Why is that?  It’s because drug manufacturers and repackagers need to serialize all of their prescription drugs that enter the state of California in 2015/2016.  Can those companies make use of the FDA’s SNI guidance to comply with the serialization requirements of the California Pedigree Law?  I will answer that question in this essay, but first…

A REVIEW OF THE FDA SNI GUIDANCE

According to the FDA, an “SNI” is a unique identifier that is attached to a prescription drug by the original manufacturer.  Presumably “unique” means unique within the United States.  Specifically, an SNI is either a “serialized National Drug Code (sNDC)” or one of the existing recognized standards for identifying and labeling certain blood and blood components and certain minimally manipulated human cells, tissues and cellular and tissue-based products (HCT/Ps) which do not currently use NDC numbers.  The guidance document mentions only ISBT 128 for this latter class of SNI and implies that there may be others.  Apparently those standards always result in a unique identification number for each product package.  The important thing to realize is that an the sNDC is only one type of SNI but it is the kind that should be used on any prescription drug product that has been assigned an NDC.  In this essay I am only going to discuss the sNDC type of SNI.

The FDA defines the sNDC as being composed of the drug’s 10-digit NDC plus an alphanumeric serial number that can be up to 20 characters long.  The guidance applies to prescription drugs only so Over-The-Counter (OTC) drugs that are identified by an NDC apparently aren’t covered.  But since the guidance is non-binding anyway this distinction isn’t really significant.  Perhaps it will if the SNI guidance ever becomes a required regulation.

Example of the components of an sNDC borrowed from the FDA SNI Guidance document. March 2010. Click image to enlarge.

The SNI guidance document itself defines the SNI “for package-level identification only”, but it also makes it clear that SNIs can also exist for levels other than the package-level, like cases and pallets.  It’s just that this guidance document doesn’t cover those.  The FDA defines the “package-level” this way:

“…the smallest unit placed into interstate commerce by the manufacturer or the repackager that is intended by that manufacturer or repackager, as applicable, for individual sale to the pharmacy or other dispenser of the drug product.”

Repackagers that break the manufacturer’s package down and repackages the contents in any way must apply a new and unique SNI to the new package-level and that new SNI must be linked (in some unspecified way that I assume is a database) back to the manufacturer’s original SNI.  The guidance document contains an excellent example of a package of six drug-filled syringes that would be the lowest packaging level that the hypothetical manufacturer intended pharmacies or other dispensers to buy, but is then repackaged by another hypothetical party acting as a repackager into single syringe packages for sale to pharmacies or other dispensers.

The original hypothetical manufacturer would only need to assign an SNI to the package of six drug-filled syringes since it does not intend the syringes for individual sale.  However, the hypothetical repackager would need to assign each drug-filled syringe its own unique SNI and link those six SNI’s to the original manufacturer’s SNI that was assigned to the specific package of six that the individual packages came from.  If you repackage drugs you should study the example in the FDA SNI guidance document.  Of course, since this guidance is not binding the FDA isn’t saying that you have to do this today.

The FDA recommends that the SNI should generally “…be applied to each package in both human-readable and machine-readable forms.”  However, the FDA guidance document explicitly states that “…at this time, FDA is not specifying the means of incorporating the SNI onto the package.”  But it goes on to say that “The SNIs described in this guidance are compatible with, and flexible for, encoding into a variety of machine-readable forms of data carriers, such as 2-dimensional bar codes and radio-frequency identification (RFID)…”.  The document also explicitly doesn’t specify a location on the package where the SNI should be placed, but it does say that any human-readable form could be printed “…in a non-contiguous manner…” from the existing NDC printed on the package.

THE RELATIONSHIP BETWEEN sNDC AND GS1 sGTIN

Finally, the guidance document points out that the sNDC “…is compatible with, and may be presented within, a [GS1] GTIN…”.  GTIN is a GS1 standard for general product/service class-level identification and the letters stand for “Global Trade Item Number” (see my essays “Anatomy of a GTIN” and “Depicting An NDC Within a GTIN”).  It is quite clear that what the FDA meant to say is that the sNDC can be depicted as a serialized GS1 GTIN, or “sGTIN”.  It does not say that an sGTIN is the only way to depict an sNDC or that you must depict it that way, it simply says that it may be presented that way.

The document doesn’t identify any other way to do it but I’m pretty confident you could present an sNDC using HIBCC standards too if you wanted to.  HIBCC product identification standards are very rare in the U.S. pharmaceutical supply chain (they are much more common in the medical devices supply chain) so I’m not covering them in this essay.  For more on HIBCC standards click here.

CAN THE sNDC BE USED TO COMPLY WITH THE CALIFORNIA SERIALIZATION REQUIREMENT?

This question is frequently asked these days.  Fortunately the answer is definitively “yes” in my opinion.  You should read the source documents to convince yourself one way or the other, but here is my logic.

The text of the California pedigree law says that each drug package distributed within the state must have a “unique identification number” attached to it.  Presumable “unique” here means unique within the state of California.  The law doesn’t specify any specific characteristics of the identifier itself other than its uniqueness and that it be “…contained within a standardized nonproprietary data format and architecture, that is uniformly used by manufacturers, wholesalers, and pharmacies…“.  The FDA sNDC is a “unique identification number” and by definition it must be unique, presumably within the U.S., and it is a standardized nonproprietary data format and architecture and it is certainly capable of being uniformly used by all parties in the U.S. pharma supply chain, which fulfills the California requirement.

The language in the California law and the Questions and Answers about the law that was published by the California Board of Pharmacy in 2008 regarding who must apply a unique identifier, to what and when it must be done is comparable to the language in the FDA’s SNI guidance.  This includes the definition of the “package-level” and the need for a unique identifier attached to repackaged drugs and how that identifier must be linked to the original manufacturers unique identifier.  Of course, the language in the California documents was available to the FDA when they were constructing their language.

So far I haven’t found a single significant difference in characteristics of the unique identifier defined by California and the sNDC defined by the FDA.  This leads me to conclude that California will very likely accept the use of unique identifiers that conform to the FDA sNDC guidance for compliance with the serialization requirements of their pedigree law.  It also makes perfect sense that they would.  Again, that’s my opinion.  You form your own.

DEPICTING AN sNDC IN A BARCODE USING GS1 GTIN PLUS SERIAL NUMBER

OK, so you agree with me and you want to print an FDA-compliant sNDC on your drug packages within a machine-readable barcode using GS1 standards in advance of the compliance dates for the California pedigree law.  The way to do it is to make use of “The GS1 System”.  Here I’m referring to the GS1 Application Identifier standard and certain barcode symbologies that are documented fully in the GS1 General Specification. Search for this specification on the internet or contact your local GS1 Member Organization (MO) to obtain a copy.

The GS1 System Application Identifier standard defines a way of encoding multiple pieces of information within a string of characters in an exact way so that a reader can extract them back into their original decomposed form.  There are lots of Application Identifiers (AI) covering a wide spectrum of data types needed in a supply chain context.  An AI is a two-to-four-digit code that identifies the type of data that follows it in an “element string”.  In our particular instance, we are interested in just two AIs: one for the GTIN (AI=”01”) and one for the serial number that is associated with that GTIN (AI=”21”).

A GTIN element string is always 14 digits long when it is depicted using AI “01”.  Remember that the FDA defined their serial number as being up to 20 alphanumeric characters.  That means that it is a variable length value ranging from 1 to 20 characters.  It is a happy coincidence that GS1 defines their serial number element string for AI “21″ in exactly the same way!  Well, in fact, the FDA made the decision to specifically align their definition with that of GS1’s existing AI “21″ definition so that there wouldn’t be any conflict if people chose to use GS1 standards to implement the sNDC.

If we put together the technique I described in my essay “Depicting An NDC Within a GTIN” with the information above, we get the following shortcut for the GS1 string of elements that depict an sNDC:

sNDC to GS1 string of elements shortcut. Click image to enlarge.

Now all we need to do is encode this string of characters into one of the GS1 barcode symbologies that accommodate a GS1 string of elements.  These include GS1-128 and DataBar for linear barcodes and GS1 DataMatrix for 2D barcodes.  See the GS1 General Specification for details on how to properly construct these barcodes.

(NOTE:  According to the HDMA only a subset of the possible DataBar family of symbologies should be used on pharmaceuticals in the U.S. supply chain and they should only be used on products that are very tiny.  See my recent essay “Updated HDMA Barcode Guidance: A Must Read”.)

To construct the human readable string for an sNDC that is encoded in a GS1 string of elements you may insert spaces between the end of the GTIN and the “21” and you may set off the AIs by wrapping them in parentheses.  These “decorations” are commonly used to help make these long numbers more readable and they should never be included in the string that is encoded in the barcode.

Here is an example GS1 string of elements that uses the same data that the FDA included for an example sNDC in their guidance document (shown in the image above).  In their example they used a fictitious NDC of 55555 666 77 and a serial number of 11111111111111111111.  Applying the shortcut technique I show above the GS1 string of elements would be:

sNDC example from the FDA Guidance document encoded into a GS1 string of elements. Click image to enlarge.

The string that would be used to encode the GS1 barcode would be:

010355555666772111111111111111111111

and the human readable to be printed on the drug package might look like this:

(01) 03 55555 666 77 (21) 11111111111111111111

Notice the extra decorations I included in the human readable that are not included in the string that is encoded in the barcode.

DEPICTING AN sNDC IN AN RFID TAG USING GS1 sGTIN

In a departure from the GS1 General Specification, GS1’s RFID tag standards do not make use of AI’s when encoding an sGTIN for product identification.  In fact, in their RFID standards the concept of a GTIN and a serial number are merged together to produce a single indivisible  identifier they explicitly call a Serialized Global Trade Item Number, or SGTIN (see the GS1 Tag Data Standard for the details).

