Rx-360 Supply Chain Security White Paper: Incident Management

Transcription

1 Rx-360 Supply Chain Security White Paper: Incident Management 1

2 Contents Background... 3 Scope... 3 Definitions... 4 Introduction... 5 Discovery & Investigation... 5 Incident Management... 6 Lessons Learned Analyzing Incident Data/Investigating Root Cause Continuous Improvement Concluding Remarks End Notes

3 Background The threats of intentional adulteration, cargo theft, counterfeiting, illegal diversion, and tampering are a serious problem in our global marketplace; where criminals are profiting by putting unassuming patients at risk. These threats are product security issues. No pharmaceutical company is isolated from this rising challenge; a challenge that has caught even our world leaders attention 1. Effective incident management of product security issues equips a company to respond quickly, effectively, and in the interest of patient safety. As an industry, most pharmaceutical companies can attest to having rigorous, standardized processes for handling quality incidents internally. While many pharmaceutical companies already have systems and processes in place to prevent, detect, and respond to product security issues, the maturity of these systems and processes vary from company to company. The intent of this white paper is to share good practices for the incident management of product security issues, with the ultimate goal protecting patient safety. Scope This white paper is a high level overview of process considerations for the incident management of product security issues. Product security issues in the legitimate supply chain are, once confirmed, per definition called an incident (see also definitions). While the process considerations proposed are primarily targeted for product security issues in the legitimate supply chain, they can also be applied to the illegitimate supply chain. Product security issues related to investigations in the illegitimate supply chain (e.g. illegal internet sales) do however have specific investigation techniques, which are not covered in this white paper. 3

4 Definitions Counterfeit А counterfeit medicine is one which is deliberately and fraudulently mislabeled with respect to identity and/or source. Illegal Diversion Unlawful drug diversion is the unlawful, out of channel sales of medicines. This can include: geographic diversion (illegal importation of unapproved product or illegal importation of approved product intended for another market), contract diversion (breach of own use government or contracted pricing terms), and sale of stolen, unsalable returns. Intentional Adulteration/Manipulation Intentional adulteration/manipulation incidents occur prior to manufacturing when unscrupulous suppliers of raw materials or packaging components deliberately dilute or substitute ingredients. In doing so, they compromise the product s integrity and safety. Forensics Testing completed on a material or product to determine authenticity, typically applied to materials or products to confirm a suspected counterfeit. Product Security Issue An umbrella term for any occurrence of intentional adulteration, counterfeiting, product theft, unlawful diversion or tampering. Singularly, these product security issues are often referred to as incidents. Product Theft The unlawful taking of a product/material by a person or persons with the intent to resell or distribute for personal gain. 4

5 Introduction There are several process stages companies may progress through while addressing a product security issue. The graphic below depicts these stages: discovery, investigation, incident management and lessons learned. The primary focus of this white paper is incident management; supporting information is provided for the other stages for context only. Companies should apply the content of this white paper as appropriate to their specific businesses. Discovery Investigation Incident Management Lessons Learned Discovery & Investigation Companies should have a process and tools to gather, store and analyze any reports on potential or factual threats and signals indicative of product security issues. For counterfeit and diversion, at a minimum, there should be a record of the received information of product security issues so that they can be reviewed and assessed. The record can range from a document or spreadsheet, to a sophisticated relational database that can record the threat/signal data to use in the human or automated analysis and discovery of trends/patterns that may warrant further investigation by the company. The sooner a trend/pattern or a single data point is recognized as suspect or potential counterfeit, diverted or unapproved product and reported out to the appropriate company management/functions the more value this external monitoring has for the company. Another patient safety consideration for counterfeits is the importance of forensic testing. Counterfeits may not only lack medicinal ingredients, they may contain ingredients that are harmful if ingested. Timely forensic testing can equip a company to respond more effectively to the dangers of counterfeits. See the Rx-360 Supply Chain Security White Paper on Threats and Monitoring Processes, published in May 2012 for more information on this topic. 5

