement associated with the product physically shipped to the purchasing trading partner”,
• Purchasing Trading Partners are advised to “develop and use processes that automate the reconciliation of the associated electronic data in the transaction information and transaction statement with the product received.”

1. Handling Aggregation Errors and Other Discrepancies
   • If a company purchases a product and identifies the potential clerical errors or other discrepancies, they should be resolved within three business days. This may include contacting a trading partner and obtaining tracing information. This process can be largely automated with RPA software, speeding up investigation, which is crucial as FDA recommends that the product involved should not be sold to the next trading partner before the problem has been resolved.
   • Additional actions recommended by FDA that can be automated include mutual notifications of such aggregation errors between trading partners and preparation of proper documentation, proving that error was resolved (by compiling and storing data such as the nature of the error, a description of how the error was resolved, the names of the persons involved and the date of the resolution.
2. Gathering Product Tracing Information:
   • FDA recommends that systems and processes have to collect transaction information and transaction statements “in a rapid, electronic manner from all trading partners”. As trading partners should be able to respond within 1 business day, automation of such requests and replies seems to be a reasonable solution.
3. Enhanced Product Verification:
   • Trading partners should adopt processes to automate the verification of products down to the package level. As the guidance recommends that trading partners provide a response to a verification request “within 1 minute of receipt of the request”, there is really no place here for manual actions and an easily implementable solution will be preferred.
4. Illegitimate Product Alerts:
   • Systems used by trading partners should a message or alert to the supply chain. FDA recommended implementation of processes that can associate the alert with the affected product identifier (e.g., the alert is “retrieved when a trading partner scans the product identifier upon receipt or as the product is being processed for sale or shipment”), including when it is part of aggregated data - for this use case RPA is also suitable and easily configurable.

Potential automation use cases from “Drug Supply Chain Security Act Implementation: Identification of Suspect Product and Notification: Guidance for Industry”

With this update, FDA earlier draft guidance, addressing how trading partners should identify a suspect product, notify the agency, and terminate the notifications in consultation. As the requirement is to notify the FDA and all trading partners who could receive the illegitimate product no later than 24 hours after discovering the issue, opportunities for automation arise in multiple areas.

FDA determined three high-risk factors that, if any is present, require the company to notify FDA and the immediate trading partners within 24 hours - RPA can be used not only to identify such cases but also to automate the notification process, by gathering the required information from various sources and compiling them.

Another use case could be creating and storing required reports, which prove that appropriate actions have been taken by the company. Such reports should be easily accessible for future controls, and as multiple examples within the industry show, companies have problems complying with this requirement.

We have analyzed cases investigated by FDA, related to DSCSA compliance and warning laters which have been issued, to see what are the most common problems, and how automation could help companies in solving these issues. As observed problems are similar, we focused on the first (and most widely discussed) warning letter, to show automation opportunities with life cases.

RPA use cases based on DSCSA warning letters

The first warning letter citing failure to comply with requirements of the Drug Supply Chain Security Act (DSCSA) was issued to McKesson Corporation in San Francisco on February 7, 2019. This warning letter was widely commented on within the industry, and companies analyzed what specific activity or process the FDA found objectionable, to learn what precautions they should take.

Examples when the company could benefit from RPA software to assure DSCSA compliance

According to the FDA warning letter, McKesson Corporation failed to:

• respond to illegitimate product notifications as required, which includes identifying all illegitimate products subject to such notifications [...],
• quarantine and investigate suspect product,
• keep, for not less than 6 years, records of the investigation of suspect products and the disposition of the illegitimate products.

Example 1. Missing or substituted drugs

This case describes a situation when several bottles of oxycodone hydrochloride received by pharmacies were either empty or were substituted with other pharmaceutical drugs. Upon investigation, McKesson determined it was likely that the oxycodone was replaced with other products while they were in McKesson’s control.

According to FDA, McKesson failed to:

• demonstrate that it identified all illegitimate products subject to the notification and placed the product under quarantine (through the search for a product with the same lot number or National Drug Code/NDC),
• notify immediate trading partners that may have received a product with the same lot number or NDC.
• provide records demonstrating the disposition of these illegitimate products (which should be not only created, by also stored for 6 years).

From a business perspective, each of those tasks could be automated in a way assuring effective compliance, by creating proper alerts, sending automated notifications, or compiling data for records to prove that appropriate actions have been taken.

Example 2. Missing both lot number and expiry date

Identification of Suspect Product and Notification guidance describes the lack of lot number and expiry date on a drug as an example case suggesting “the likelihood that they are suspect products”.

When such an event was reported to McKesson, it should have triggered some action or further investigation. Initial company response could be automated, to avoid delays in reaction frequently occurring when manual actions are required.

McKesson did not demonstrate that it quarantined all products and conducted an investigation to determine whether the products were confirmed as illegitimate, according to the warning letter, in particularly:

• the company provided documentation to FDA that it notified the facility involved of this event, but the facility denied receiving a quarantine notice,
• no evidence of the quarantine notification was found in McKesson’s electronic system,
• there was no evidence that other distribution centers were notified to confirm the presence of these drugs and place them under quarantine.
• paper documents provided appeared to be an inventory listing query, with handwritten notes, but they were undated and unsigned.

Automatic notifications also, in this case, could be a solution, as well as proper reports created with data aggregated from various company systems, to assure that all records from the investigation and quarantine process will be in place for future controls.

DSCSA timelines and automation opportunities for pharmaceutical companies

With many of the DSCSA elements in place, there is still a lot to be done to assure full compliance with interoperability requirements by November 27, 2023. The remaining steps of implementation from the FDA standpoint include:

Source: FDA

We should expect multiple changes, especially with further clarifications of the FDA's understanding of certain technologies that can be used to comply with DSCSA requirements.

For pharmaceutical companies, deepening the digitization and automation of processes in can be a future competitive advantage. On the other hand, the efficiency and effectiveness of digital transformation implementation largely depend on the plan and strategy.

How can we help pharmaceutical companies in Robotic Process Automation?

With our experience from working on complex projects, as RPA consultants we are able to guide a company through the entire process of RPA implementation, from creating a strategy, discovering processes, designing optimal configuration, testing, up to full-scale use, and effectiveness monitoring.

GSS IT Consulting experts can support pharmaceutical enterprises in starting digital transformation with:

• defining strategy,
• analyzing, understanding, and documenting business processes,
• setting up operating models,
• identifying technical infrastructure requirements to deploy automation solutions,
• educating employees and helping to create an “RPA-friendly” environment, where each team member looks for more automation opportunities to support company transformation,
• creating and documenting test scenarios and procedures to ensure optimal configuration,
• training team members in the building, operating, and maintaining automation solutions,
• helping to solve issues that arise in day-to-day operations with RPA software,
• further support of the implementation of any type of automation technologies by the company,
• helping to plan and set up Centers of Excellence or Process Mining Hubs, to boost up automation efforts.

If you are wondering how to start or improve the implementation of automation and digitization of processes and document flow in your company, get in touch with one of our consultants. You can book free 30 minutes consultation with us and we will help you identify your needs and pick the right technology to match your challenges.