A full explanation of how to encode an SGTIN within a GS1 RFID tag is more complex than the barcode explanation above and it is beyond the scope of this essay (and of RxTrace, really) but you will find the GS1 Tag Data Standard document (now in revision 1.6) to be quite well written (see my essay “Masterpiece:  GS1 Tag Data Standard 1.5”).  And don’t miss my widely read essay “RFID Is DEAD…At Unit Level In Pharma”.

IMPLICATIONS OF THE sNDC SERIAL NUMBER DEFINITION

There are some surprising implications that result from the definition of a serial number in the way the FDA defines the sNDC.  I hope to cover those implications in a future essay.  Stay tuned.

Dirk.

The use of HIBCC standards is fairly common in the U.S. medical surgical devices supply chain but in the pharmaceutical supply chain it is very rare.  Most companies choose GS1’s barcode standards so that’s all I’m going to focus on in this essay.  If you want more information about how to do this with a HIBCC barcode find it here.

OVER-THE-COUNTER DRUGS:  GTIN-12

If your drug is sold over the counter (OTC), like aspirin and cold medications, the barcode on your packages will need to be scanned at point of sale (POS) terminals in the same way that any other consumer good is.  For that reason you need to put your National Drug Code (NDC) into a Universal Product Code (UPC) barcode in the United States.  A UPC-A barcode symbol contains a GS1 GTIN-12 data structure.  Here is what you need to do to convert your NDC into a GS1 GTIN-12:

1. Register your FDA Labeler Code with GS1 US who will convert it into a GS1 Company Prefix (GCP) and grant you the right to use it
   Recall from my previous essays that your FDA Labeler Code is either 4 or 5 digits long and a GCP can be anywhere from 6 to 10 digits depending on the fee you pay GS1 US when you register it.  In the case of FDA-regulated pharmaceuticals GS1 US will register a 4-digit FDA Labeler Code as a 6-digit GCP and a 5-digit FDA Labeler Code as a 7-digit GCP.  The reason is that they need to synchronize the length of the Item Reference portion of the resulting GTINs with the combined length of the Product Code and Package Size fields of your NDC.  This is to ensure that you are able to generate valid GTIN-based barcodes for every possible NDC that your Labeler Code enables you to generate.  You only need to register your FDA Labeler Code with GS1 US once as long as you keep up with the annual subscription fees so for subsequent drugs that use a Labeler Code that is already registered you can skip this step.  If you have multiple FDA Labeler Codes you need to register each one with GS1 US once.
   
   GS1 US has reserved GCPs that start with “03″ for owners of FDA Labeler Codes as shown in the following table.
   

   Click images to enlarge

2. From your new GS1 Company Prefix construct your U.P.C. Company Prefix
   Ah ha!  This is an esoteric step.  It is necessary because of the way GS1 merged the formerly North American-only Uniform Code Council’s (UCC) Universal Product Code (UPC) company prefixes with the European Article Numbering Association’s (EAN) European Article Number (EAN) company prefixes and made the whole combined scheme suitable for global company prefixes and yet retained backward compatibility with the UPC and EAN.  But you don’t have to follow any of that.  Here’s what you do.
   
   You take the GCP that GS1 US assigned you and you strip off the leftmost digit.  That digit is always going to end up being a zero because we are dealing with an FDA regulated pharmaceutical and GS1 US will make sure that it is a zero on your behalf.  The remaining digits make up your new U.P.C. Company Prefix, usable only for generating UPC-A barcodes  and a few other less common things (see the GS1 General Specification for what else you can do with a U.P.C. Company Prefix).  For an NDC that has a 4-digit Labeler Code your U.P.C. Company Prefix will now start with a “3” and it will be 5 total digits long.  For an NDC that has a 5-digit Labeler Code your U.P.C. Company Prefix will now start with a “3” and it will be 6 total digits long as shown below.
   

   Click images to enlarge

3. Combine your U.P.C. Company Prefix with the Product Code and Package Size fields from your NDC
   For an NDC that has a 4-digit Labeler Code your Product Code and Package Size fields will be a total of 6 digits long.  Combine them with the GS1 U.P.C Company Prefix by placing them to the right of the prefix.  For an NDC that has a 5-digit Labeler Code your Product Code and Package Size fields will be a total of 5 digits long.  Combine them with the GS1 U.P.C. Company Prefix by placing them to the right of the prefix.  You should now have a total of 11 digits regardless of the length of your Labeler Code as shown in the table below.
   

   Click images to enlarge

4. Calculate the Check Digit and add it to complete your GTIN-12
   GS1 provides an algorithm to calculate the Check Digit in section 7.2.7 of the GS1 General Specification.  They also provide a handy calculator at this webpage(although where they say to enter the “Item Reference”, they really mean for you to enter the full prefix and item reference together).  Add check digit to the right of the code constructed in step 3.  You should now have a 12-digit code as shown below.  This is the GTIN-12 that can be encoded into a UPC-A barcode and printed on your product.
   

   Click images to enlarge

If you look closely at the table above you may see a short-cut that would get you directly to your GTIN-12.  All you need to do is take your 10-digit NDC and put a “3” in front of it and put a calculated check digit at the end as shown in the following table.

Click on images to enlarge

It is true that you can get there this way but then you might be tempted to skip step #1 and not obtain your official GCP.  As I understand it, since GS1 owns a copyright on the UPC family of barcode symbologies they could make a claim against your company if you encode your NDC into the copyrighted UPC-A symbology without first registering your FDA Labeler Code with them and paying whatever fee they place on that.  Talk to GS1 US to get the full story for your particular situation.  On the other hand, if you have already registered your Labeler Code with GS1 US then this short-cut should always produce your GTIN-12 for subsequent products that share the same FDA Labeler Code.

PRESCRIPTION DRUGS:  GTIN-14

Any drug distributed in the U.S. that is regulated by the FDA as a prescription drug must be dispensed by a registered pharmacist.  In that case it will not be scanned at a retail POS station.  For that reason you do not need to encode your NDC within a GTIN-12 but should encode it into a full GTIN-14.  GTIN-14s should also be used on all case labels whether OTC or prescription (see the HDMA Bar Code Guidance for details).  You can render a GS1 GTIN-14 identifier into a GS1-128, GS1 DataMatrix, or GS1 DataBar symbology depending on the application.

Here is what you need to do to properly convert your NDC into a GS1 GTIN-14 data structure:

1. Register your FDA Labeler Code with GS1 US who will convert it into a GS1 Company Prefix (GCP) and grant you the right to use it
   This is the same as step #1 for GTIN-12 above.
   
   
2. Combine your GS1 Company Prefix with the Product Code and Package Size fields from your NDC
   For an NDC that has a 4-digit Labeler Code your Product Code and Package Size fields will be a total of 6 digits long.  Combine them with the GS1 GS1 Company Prefix by placing them to the right of the prefix.  For an NDC that has a 5-digit Labeler Code your Product Code and Package Size fields will be a total of 5 digits long.  Combine them with the GS1 GS1 Company Prefix by placing them to the right of the prefix.  You should now have a total of 13 digits regardless of the length of your Labeler Code.
   
   
3. Calculate the Check Digit and add it to complete your GTIN-14
   GS1 provides an algorithm to calculate the Check Digit in section 7.2.7 of the GS1 General Specification.  They also provide a handy calculator at this webpage.  Add check digit to the right of the code constructed in step 2.  You should now have a 14-digit code.  This is the GTIN-14 that can be encoded into a GS1 Code-128, GS1 DataMatrix, or DataBar barcode and printed on your product or case.  (NOTE:  DataBar should only be used on packages that are too small to accept one of the other symbologies.  See the HDMA Bar Code Guidelines for details.)

Finally, if you have already registered your Labeler Code with GS1 US you can use the following short-cut to construct your subsequent GTIN-14s.

Click image to enlarge

The following figure summarizes the contents of all forms of the NDC for both GTIN-12 and GTIN-14 data structures.

Click images to enlarge

IMPLICATIONS

There is an important implication stemming from the use of GS1 identifiers and barcodes to encode and render your NDC that I think needs to be explained.  This applies to any company that already possesses a GCP that does not match their FDA Labeler Code.  I can think of two ways that this might happen:

1. Any company in the U.S. that distributes non-drug products and already obtained a GCP from GS1 US for those products,
2. Any drug manufacturer that is based outside of the United States and that already possesses a GCP that was issued by their local, non-U.S. GS1 Member Organization.

Neither of these types of GCP’s can be used to encode an NDC for distribution within the U.S.  That’s because these GCPs do not match your FDA issued Labeler Code.  Only GS1 US, the U.S.-based GS1 Member Organization, can issue you a GCP that is properly based on your Labeler Code.  So these companies should contact GS1 US to register their Labeler Code, whether the company is based in the U.S. or not.

Systems and their associated databases should always be designed to accommodate the full GTIN-14 even when the application may seem to only need to deal with GTIN-12′s.  See GS1′s position paper on this topic for more explanation.

There are a few more “Anatomy of…” essays I want to write including the FDA’s Standardized Numeric Identifier (SNI), and GS-128 in the U.S. Pharma supply chain.  Watch for those essays in the near future.

Dirk.

The GTIN can be a mysterious concept.  I received an email recently from a sales person who wanted to know what this “G-ten” thing was that her customer kept claiming was so important to her future business with them.  I’ve also sometimes had difficulty convincing people that GTIN adoption is important.  “We don’t need another product identifier.  We already have the NDC!”

I hope to pull back the veil just a little bit and explain not only the anatomy of the GTIN but also why it is so important to all supply chains in all regions of the world.

WHAT EXACTLY IS A GTIN?