6 For theft, potential and confirmed thefts tend to be more obvious as there is likely more readily available evidence that signals an incident. Security and Supply Chain professionals are typically involved in confirming thefts. Effective monitoring and reporting tools should help a company respond, not only to the specific incident and possible recovery of the product, but also in reporting to various agencies and for planning to replace or replenish the product within their supply chain process. See the Rx-360 Supply Chain Security White Paper on Cargo Risk Assessment, published in May 2012, for more information on the threat of theft. Initially, many product security issues fall into a suspected incident category. Depending on the type of issue, it varies who is involved in this initial investigation. As all supply chain security incidents are considered criminal, security functions should be involved in all confirmed incidents. Other applicable parties may include Quality, Regulatory, Procurement, Supply Chain, Supply Chain Security, Product Business Managers, Local/Country/Regional Leads/Managers, Legal, Medical, Crisis Management, Manufacturing, Customer Service (order taking), and Transportation depending on the type of incident and the initial perceived severity/risk. The investigation should confirm the legitimacy of the signals/alerts in the discovery phase. Often times, the trigger for starting the incident management process is when an incident is confirmed. Incident Management For the purposes of this white paper, incident management is the part of the overall process where the information needed for a risk assessment, including patient safety impact, is gathered, analyzed and reviewed. In general, companies should consider the development and deployment of an incident management protocol. The protocol should include guidelines for information needed about the incident to make good decisions, such as a summary of what happened, any available information from the investigation, actions taken to work with law enforcement or health authorities, immediate decisions or actions already taken to contain the risk or communication with external partners and any planned next steps. A list of items that many companies include in initial reports follows below. 6

7 This list is not exhaustive and availability of information often varies on an incident to incident basis: Brand name of product(s) involved, including lot number, quantity, expiry dates, batch distribution information (impacted and overall lot) Date of incident discovery/confirmed date of incident Date incident is reported Country/geographic location where incident was first discovered Law enforcement actions taken Health authority notifications/actions taken Consumer notifications Stakeholder groups notifications (partners/affiliates, internal and external) Tracking identification (linked to other documents for reference) Additional information that briefly adds context to the situation, such as a description of known events leading up to the incident, immediate actions taken to secure product integrity, the value of the product compromised, or other information that may be helpful for the risk assessment and investigation of root cause. Some considerations for which individuals or functions should be involved in the process are outlined in the table that follows. While all parts of this table are important, patient safety is unequivocally paramount in incident management decisions. 7

8 Incident Specific Roles Responsible for: Common for all Incident types Product Theft Counterfeit / Tampering Illegal Diversion Intentional Adulteration Security Considerations (Investigation Prosecution) Patient Safety Considerations (Pharmacovigilance Quality Assurance) o Investigation/Facts of the Crime o Legal/External Prosecution Review/Liability/IPRs o Communicating with Law Enforcement o Safety Risk Assessment (incl. type of product, product administration, quantity of product, market/geographic impact) o Communicating with Regulatory Authorities o Reporting requirements o Audit/CAPA analysis/lessons learned o Potential for Product Recall o Product Recovery/ Source o Storage Considerations o Distribution Flow of the Product involved o Forensics/product or package authentication o o Forensics /product or package authentication Distribution Flow of the Product involved o Storage Considerations o Product packaging/ labeling and patient information leaflet o Forensics Business Considerations (Supply Chain Business Unit) General Considerations (cross functional) o Distribution flows of the product involved product/material or touched material o Supply and Inventory Impact o Communicating w/ affected customer(s) o Quantity of Product o Potential for product recall o Audit/CAPA Analysis o Product/Brand/ Market/ Geographic Impact o Technology o o Communication o Reputation/Brand Management o Potential for product recall o Lessons Learned 8