GS1 explains the GTIN this way:

“As the name implies, the GTIN helps automate the trading process – basically buying and selling.  GTINs are therefore assigned to any item (product or service) that may be priced, or ordered, or invoiced at any point in any supply chain.  The GTIN is then used to retrieve pre-defined information about the item.  The key benefit is that information about the item can be retrieved about the product from the GTIN whether it is read in a GS1 BarCodes symbol, exchanged via a GS1 eCom message or accessed from the Global Data Synchronisation Network.”

Hmmm…Let me try.  First, a “Trade Item” is any product or service that may be manufactured, priced, advertised, bought, sold, traded, invoiced, returned or consumed within a commercial supply chain.  GTIN (Global Trade Item Number) is a GS1 standard that defines the structure and usage rules for a numeric identifier that can be assigned to a very specific, idealized description of a “trade item” and which can then be used in any part of the world to refer to instances of trade items that conform to that description.

For another attempt at a definition, see the one on Wikipedia here.

In everyday usage “a GTIN” is the number that is encoded into the product barcodes found on pretty much every product you can find in any store.  In the U.S. you know it as the UPC, or Universal Product Code, a 12-digit number (and technically known as a GTIN-12).  In the E.U. you know it as the EAN, or European Article Number, a 13-digit number (and technically known as a GTIN-13).  The GTIN-12 and GTIN-13 are “retail” GTINs.  That is, these are the GTINs placed on products that are typically sold through a retail Point of Sale (POS) station (a store checkout counter).  This includes most over the counter (OTC), non-prescription drugs.

Today, nearly all OTC drugs and many prescription drugs in the U.S. supply chain are marked with a National Drug Code (NDC) or a Universal Product Code (U.P.C.) that is encoded in a GTIN-12 data structure and rendered on the package in a UPC-A barcode.  Non-retail products like those that are typically sold only B2B (business to business) (GS1 refers to these as “Trade Items Intended for General Distribution Scanning Only”)—including prescription pharmaceuticals—should be assigned a 14-digit GTIN (technically known as a GTIN-14).

You may yawn, but this is powerful stuff if you can get everyone on the bandwagon.  The GPOs in the U.S. and GS1 plan to do just that.

The most important aspect of the GTIN standard is that when one is properly assigned to a given product or service it is globally unique.  That means that no other product or service anywhere in the world can ever be assigned that same GTIN so that number can be used anywhere and everywhere to refer to that specific type of product or service.  This eliminates product code ambiguity globally.

Another important feature is that the GTIN standard is applied in the same way regardless of product type, service type or supply chain.  The same rules apply to all GTIN identifiers.  These rules are defined in GS1’s General Specification—the specification of “The GS1 System”, of which GTIN is just one part.  See also “GS1 GTIN Allocation Rules for Healthcare” for some of these rules in a healthcare context.  (For a great non-technical explanation of “The GS1 System” of standards, check out this great PDF:  “The Value and Benefits of the GS1 System of Standards”.)

ANATOMY OF A GTIN-14

I mentioned above that a GTIN can take form in 12, 13 or 14 digits (it can also take the form of an 8-digit value but that’s very rare in healthcare), but since my focus is primarily in the B2B healthcare supply chains I’m only going to concentrate on the 14-digit form in this essay.  This is the only form that will fit into barcodes that make use of GS1 Application Identifiers (AI) (like GS1-128 linear barcodes and GS1 DataMatrix 2D barcodes) although the other forms can always be converted into the 14-digit form (by padding with zero[s] on the left).  Note that OTC drugs at the unit-level cannot make use of the GTIN-14 structure, AIs or the barcodes that carry them because they need to be scanned at POS.

There are four components that make up a GTIN-14 and they appear in this order:

• Indicator Digit
  This digit only appears in the GTIN-14 and is primarily used to indicate standard groupings (inner pack, case, pallet, etc.) of packages of the same GTIN using values 1 through 9.  A zero indicates that the GTIN is representing a single unit.  For products where the actual units sold can be a variable measure (weight, size, volume, etc.) the indicator digit should be set to 9.  Indicator values 1 through 8 have no specific standard meaning other than that they indicate a grouping.  That is, there are no standard groupings that values 1 through 8 may indicate so you can’t assume any particular value means an inner pack, a case, a pallet or anything else.  Each company is free to choose any of these values to indicate any grouping they wish.
  
  
• GS1 Company Prefix (GCP)
  This is the variable length number that is assigned by the local GS1 Member Organization (MO) to the company that manufactures, packages or repackages the product that the GTIN represents.  This is the number that those companies must apply to GS1 for assignment.  In the U.S. the GCP ranges in length between 6 and 10 digits and the length partially determines its cost.  Shorter company prefixes cost less than longer ones (see Item Reference below for why this is so).
  
  Pharmaceutical companies who already possess an FDA Labeler Code (see my previous essay, “Anatomy Of The National Drug Code” for more on this) just need to register that code with GS1 US (the local GS1 MO in the United States) to obtain a license to use that same code as the basis for their GCP within the context of GS1’s copyrighted barcode, RFID, EDI, pedigree and track & trace standards.
  
  The GS1 Company Prefix is itself composed of a 1 to 3 digit GS1 Prefix which is assigned by the GS1 Global Office to each GS1 MO to ensure global uniqueness of all GCP-based GS1 keys (GS1 keys include GTIN, GLN, SSCC, GRAI, any EPC, GSRN, GIAI, GDTI, GSIN, etc.).  This prefix is sometimes incorrectly referred to as a “country code” although because MOs are fairly country-specific this is not too far off.  The remainder of the GCP—known as a Company Number—is assigned by the Local MO.  See the GS1 General Specification for more details.
  
  When a company is assigned a GCP by GS1 they are granted exclusive rights to use that prefix to construct any of the GS1 keys (see the list in the paragraph above) and use them in any way they see fit as long as it is within the rules established in the GS1 General Specification.  GS1 keys generated by the owner of the GCP do not need to be authorized, approved or registered with GS1.  There is no additional cost to generate new GS1 keys once a company obtains a GCP.
  
  GCPs are a company asset that should be addressed in any merger or divestiture strategy (see this topic in the GS1 General Specification).  GCP usage within a given company should ideally be controlled at a single point within an organization.  This generally isn’t an issue for smaller companies but multinational corporations should ensure that they have a strategy for centrally assigning and distributing GCP-based GS1 keys to their operations to ensure uniqueness and to ensure that the GCP resource is used to its maximum potential.
  
  Companies may obtain multiple GCPs from their local GS1 MO if they use up the available reference values in one or more GS1 keys.  They may also obtain additional GCPs (partly “used”) as the result of a merger with another company.
  
  Neither GS1 nor the MOs police adherence to any of their standards, but they carefully control the assignment of GCPs to always maintain global uniqueness.  As long as the GCP assignments are all globally unique, all of the keys generated by the owners of all GCPs will also be globally unique.  This is a very important design feature of the entire GS1 System.
  
  
• Item Reference
  The Item Reference is a variable length number that must be chosen by the owner of the GS1 Company Prefix and assigned to the specific description of a single product class.  This specific description must remain unchanged for the life of the GTIN (see the GS1 General Specifications for details and exceptions).  The combination of the owner’s GCP and the Item Reference must be exactly equal to 12 digits.  Since the length of the GCP is determined when it is obtained from the local MO, the length of the Item Reference must take up the remainder of the 12 digit space.
  
  For example, if company A obtains a 6-digit GCP, the Item Reference field within their GTIN-14′s must be 6 digits long (12 – 6 = 6).  If company B obtains a 10-digit GCP, their GTIN-14 Item References must be only 2 digits long (12 – 10 = 2).  From these two examples you can see that company A can identify up to 1,000,000 unique products or services but company B can only identify 100.
  
  There is a comparable limitation in the other GS1 keys.  Shorter GCPs result in more digit space available in the reference portion of the key which results in vastly more usable unique numbers (each extra digit represents an order of magnitude more unique values the owner can assign).  This is why GS1 charges more for the shorter GCPs than they do for longer ones and this provides a measure of affordability to smaller companies who will likely never need more than a small number of unique GTINs or other keys.
  
  
• Check Digit
  The Check Digit is a single digit that is mathematically calculated based on the contents of all of the other digits in the GTIN-14.  The purpose of the Check Digit is to help barcode readers and applications detect data entry errors.  See Section 7.10 of the GS1 General Specification for the algorithm.

EXAMPLE GTIN

Here is an example of a GTIN-14 that I found on an inner-pack of Epinephrine injectors.

Click image to enlarge. Image Copyright RxTrace 2012.

An “inner-pack” is a grouping of trade items and so we see the Indicator Digit is set to “1″, a valid value for a grouping.  We can’t tell by looking at this example exactly how long the GCP is because it could be anywhere from 6 digits to 10 digits long.  Fortunately GS1 provides a service they call Global Electronic Party Information Registry, or GEPIR.  If we select “Search by GTIN”, enter ’10304094921348′ and click “Search”, we are told that this GTIN contains a 6-digit GCP of ’030409′ and it is registered to Hospira, Inc. in Lake Forest, Illinois.  Now we know that the Item Reference that Hospira happened to choose for this GTIN must be ’492134′.  The Check Digit is calculated based on all of the previous digits as “8″.

This particular inner-pack contained about 10 or 12 unit-level packages that were shrink-wrapped together and labeled with the GTIN-14 above.  Each of the units contained a barcode with the unit-level GTIN-14 encoded in it.  It was exactly the same GTIN as the inner-pack except for the Indicator Digit which was correctly set to zero.  These were unit dose injectors.  There are probably about 4 inner-packs per casepack but I didn’t note that information.  The case GTIN would be exactly the same as the inner-pack and units except for the Indicator Digit which would have been been a value in the range of 2 to 8 to reflect that it is a standard grouping that is different than the inner-pack.

Normally we don’t need to deconstruct GTINs like this.  In fact the whole point of a GTIN is to use it as a single whole identifier and not to break it down into its constituent parts like we have done here but I wanted to show you how this one was intelligently constructed by Hospira, the owner of this particular GCP.

BENEFITS OF THE GTIN

The benefits of GTIN adoption by a supply chain are different between manufacturers and non-manufacturers (distributors, pharmacies and retailers).

Manufacturers gain because they can potentially use the same standard product/service identifier in multiple markets/countries.  Well, as long as the packaging doesn’t vary (same language, etc.) and there aren’t any regulatory reasons for using a different identifier (national numbering like the U.S FDA NDC, different units for the unit of measure, etc.).  Even when a different identifier is necessary for different markets/countries the manufacturer benefits from the use of a standardized identifier because modern Manufacturing Execution Systems (MES), Warehouse Management Systems (WMS),  Electronic Data Interchange (EDI) systems and Enterprise Resource Planning (ERP) systems should come with full GS1 System support built in (admittedly not all do yet).  This includes enforcement of many of the GS1 rules for dealing with GTINs and the other pertinent GCP-based identifiers.

Like manufacturers, non-manufacturers in the supply chain make use of WMS, EDI and ERP systems in addition to pharmacy management systems and  Hospital Materials Management Inventory Systems (HMMIS) that ought to have standardized GS1 System support built in.  These companies also benefit because they can trust that GTINs are globally unique and all product identifiers used by all of their suppliers refer to the same product or service and those identifiers are constructed using the same format.  This allows them to eliminate their own internal product codes for each manufacturer’s products and services, simplifying inventory management, sales, purchasing, order fulfillment, shipping, receiving and dispensing and thus reducing errors that generate waste and in the healthcare supply chain can cause injury or even death.  This is why the GPOs are so hot to make 2012 the year of the GTIN.

ADOPTION OF THE GTIN

Manufacturers of products or services can decide to unilaterally adopt the GS1 GTIN standard for all of their products and they can reap some small internal benefits from that decision as I’ve outlined above.  That may not offer enough of a gain to offset the cost of conversion from proprietary product identifiers.  The problem is, for the downstream trading partners to benefit from GTIN use, more than just one manufacturer has to switch to GTINs.  In fact, the benefits don’t start accruing to those companies until a significant number of manufacturers switch to GTINs, and until all manufacturers in a given supply chain switch to them the benefits do not reach their maximum potential.  For this reason, GTINs should be adopted by a supply chain as a whole and not just one company here and there.

How do you trigger a switch within an entire supply chain like that?  The GPOs may have it figured out.  Like Walmart in the fast-moving consumer goods (FMCG) supply chain and the big automakers in their supply chain, they have to start dictating the switch and they have to be hard-nosed about it.  Can the GPOs fill the role of the “800-pound gorilla” like Walmart and the automakers?  We’ll see.

There are some encouraging signs and some discouraging signs in the recently released results of a survey in a document called “GS1 Data Standards Adoption Survey, Progress toward Global Trade Item Numbers (GTINs), December 2011” conducted by the University of Arkansas Center for Innovation in Healthcare Logistics (CIHL) on behalf of the Healthcare Supply Chain Association (HSCA) (the industry association of GPOs, formerly HIGPA) and the Healthcare Industry Supply Chain Institute (HISCI).  I’ll have more to say about this paper and the results it documents in a future essay.

I’ll stop here for now.  Watch for future related essays on “Depicting an NDC Within a GTIN”, and “Anatomy of an SNI”.

I am going to attend the 2012 National Pharmacy Forum in Tampa on February 9th.  The full conference runs from the 8th through 10th and is co-hosted by HCSA and HISCI.  If you run into me there please introduce yourself and tell me what you like and don’t like about RxTrace.

Dirk.

The updated document can be downloaded from the HDMA Marketplace web page.  It is free to HDMA members.  Non-members will need to pay a fee but don’t let that stop you from downloading a copy if you have any responsibility for applying or reading barcodes in this supply chain because you will need to make changes to keep up with the direction of the technology and the industry.

Full disclosure:  I work for a company that is a member of HDMA and I contributed to the development of this updated guideline, but this essay is not a marketing pitch for the benefit of HDMA or my pride.  Rather it is to help generate alignment around a common approach within the supply chain.

HDMA GUIDELINES FOR BAR CODING IN THE PHARMACEUTICAL SUPPLY CHAIN

The guidelines provide the reader with the industry-specific information necessary to know how to apply GS1 and HIBCC standards in the U.S. pharmaceutical supply chain.  It provides an excellent discussion of barcode standards, including some history which I made use of in my recent RxTrace essay “Anatomy Of The National Drug Code”.  It explains how those standards should be applied to identify drugs at all levels of packaging as they move through the supply chain so that companies can maximize the benefits of barcode technology.  This edition provides expanded guidance on the implementation of 2D barcodes and RFID on packages and shipping containers.

For the first time the HDMA now “…recommends investing in imaging scanners capable of reading Data Matrix and linear codes whenever auto-id procurement needs are under consideration.”  This HDMA recommendation aligns well with GS1 Healthcare’s position as published in 2009.

Both of those recommendations make sense because we are now standing on the threshold between two barcode eras in the U.S. pharma supply chain:  linear in our rear-view and 2D in our forward-view.  Any investment in linear-only barcode reading and writing equipment now probably won’t reach the end of its full depreciation still in use.

Imaging equipment manufacturers have made great strides in the last decade in nearly matching the read performance of linear barcode readers and the prices have come down.  Linear readers will probably always be cheaper than imagers but you should consider this lower cost a reflection of the fact that they are now in the “discount bin” of obsolete technologies.

Linear codes are not dead yet, but I think we are going to see a fairly rapid transition to 2D barcodes in this industry with the approach of serialization regulatory mandates here and abroad.  See my RxTrace essay “SNI’s Are Not Enough In a Plateau-Based Supply Chain Security Approach“ for more on this.

The development of the HDMA guideline documents over the years have benefited by the contribution of George Wright IV, Vice-president of PIPS / Product Identification & Processing Systems, Inc.  George is an automatic identification and data capture (AIDC) industry veteran and I have found him to be a bottom-less well of technical and historical knowledge in this area.  Many sections in the HDMA guidelines have a depth and quality that come directly from George’s contribution.

CHANGES

If you think you already know how to properly format and print barcodes on drugs marketed and shipped in the U.S., you need this edition of the guidelines.  There are some significant differences from the way things have been done up to now.  The first section of the updated document is a Summary of Revisions.  Here is a partial list:

• Addition of a unique serial number in the GS1-128 product identification bar code to product case labels;
• Addition of an optional but recommended 2D GS1 DataMatrix bar code symbol to drug packages and product case labels;
• Removal of ITF-14 as a Primary Data Carrier (bar code) option for product case labels;
• Removal of AI(22) as a Secondary Data structure option on product case labels.  This is a major departure from the way things are done today because AI(22) currently appears on about 75% of all product cases in the U.S. pharma supply chain.  The document provides details on what AIs to use in place of AI(22) and how to arrange them;
• Reduction in the minimum X-dimension for GS1-128 symbols.  This move enables a slightly tighter linear barcode on case labels so that serial numbers can be added to them without blowing out the available space;
• Reduction in the minimum height for GS1-128 symbols on case labels.  Another move to free up precious real estate on case labels so that serial numbers will fit in the barcodes;
• A new HDMA recommendation for adding GS1 serial numbers to units and shipping containers;
• New information on standardized numerical identifiers (SNIs).

ENFORCEMENT?

The HDMA does not enforce compliance with their guidelines.  That is, if you don’t follow their guidelines no one from the HDMA will knock on your door or send you a cease and desist letter.  The same goes for GS1.  The U.S. FDA tightly regulates everything that appears on drug primary packaging—including the linear barcode that encodes the NDC—but they don’t regulate the contents of case-level product identification or shipping labels.  While the U.S. Drug Enforcement Administration (DEA) does place certain restrictions on the information that appears on shipping labels (and they will come knocking on your door if you fail to follow them) those are limited to controlled substances.

So who enforces compliance with the HDMA guidelines?  In reality no one does and that has led to a major missed opportunity for improved efficiency, accuracy and even profitability in the supply chain.  Unfortunately very few companies follow all of the HDMA guidelines closely and that causes downstream trading partners to miss out on the opportunity to maximize the use of product case barcodes in operations like receiving, inventory management, picking and shipping.  Barcodes are certainly used extensively in all of those processes today but case-level product identification labels cannot always be trusted because there is so much variance in compliance to both GS1 standards and HDMA guidelines.  If you can’t trust the data in the barcode you can’t achieve its promise to maximize efficiency and data capture accuracy.

Some pharma manufacturers take their product case labels very seriously and have a program to ensure that they comply with the standards and with HDMA’s guidance, even without any heavy-handed enforcement.  I applaud them.  But the truth is, the majority of companies seem to take a quick stab at producing the barcodes on their case labels and then ship them out.  If no one complains, they probably think they got lucky and got it right the first time.  In other supply chains that face intense price competition these kind of inaccuracies and waste are not tolerated.

I keep thinking that something will trigger closer attention to detail in the construction of case labels in the pharma supply chain.  Maybe this newly updated guideline from HDMA is just what we need.  Do you think it will have a positive impact?  Leave a comment below.

Dirk.

HISTORY OF THE NDC

The NDC was initially a voluntary identifier (see references at the end of this essay).  We all know how that would have turned out (for more on that thought, see my recent essay “Should Regulations Dictate Technology?“) so in 1972 the FDA made the NDC mandatory for all prescription and over-the-counter (OTC) drugs.  Manufacturers were required to obtain a “Labeler Code” from the FDA, construct their NDC’s using that code as the base and print the NDC number on drug packages.  Barcodes were not required by the FDA back then.