9 Companies should strive for timely decision making. Confirming any suspected product security issue should be an urgent priority, as confirmation triggers the incident management process, including risk management and resulting patient safety decisions. Companies should have an established reporting method and distribution list to consistently frame the information and communicate it to all applicable parties. Many companies have established risk assessment methodologies. The considerations in this table may be helpful in building consistent risk assessment methodologies for product security issues. If a suspected product security issue is confirmed and patient safety is a concern, immediate action should be taken minimally as required in the local law. Companies should be familiar with the response requirements for the relevant local or regional board/ministry of health. This varies globally. Most companies have an existing business process that assesses product quality issues. For supply chain security incidents, companies should consider including, Quality, Supply Chain, Commercial, Medical Affairs, Regulatory, Legal, Toxicology and Security functions and/or any role that the company deems necessary to make immediate decisions in determining patient safety risk/impact. Companies should engage health authorities early with any information that can help reduce patient safety risks. When a recall is involved, follow local and regional regulatory and business procedures to notify the public. As all incidents are criminal in nature, notification to the local/regional authorities is advisable even if not required by local law. In some jurisdictions, notification to local/regional authorities is mandatory. Other business actions to consider may include written notifications to external partners also affected, such as Health Care Professionals (HCPs), suppliers, distributors or wholesalers, where applicable. While patient safety is the primary driver for all incident management, there might be other business consequences of confirmed product security issues (incidents) related to the supply chain. To read more about Rx-360 s views on other consequences, go to the Rx-360 Supply Chain Security White Paper: A Comprehensive Supply Chain Security Management System. 9

10 Lessons Learned Analyzing Incident Data/Investigating Root Cause Incidents should be tracked, trended and reported out on a periodic basis to aid the lessons learned and continual improvement process. Bringing visibility to the issues often facilitates healthy discussions of the appropriate actions to take and the right resources to engage. A crossfunctional database may be useful in enabling a company to monitor, analyze and trend incident risk analysis. Companies should take the time to identify root or probable cause of incidents where possible. It is recognized that some incidents, due to their criminal nature, may have no root cause associated with a process within a company s control. The results of the root cause investigation, or finding the source of the problem, should be turned into continuous improvement plan or be tracked in some way that the incident receives priority review and attention to closing the actions. Continuous Improvement As mentioned previously in this white paper, the incident management of product security issues has many parallels to quality systems. Confirmed product security issues, unlike many quality incidents, are often external to a company s process controls (e.g. a cargo theft involving hijackers). Companies approach continuous improvement for product security issues in varying ways and there are currently no mandatory requirements. It is good practice to review trends and implement improvements to eliminate the cause of the product security issues where possible. It is also a good practice to develop and implement strategies that seek to eliminate the potential of the incidents from happening again. Similar to quality deviations, continuous improvement plans related to product security issues should have a level of effort and formality commensurate with the level of risk. Companies should also set up a process for verifying effectiveness of the continuous improvement plans. A database may be helpful in organizing this information. 10

11 Concluding Remarks As noted throughout this white paper, there are various stakeholders involved in responding effectively and expeditiously to an incident. Transparency, collaboration, and communication cannot be stressed enough all are fundamental enablers to ensuring patient safety and brand protection. Internally, companies will likely benefit from collaborating and expanding existing processes to enable an effective incident management program that is nimble enough to respond expeditiously. As an industry, it is important to speak with one voice on the topic of supply chain security as well as on product security issues and share our incident management lessons learned. These criminal events have not yet caused wide distrust in the legitimate supply chain, but the potential exists. Compromised products and imitations of our medicines in the legitimate supply chain could destroy our business reputation. Worse, the criminals who are focused on how lucrative stealing, diverting or creating fake pharmaceuticals can be, have complete disregard for the human lives they impact or even destroy in the process. As the environmental factors continue to change and industry resources are stretched, the industry must ensure that incident management continuously improves and evolves to address emerging trends at the global, regional, and local levels. There are many risk factors that companies may want to consider when developing their incident management process. To find additional white papers and webinars published by Rx-360 that provide suggestions for prevention go to org/ and navigate to the Supply Chain Security White Papers and Webinars. Team Members Dale Schliech, Amgen, Jamie McNulty, Takeda, Kola Stucker, BMS Megan Coatesworth, Pfizer, Johannes Schoen, Boehringer Ingelheim, Lourdes Gonzales, Genentech, Ashley Goldberg, Merz Aesthetics, Sergio Mayorga, GSK, Stephan Schwarze, Bayer HealthCare Pharmaceuticals, Carin Johansson AstraZeneca, Jennifer Porter, Amgen 11

12 End Notes 1. US President Obama emphasizes support: 12