From the quote in the first paragraph above you can see that the FDA intended the NDC to be used among the full spectrum of users who needed to unambiguously refer to specific drugs.  I can’t imagine how inefficient it must have been to refer to a specific form, size and concentration of a particular drug in every step between manufacturer, patient and insurer before the advent of the NDC.  Even from the very start the FDA intended the NDC to help with automation using computers.  Computer automation leads to greater efficiencies and much greater data accuracy–just what was needed for the drug industry and supply chain to grow in the coming decades.

The FDA recognized in the early 1970′s the automation value of encoding the NDC into barcodes, but as I said, they didn’t require them.   However, barcodes were making a big splash in the grocery industry and soon after in the consumer products goods industry around that time because of the great gains experienced in checkout efficiency and inventory control.  The Uniform Grocery Code Council (UGCC) introduced the 12-digit Universal Product Code (UPC) identifier and barcode symbology in 1974 and it quickly became the standard for all products sold at checkout counters.  Chain stores of all kinds started putting maximum pressure on manufacturers to put a UPC barcode on every product they sold.

This led to an interesting collision of mandates.  The FDA had already mandated that OTC drugs be identified by their NDC.  The UGCC mandated that the “Company Prefix” portion of the Universal Product Code that was encoded in UPC barcodes be assigned by the UGCC.  Since OTC drugs were one of the products that were being sold by chain stores, pressure was put on the UGCC to find a way to accommodate the 10-digit NDC within the 12-digit UPC.

UGCC technical experts quickly came up with a way to do it.  They came up with the scheme of pre-pending the NDC with the digit ’3′ and then adding the standard UPC checksum at the end.  The UGCC had to commit to reserving all UPC’s with a ’3′ as the first digit for drug companies and they agreed to reserve the Company Prefixes for drug companies so that they matched the FDA’s Labeler Code.  OTC drug manufacturers now had a way to satisfy both mandates and many years later that approach continued to be used as manufacturers started to apply barcodes to non-OTC drug packages.

Around that time the UGCC became the Uniform Product Code Council (UPCC), then the Uniform Code Council (UCC) in 1984, and finally became GS1 U.S. in 2005.  All along the organization has been a privately held, non-profit, tax-exempt corporation.

While the printing of the human readable NDC on drug packages was mandatory the printing of a barcode on drugs was voluntary until only relatively recently.  The FDA published a final rule  in 2004 that mandated all drug packages have a linear barcode printed on them starting in 2006.  By 2004 roughly 90% of drug packages in the supply chain already had linear barcodes on them voluntarily.  It seems odd that it took the FDA so long to mandate such a valuable automation element when it seems like it could have mandated it much earlier with little justifiable complaint from the industry.  The final rule document contains a significant amount of discussion, explanation and documentation about the benefits of barcodes on drug packages, particularly around the benefits to patient safety.

THE ANATOMY OF THE NDC

The NDC is composed of three semi-fixed-length data fields:

• FDA Labeler Code
  This is a code that is assigned by the FDA to the manufacturer, packager (“labeler”) or repackager of the drug as part of an application process.
• Product Code
  This is a code that is selected by the owner of the FDA Labeler Code.  It represents the unique combination of the drug, the dosage form and strength that will be packaged by that owner.  While the code is assigned by the owner of the Labeler Code it must be registered with the FDA.
• Package Size
  This is a code that represents the package size or package grouping of the drug.

For a short time the NDC started out in 1969 as a 9-digit code.  Initially the Labeler Code was defined as 3 alphanumeric characters long–a fixed length–but was soon changed to 4 numeric digits bringing the full code to the full 10-digits we know today.  The product code was defined as a fixed 4 digits long and the package size took up the remaining 2 digits.  But Labeler Code assignment requests came it at an alarming rate and it apparently wasn’t slowing down as they started to approach 999 sequential code assignments.

A decision had to be made.  If they crossed the border and assigned Labeler Code 1000, the NDC would forever be limited to 4 digits with a maximum of 9,999 codes and they might run out someday.  They were already approaching 10% of that number.  But if they made the fields of the NDC semi-fixed length at either 4 or 5 digits, they could continue assigning codes until a theoretical maximum of 99,999 codes.

The FDA didn’t want to expand the NDC to 11 digits so they decided to remove one digit from either the Product Code or the Package Size fields.  Rather than picking one or the other they decided to leave that choice up to each owner of the new 5 digit Labeler Codes.  Those companies could choose to have only 3 digits for the Product Code and 2 for the Package Size (written as 5-3-2), or they could choose to have 4 digits for the Product Code and only one digit for the Package Size (written 5-4-1).  The decision is made by the owner and they must register their choice and stick with it for the life of the Labeler Code.

But there is a problem with this approach.  Given a 10-digit NDC that might have a 4-digit or a 5-digit Labeler Code there could be conflicts between the NDC’s of two different companies.  Two companies might end up generating the identical NDC for two different products.  To eliminate this potential problem they decided to never assign labeler codes 1000 through 9999 (actually there is no explicit rule published that the FDA is following this technical requirement but it appears that this is what they are doing for most new Labeler Codes).  This makes the actual maximum number of Labeler Codes available equal to 90,999…not a bad compromise.

This solution provides a well-defined rule that allows systems to easily figure out the length of the Labeler Code within a given 10-digit NDC number.  All NDCs assigned by companies who own a 4-digit Labeler Code will always have a zero in their leftmost position and all NDC’s assigned by companies who own a 5-digit Labeler Code always have a non-zero digit in their leftmost position.  But there is no easy way to figure out if the owner of a 5-digit Labeler Code is using the 5-3-2 form or the 5-4-1 form without looking it up in a database.

The Package Size field is an important field used to differentiate not only the various dosage form sizes of the packages that the manufacturer or repackager produces (i.e. 30-count, 60-count, 90-count), but also the casepack quantities of each of that same set of packages.  There are no standard values for the Package Size field so the values used for one manufacturer cannot be compared with those of another.  They are simply used to differentiate package sizes and groupings within a single product type causing considerable confusion to those who wish to make use of this field.

For example, Company A might choose to use the values ’30′, ’60′ and ’90′ to represent the Package Size codes for their 30, 60 and 90 count bottles of a given drug, and the values ’31′, 61′ and ’91′ to represent a single casepack quantity of 48 bottles for the 30 pill bottle, and 24 bottles for the 60 and 90 pill bottles.  Company B might have chosen the 5-4-1 form of the NDC so they are left with only a single digit to represent their Package Sizes and groupings.  They might choose values ’1′, ’2′, and ’3′ for their 30, 60 and 90 count bottles of a given drug, and the values ’6′, ’7′ and ’8′ to represent the single casepack quantity of 96 bottles of their 30-count bottle, 48 bottles of their 60-count bottle and 24 of their 90-count bottle.  Confused yet?

So what use is this Package Size field if there isn’t any standard?  It simply allows manufacturers and repackagers to create unique NDCs for each dosage form size and casepacks so that interested parties can use it to look up the other information in a database.  You can’t just look at an NDC and know exactly what it stands for unless you have some prior knowledge about the choices the manufacturer or repackager has made for that product.  A database lookup doesn’t care what values are chosen for each packaging level or grouping as long as they are each unique.

NCPDP STEPS IN TO REDUCE AMBIGUITY

The current design of the NDC results in a number of ambiguities that stem from the fact that the length of each of the three fields can be one of two values.  The National Council for Prescription Drug Programs (NCPDP) decided to fix the ambiguity to increase the accuracy of claims submission.  They saw that all you have to do to return to a fixed length set of fields is to add an eleventh digit.  The goal was to always end up with a 5-4-2 format for all NDC’s.  To all 4-digit labeler codes (4-4-2) they added a ’0′ on the left.  To any 3-digit Product Code fields (5-3-2) they added a ’0′ on the left.  To any 1 digit Package Size (5-4-1) they added a ’0′ on the left.  All of these resulted in a 5-4-2 format (11 total digits).

For their purposes I’m sure this works great.  But it introduces its own ambiguity when an 11-digit “pseudo-ndc” is offered where a 10-digit true NDC is needed.  Which zero is the extra zero?  You can’t always tell unless you know for a given NDC.  Incidentally, the FDA apparently doesn’t recognize the NCPDP 11-digit format so it is not a real NDC.  That’s why I’ve called it a “pseudo-ndc”.

UNIT DOSE/UNIT-OF-USE NDCs

There is one more thing I want to say about NDCs.  I think the FDA made a significant error in not defining the NDC in a way that requires all pharma manufacturers and repackagers to clearly identify which NDC is a unit dose or unit-of-use for each drug.  The NDC appears to have been conceived as a way for a manufacturer to assign a unique code for each type of package they make for a given drug.  Since most manufacturers currently do not produce packages that contain a single unit dose or unit-of-use there is theoretically no need for them to define an NDC for that level.  I am told that some manufacturers do define and register an NDC for this level even if they don’t package at that level, and the rest do not.

I imagine that this has caused serious heartburn for insurers and Pharmacy Benefit Managers (PBMs) who are probably given the NDC for the original manufacturer’s bottle that a prescription was filled from.  What does it mean for a pharmacist to claim that they filled a prescription with ’1′ of NDC 9999988882 (psuedo-ndc 99999888802 for claims submission) where that NDC describes a 30-count bottle?  Did the patient receive one 30-count bottle or did they receive a single pill that the pharmacist pulled from a 30-count bottle?  There must be some convention for limiting the ambiguity that this introduces.  Perhaps someone can leave a comment to explain what happens in this instance.

In my view all manufacturers and repackagers should always generate and register an NDC for a unit dose or unit-of-use.  Ideally you’d like to think that the Package Size values of either ’00′ or ’0′ would be reserved to indicate the unit dose or unit-of-use, but since it wasn’t defined that way you will probably have lots of drugs that assign those values to some multi-dose/-use package or even a casepack.  It would be too disruptive to force that kind of change on the industry now.

REFERENCES

Normally I provide links to all my references, but there are a couple of sources that I drew from for lots of this content and so I’d like to list them here:

• George Wright IV, Vice-president, PIPS / Product Identification & Processing Systems, Inc.
• “HDMA Guidelines for Bar Coding in the Pharmaceutical Products Supply Chain”, Healthcare Distribution Management Association (HDMA), 2005
• “History of the UPC Bar Code and The Uniform Code Council, Inc.“, by Rob Cummings, Cummings Design
• George Laurer, Inventor of the UPC

Please submit a comment if you have additional information, clarifications or corrections.

Dirk.

In a somewhat related news item, Pharmaceutical Commerce recently published an online article by Nick Basta about the Global Healthcare Exchange’s (GHX) project to build a new prototype for a track and trace data exchange hub called “GHX updates progress on a prototype data exchange for track-and-trace“.  That article was an update to a more in-depth article by Nick about the project from last April in the same online magazine called “Healthcare Exchange Bids for Prototyping a Track-and-Trace System“.  Combined, the two very interesting articles describe the prototype that is now complete and ready for piloting.

In fact, the GHX prototype implements a track and trace event data exchange hub that would allow companies in the pharmaceutical supply chain to store and exchange GS1 EPCIS event data that comprise the full chain of custody for drugs as they move down the supply chain.  Effectively, the GHX prototype implements an NCeP where GHX provides connection pooling and all of the centralized services inherent in the ePedigree model.  Larger companies would probably still want to have their own EPCIS-based applications in-house but it appears to me that smaller enterprises might only need a small data capture application that relies on the GHX service to hold all of their data.

GHX has a lot of experience with receiving, holding and sending sensitive company data between supply chain companies as an Electronic Data Interchange (EDI) exchange ecommerce hub, among many other services, primarily aimed at the U.S. medical/surgical supply chain.  According to the original Pharmaceutical Commerce article the company has an interesting history which has resulted in it being owned today by about 20 different companies who are members of that same supply chain.  A few of them are important members of the pharmaceutical supply chain as well (full disclosure:  one of them is my day-job employer).

Keep in mind, as I pointed out in the essay, “Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 2”, the GS1 NCeP models are not intended to meet existing ePedigee laws so the GHX service isn’t going to help with any of those today.  The apparent assumption is that the Congress and/or the FDA will embrace one of the GS1 NCeP models and pre-empt the existing state laws in the next year or so and in that case, GHX will be ahead of the game with a service that is designed to handle data volumes in the range of what social media sites like Twitter and Facebook handle.  According to Margot Drees, Director of Corporate Strategy at GHX, the service can already handle a sustained rate of more than 1,000 messages per second and burst rates of more than 5,000 per second.  I’m told they expect to go well beyond those stats in the very near future.  Contact Margot if you want more information.

WHAT DOES IT MEAN?

Pay close attention to what GHX has done with this new prototype and where they end up taking it in the future.  It will likely be significant to the industry.  The GHX prototype turns out to be a cloud-based service that they could mold into one of several of the NCeP models that have been defined by GS1, including either of the two Centralized models and at least one of the Distributed models (maybe more).  The core functions in the GHX prototype are currently setup to implement a Semi-Centralized model but they could fairly easily be tailored to one of the others if future federal regulations turn out to favor one of the others.  See my essay from last spring, “The Viability of Global Track & Trace Models” for more on pedigree models.

Because of their existing ecommerce business, GHX already has over 12,000 companies in the pharma and medical products supply chains connected to their infrastructure, according to one of the Pharmaceutical Commerce articles.  What that means is that the setup costs for those companies to begin using a GHX NCeP could be minimal.  The “pipe” to GHX—and by extension to up to 11,999 of their potential trading partners—already exists in the GHX “community”.  This represents an advantage that would likely give GHX a leg up on any competitive NCeP service provider.

It is also very likely that the companies that are joint member-owners of GHX could be counted on to purchase their future NCeP exchange services from GHX.  Take another look at the list of companies who fall into that category and you will see that they would represent a considerable portion of the transactions that would likely occur under a full, nationwide pedigree requirement.  These are probably the reasons GHX was willing to invest the significant resources it must take to develop a cloud-based service that has the performance capability in the neighborhood of modern social media sites in such a short time.

But there are risks for GHX.  First, what happens if Congress doesn’t enact a nationwide pedigree law that embraces an NCeP approach, or if they take so long to do so that the industry is forced to be ready for the California effective dates first?  While the GHX prototype is only aimed at an NCeP approach right now it may be possible for them to redesign it to help companies store, validate and exchange DPMS pedigrees if the NCeP concept doesn’t take hold.

Another risk is the possibility that the NCeP model that the government and industry settle on could be one of the fully distributed versions that do not have any need for centralized components.  In that case the value of the GHX service would be significantly decreased, but I think they could still attract customers because of the value of the connection pooling service they could offer.  (See my essay, “Impact of RxUSA v. HHS On Future Pedigree Legislation“ for my thoughts on the likely failure of a distributed pedigree model in the U.S.)

Whatever ultimately happens I think GHX is a company to watch.  What do you think?  Leave a comment below and tell us.

2012:  IT’S GOING TO BE A GREAT YEAR!

I’m planning on making this my last posting for 2011 so I can enjoy the holidays with my family and friends.  I hope you all can do the same.

Keep reading RxTrace in 2012.  A lot is going to happen and I will continue to provide you with my perspectives.  Here is a short list of topics that I am already planning for 2012:

• FDA UDI proposed guidance
• The real pro’s and the real con’s of DPMS
• The complexities of pedigree compliance faced by kit makers
• More about applying standards to solve pharma supply chain problems
• A history of pharma supply chain security regulations and technology

Plus, analysis of:

• Whatever the FDA decides to do about updating their barcode rule
• Any action taken by Congress on Track & Trace or ePedigree
• Action by any state on ePedigree
• Industry preparations for California pedigree compliance

HAPPY HOLIDAYS!

Dirk.

EXAMPLE:  EXISTING ePEDIGREE LAWS

The language of the U.S. Prescription Drug Marketing Act (PDMA) specified the kind of data that must be in a compliant pedigree but it did not identify any particular technology to carry that information.  Of course, compared with today, what kind of technology was available back in 1987 when the PDMA was first introduced in the U.S. House of Representatives?  Is it a paper pedigree?  Can it be electronic?  What is the format?  Can GS1’s Drug Pedigree Messaging Standard (DPMS) be used to comply?  None of these questions are definitively answered in the Food and Drug Administration (FDA) documents I have seen.  Also missing is any recognition of the concept of “interoperability” and its importance to companies across the supply chain.

The Florida Pedigree Law was originally passed in 2003.  In the text of the law the word “pedigree” was always followed by the word “papers” as in:

“The information required to be included on a legend drug’s pedigree paper must at least detail the amount of the legend drug, its dosage form and strength, its lot numbers, the name and address of each owner of the legend drug and his or her signature, its shipping information, including the name and address of each person certifying delivery or receipt of the legend drug, and a certification that the recipient has authenticated the pedigree papers.”

It is a document-based pedigree law.  The Florida law allows the records to be stored and transmitted electronically but when the “pedigree papers” are presented to an inspector, they apparently expect them to be in paper form so electronic documents would need to be printed.  The Florida Law assigns the responsibility of creating a form for use as a valid paper pedigree to the Florida Department of Health (DoH)—the only “technology” identified in the law.  The DoH created a form for wholesalers and one for repackagers that companies have used successfully since 2006 when the law went into effect.

SIDEBAR:  Ever since the Florida DoH did a major redesign of their website in the last year or so they seem to have made the paper pedigree forms inaccessible.  If you know where to find them, please leave a comment with the URL below because people frequently search for them on RxTrace.  I haven’t been able to find them.

However, the law required the DoH to produce “rules” for the industry to follow and in these rules (see also these rules) the DoH specifies that an electronic pedigree must make use of a number of Federal Information Processing Standards (FIPS) regarding digital signatures and related technology.  This is a significant technology mandate that is highly specific, but it is optional since it is only required if the company wishes to produce electronic pedigrees rather than paper.

Can you use GS1’s DPMS to comply with the Florida law?  Neither the law nor the regulations say explicitly that you can but I happen to know that many companies have been doing just that since 2006.  The DPMS standard was created after the original laws were passed and it was specifically created to help companies comply with the document-based pedigree laws known at the time.  That included PDMA, Florida, California and the “normal distribution” pedigree laws in a number of other states.

The California Pedigree Law was first enacted in 2004.  It requires the application of “…a unique identification number…” on “…the smallest package or immediate container distributed by the manufacturer…” (see the full text for additional details).  Once again, no specific technology is identified but is left up to the industry to come up with.

The California law was the first pedigree law in the U.S. to specify that “…[a] pedigree shall be created and maintained in an interoperable electronic system, ensuring compatibility throughout all stages of distribution.”  This seemingly simple statement does two things.  First, a pedigree must be electronic.  Second, the system a pedigree is created and maintained in must be interoperable throughout the supply chain.  That is, all parties in the supply chain must be able to read, understand and update the pedigree, but it avoids identifying a particular technology for doing so.  The hope was apparently that the industry would get together and select the optimum technical approach.

How’s that going?  It doesn’t look good right now.  Rather than coalescing around a single, interoperable technical approach to ePedigree it seems like companies in the supply chain are fragmenting into several camps.  Carried to its logical conclusion we may yet find that a few large companies will eventually dictate what technology everyone else will be forced to adopt regardless of the investments those other companies might have already made, but that assumes that those “few large companies” can agree on a single technology.  We’ll see.

A MORE RECENT EXAMPLE:  FDA SNI GUIDANCE

Many in the industry actually prefer that regulatory entities avoid identifying specific technologies in their laws and regulations.  For example, during the comment collection phase of what eventually became the FDA Standardized Numeric Identifier (SNI) Guidance, the SecuringPharma article, “Stakeholders respond to FDA’s track-and-trace proposals”, paraphrased that sentiment in the part of the article that described the response from UPS Supply Chain Solutions:

“UPS Supply Chain Solutions contends that the FDA should not mandate any specific technology for track-and-trace, rather define the requirements, and that industry stakeholders should develop interoperable technology themselves”.

On the surface this seem very logical.  Ultimately the FDA did just that when they published their final guidance for the SNI and did not specify a particular carrier technology or mandate a specific standard, although they did identify the GS1 Serialized Global Trade Item Number (SGTIN) as an example of something that does conform to their guidance.

A COUNTER-EXAMPLE:  FDA BAR CODE GUIDANCE

But there is an example of a time when the FDA did mandate a specific data carrier on prescription drugs and I think it warrants a closer look.  Back in 2004 the FDA published their final bar code rule that required all prescription drugs distributed in the U.S. to have a linear barcode at the unit level.  The final rule took effect in 2006.  That rule did not specify a particular linear symbology, only that the barcode had to be linear.  The final rule itself includes a lengthy section of comments submitted as part of the proposed rule and the FDA’s responses.  In that section they pointed out that,

“[m]ost comments [received] argued against the use of linear bar codes or asked us to encompass other technologies or to eliminate any reference to linear bar codes in the final rule. Many comments claimed that the rule would discourage or inhibit technological innovation, although they differed as to their preferred alternatives to a linear bar code.”

The discussion included in the final rule is lengthy and contains an excellent analysis of the trade-offs between specifying a linear barcode, specifying a different data carrier or not specifying any technology at all.  Very well thought out, interesting reading and very pertinent to this topic.  I highly recommend reading it.

The document continues:

“After reviewing the comments, we have decided to retain the linear bar code requirement, but will consider revising the rule to accommodate newer technologies as they become more mature and established.”

Apparently, that time has come.  Last month the FDA published a new request for comments (RFC) to determine if they should revise the 2004 Bar Code Final Rule by specifically reconsidering the “linear bar code” requirement.  Initial comments must be received by January 9, 2012 and reply comments by February 23, 2012.  According to the RFC…

“FDA is requesting comments and supporting information on (1) bar code labeling standards for drugs and biological products and (2) the identification of current alternative technologies for use by industry and others.”

The remainder of the RFC includes a list of specific questions that are designed to help facilitate more unified responses.

SHOULD REGULATIONS DICTATE TECHNOLOGY?

In my view the original FDA Bar Code Final Rule of 2004 did the right thing in specifying linear barcode technology, but my reasoning is slightly different from those that the FDA listed in that document.  The real value to the industry in the FDA’s mandate was that the technology was fixed on a well-know, well-established and sufficient technology for the time which led to significant efficiencies in the handling of this product in the supply chain.

In this instance I think it is laughable to think that the FDA’s mandate would stifle technical innovation as some did back then.  What that “technical innovation” would have led to if that argument had been embraced by the FDA back then is significantly reduced efficiency in handling drugs by distributors, pharmacies and hospitals who would have been forced to deploy multiple technologies and multiple business processes to deal with every “innovation”—or whim—that drug manufacturers would have chosen to invest in.  As we have seen recently in California that would have included multiple flavors of RFID, linear barcodes and 2D barcodes.  Thankfully they didn’t do that and those drugs that were serialized for California pedigree pilots also retained the linear barcode so that existing systems could still read the NDC.

Now that some time has passed and regulatory needs have evolved, with this new review the FDA can let the industry help them determine if some alternate technology has some important benefits that linear barcodes do not have.  Considering that we are now looking at the need for serialization within the U.S. supply chain because of the California pedigree law and potentially a new Federal law, a new carrier technology to replace the linear barcode seems quite timely.

Just like it did with linear barcodes in 2004, the FDA should now select a logical new carrier technology and mandate it, giving manufacturers at least two years to deploy the necessary system changes.  But once the new carrier technology mandate goes into effect, every manufacturer must use the same, single carrier technology on all saleable units.  That way the downstream supply chain organizations can invest in a single technology to read the NDC and perhaps the serial number, lot and expiration date (if so mandated now or in the future).

It is the movement by the industry in unison that is the real benefit of carefully mandating a single technology for identifying drugs in the supply chain.  It is the key to maintaining and even improving supply chain efficiencies.  This is nothing more than “interoperability”, where everyone uses the same approach to something so that the systems of all companies can understand and work with that something to its fullest extent.  Does it stifle innovation?  Yes, but it does it in a way that allows the most efficient changeover to each new innovation, which actually leads to more benefits than allowing any company to make use of any innovation at any time.

So the point is, pick the right innovation to switch to at the right time.  I think now is the right time, but what is the right innovation?  Make sure you submit your favorite one to the FDA through their docket and don’t forget to clearly explain why it is best.

CAN THIS LOGIC BE APPLIED TO FUTURE ePEDIGREE REGULATIONS TOO?

When it comes to regulating a supply chain I think it is clear that interoperability is essential to ensure lower costs for all parties.  Interoperability comes from standards, which is just another way of saying “one way of doing something”.

Consider what is happening right now in the GS1 Network Centric ePedigree (NCeP) group.  That group has published descriptions of seven different ways to create a new drug ePedigree system through a network approach.  I have been part of that effort.  Once we had a list of five NCeP models we felt like we needed to reduce the number by selecting one or two to go forward with, or by eliminating two or three.  We found that to be so hard to do that instead of the number of models being reduced it actually grew to the current seven models!

For the most part, the models are mutually exclusive.  To attempt to allow two or more models simultaneously within a given country or region would result in the same problem that multiple carrier technologies on packages of drugs would.  It might be technically possible, but it would lead to reduced interoperability, be very confusing and highly inefficient for all supply chain members.  Maximizing interoperability would come from the use of a single NCeP model at any given time within a given region and that would have the effect of maximizing efficiency for all.

I finally concluded that we shouldn’t reduce the number of NCeP models at all.  In fact, the GS1 NCeP list of models and their descriptions should be considered a “catalog” of models for use by any regulatory bodies who feel the need for a new ePedigree system, and the industry to compare and select the best model for their region and their supply chain.  Ultimately the regulatory body for that region should be expected to identify exactly one of the NCeP models that must be followed after a given date in the future as part of a new regulation.  A specific technology mandate.  The regulatory body could identify another date farther out in the future when the choice of models will be reconsidered—with industry input—so that innovation is accommodated, just like the FDA is doing with their barcode rule.

GS1 can facilitate that only so far.  They can help explain the standards behind each model, as we have already done in the NCeP group.  Once again, the final decision must be made by the regulator using the input of all stakeholders.

Do you disagree?  Should regulators allow/encourage the use of multiple carrier technologies on drugs within the U.S. supply chain?  Should they allow/encourage the use of more than one ePedigree model within a given region?  Is there some other way to get total alignment around a single technology within a supply chain of a given region without resorting to a regulatory mandate?  Explain your logic in a comment below.

Dirk.

Raising the penalties for counterfeiting drugs to the point where they adequately reflect the widespread harm they can cause the public is a very good thing.  It should have the effect of making people think twice about selling counterfeit drugs to Americans through the internet or attempting to introduce them into the legitimate supply chain (brick-and-mortar and legitimate internet pharmacies).  It may even cause more people in the legitimate supply chain to think twice about buying drugs that have prices that seem too good to be true from sources that they aren’t quite sure about, so that they don’t inadvertently get caught up in a scheme to introduce counterfeits into the supply chain and risk prison or a large fine.  Maybe.

WHAT ABOUT DRUG FACILITY/CARGO THEFT AND PHARMACY ROBBERY?

Yes, significantly higher penalties for counterfeiting drugs are a good thing, but can’t we make the same argument to also justify higher penalties for drug theft from distribution centers and trucks, and robbery of pharmacies?  These crimes are also on the rise and they also result in a high potential for widespread harm to the public when these drugs are reintroduced into the legitimate supply chain.  These crimes can result in something that is just as bad as the harm that can come from counterfeiting.

Take, for instance, the recent successful cargo theft of a truck carrying 14 pallets-worth of Oxycodone tablets from Actavis last month as reported by SecuringPharma.  The heist also netted the thieves 16 pallets of other drugs too, but I want to focus on the Oxycodone.  Nobody is going to find these bottles showing back up in the legitimate supply chain.  Oxycodone is the generic name for the opiate-based prescription pain medication that most people know better by its brand name “OxyContin” used by the brand owner.

Oxycodone abuse in the U.S. has been rising steadily for at least the last dozen years.  It results in a particularly insidious form of addiction.  One that quickly becomes a major social problem in the small and large communities where it takes hold.  Here is a quote that says it all from U.S. Attorney Joseph Famularo during a February 2001 news conference as quoted in the March 13, 2011 article “OxyContin abuse spreads from Appalachia across U.S.” by Bill Estep, Dori Hjalmarson and Halimah Abdullah of McClatchy Newspapers:

“You could leave a bag of cocaine on the street and no one would touch it, but leave one OxyContin in the back of an armored car and they’ll blow it up to get at it.”

Along with the rise in Oxycodone abuse has been a rise in serious crimes committed by addicts desperate for whatever it takes to get more Oxy.  And now we have 14 pallets-worth more of it in the hands of those who will make sure that the number of those addicts increases.  If our law enforcement organizations are unable to recover that shipment then we are all going to see more of the kind of social destruction that results from the crazy crimes these desperate Oxy addicts commit.  The U.S. Drug Enforcement Administration (DEA) has been trying to control diversion of Oxycodone, but this single cargo theft represents a huge quantity that goes well beyond the “fraudulent prescriptions, doctor shopping, over-prescribing, and pharmacy theft” diversion that the DEA is focusing on.

HOW MUCH CAN A THIEF MAKE FROM A SINGLE CARGO THEFT?  MORE THAN YOU THINK.

Let’s try to figure out the approximate street value of just the Oxycodone in this cargo theft.  According to the SecuringPharma article, the thieves got away with about 70,000 units.  That’s about 5,000 bottles per pallet which is within reason for a 100 count bottle of small tablets.  I’ll assume that this shipment was evenly divided between the 30mg dose and the 15 mg dose.  According to the National Prescription Drug Threat Assessment 2009 conducted by the U.S. Department of Justice National Drug Intelligence Center, the average street value per milligram of Oxycodone in 2008 in the U.S. was $1.15.  With this data we can calculate that the estimated 2008 street value of just the Oxycodone in this cargo theft is

( ( (15mg + 30mg)/2 )*$1.15  * 100tabs per bottle ) * 70,000 bottles = $181,125,000.

$181,125,000 !

If this were the market value of a typical drug cargo theft where the drugs only have value if they are sold back into the legitimate supply chain the thieves would probably expect to receive much less than this when they sell the drugs.  But in this case, because the drugs have a higher street value than legitimate supply chain value, they can probably expect to sell this Oxycodone for even more than this value because it is now 2011 and I assume prices on the street only go up.

The estimated street value of this stolen drug is only one aspect of this particular cargo theft.  The cost to our communities of 70,000 more doses of Oxycodone being sold to addicts across the country in terms of family breakdown, job loss, and elevated petty and serious crime, makes this particular cargo theft something that we are going to be dealing with for a long time.

Those who introduced the bipartisan bill into Congress last week recognized the critical difference between the criminal counterfeiting of watches, purses and apparel, and of the much more serious crime of counterfeiting drugs because of the widespread harm they can cause.  That is the proper justification for significantly higher criminal penalties for drug counterfeiters.  If this bill is enacted, the penalties for drug counterfeiting will reflect this greater ability to harm.  But the penalty for pharmaceutical cargo theft should likewise reflect the widespread harm it can inflict on our citizens and our communities over and above non-drug theft.  The sponsors should make these newly enhanced penalties apply to these crimes as well while the bill is still in committee.  Counterfeit drugs are a problem, but so are drug cargo theft and the prescription drug abuse that can result.

A QUESTION FOR YOU, DEAR READER

So, dear reader, I have a question for you that has been banging around in my head ever since I read about the Oxycodone cargo theft I analyzed above.  As U.S. taxpayers–as the people who will foot the bill for the devastation to our people and our communities that will come as a direct result of this $181 Million crime–what kind of security practices should we expect the owner of a shipment that has a street value of $181 Million to use on that shipment?  What kind of security practices should we demand?  Please leave your answer in a comment below.

Dirk.

In this Part of the series I want to take a closer look at the work of the Network Centric ePedigree work group of the GS1 Healthcare Traceability group.  I am one of the leaders of that group along with Dr. Mark Harrison of the Cambridge University AutoId Lab, Dr. Ken Traub, Independent Consultant, and Gena Morgan of GS1, along with strong contributions from Janice Kite of GS1 and Dr. Dale Moberg of Axway.  The larger group consists of people who work for companies in the pharmaceutical supply chain, GS1, and solution providers from around the globe, although I think the majority are from the U.S.

The NCeP group published a very interesting recording of a presentation that explains the details of their work.  It is called “NCeP – Technical Analysis Sub-Group, Event Based Pedigree”.  The purpose of this recording is to help people outside of the close-knit NCeP group to learn about the pedigree models developed there, evaluate them and provide feedback to the group about which model(s) should be considered for ePedigree and traceability regulations in the future.

WAIT…”REGULATIONS OF THE FUTURE?”  BUT WHAT ABOUT CALIFORNIA?

That’s right.  One of the first decisions the NCeP group made back when they were formed was that they would purposely avoid trying to create a solution that would specifically work in California.  The group recognized that the current California pedigree law as written leads you down a path that only ends up at a document-based approach to compliance.  If the group had chosen to go down that path, it would have only led to the creation of a duplicate of the existing GS1 Drug Pedigree Messaging Standard (DPMS).  The DPMS standard defines a document-based ePedigree model that was purposefully designed in 2006 to help companies comply with document-based ePedigree laws like the Federal Prescription Drug Marketing Act (PDMA), the Florida Pedigree Law, the California Pedigree Law and all of the “normal distribution” state pedigree laws that exist around the U.S. today.  There would be no benefit in reproducing the same kind of functionality by shoe-horning the non-document-based EPCIS standard into a document-based solution.

So instead, the group decided to focus on defining models that would allow the EPCIS standard to be used as it was designed to be used with the hope that the result could be used to persuade legislators in the U.S., the E.U. and elsewhere to produce new legislation that would embrace one of those models.  This was a much better approach because it removed the constraints imposed by the existing laws that come from their document-centric design.  In the U.S. the thinking is a new Federal pedigree law may define a network-centric approach to pedigree that aligns with one of the models defined by the NCeP group, and—most importantly—that it will pre-empt the California pedigree law so that the industry can veer away from document-based compliance before the deadline.

If Congress does not enact a new law that can be met using a network-centric approach by 2015 then companies will need to invest in DPMS-based systems.  Those systems would almost certainly also make use of the EPCIS standard to capture and hold serial number events but those events would be encapsulated in DPMS pedigree documents for exchange.  The same would occur if Congress enacts a new law but follows California’s lead and makes it document-specific.  How long can companies wait for Congress before they need to start investing in DPMS systems in preparation for California?  Maybe another 12 to 18 months I’d say.

WHAT ARE THE PEDIGREE MODELS DEFINED BY THE GS1 NCeP GROUP?

The NCeP defined seven different models that make use of EPCIS to create a network-centric pedigree system.  The best way to find out about them is to listen to the recorded presentation that the group produced, but here is a listing:

1. Single centralized model
2. Semi-centralized model
3. Distributed Push model
4. Distributed Query Model Using ASN to Push Links
5. Distributed Query Model with Discovery Services
6. Distributed Model Using Centralized Discovery and Checking Services
7. Push All Events Model

Personally I think that models 1 and 7 are equally impractical and probably shouldn’t be on the list for free-market countries.  Model 1 assumes only a single repository for pedigree data and would probably be implemented as a government-run entity.  Smaller countries might consider a model like that but because the volume of transactions would be so huge, larger countries should avoid it.  Model 7 is basically the shoe-horning of a document-model into an EPCIS-based approach.

What you are left with are the Semi-Centralized model and four distributed models.  For California compliance specifically, the distributed models have the fatal flaw that they are, well…distributed (see Part 1 of this series, “The Viability of Global Track & Trace Models”  and “Inspecting An Electronic Pedigree”).  That leaves us with the Semi-Centralized model.

COULD THE SEMI-CENTRALIZED NCeP MODEL WORK IN CALIFORNIA?

The Semi-Centralized model requires all trading partners to push their EPCIS event contributions to a drug’s pedigree up to one of multiple pedigree repositories.  From that repository a pedigree “report” (a modified DPMS pedigree message perhaps that contains an overarching digital signature applied by the central service) could be requested that could contain all of the data elements that the California law requires (see the full list in Part 1 of this series).  Only the certifications required by California would require some special extension work but that could be done.  This model can even fulfill the need for each trading partner to validate the full transaction history on the pedigrees at each transaction without downloading the full report every time (the central checking service would perform the analysis and simply notify the data owner of the results).

I think it may be possible that the Semi-Centralized model could fill the requirements of the California regulations but it would take some work to add the elements that would be necessary.  This would take some special work by technical experts to accomplish properly.  See my essay “A Semi-Centralized, Semi-Distributed Pedigree System Idea”.  At this point in time, it would require a group of people to jump right on it so that the concept definition and development work gets done quickly and decisively.

I’m not sure there is sufficient interest in formalizing a true alternative to DPMS of any kind in California now that there appears to be some chance that the Congress might act soon, which would potentially pre-empt the California law entirely.  We have a tendency in this effort to put all our eggs into one basket and hope for the best.  That’s a lot of hope on top of hope in my view.

Technically this approach would not use EPCIS-alone because the pedigree report would need to be implemented with all the same characteristics of a DPMS pedigree with some modifications.  So I believe this model would be a combination of both the EPCIS and DPMS standards—a concept I have supported for many years (see this essay from 2008 “Combining EPCIS with the Drug Pedigree Messaging Standard”).

WHERE ARE WE NOW?

This essay is Part 2 of why a pedigree solution for California’s existing law cannot be based only on EPCIS and still comply.  We found that there is at least one NCeP model that might enable compliance but it would take an effort that may not get organized because of the distraction of the work that appears to be just starting in Congress.  Maybe that work will be fruitful and any work on alternate California models would turn out to be a waste of time.  That possibility may easily dampen the interests of those who are qualified to do the work.  In that case, we’d better do more than hope that Congress is successful.  I understand that is a coalition of companies who are pursuing just that.  We’ll see if they are successful in the next 10 months or so.

Which direction do you think we should spend our time and efforts on right now?  If the lobbying effort in Congress doesn’t work by the end of this session, are we happy enough with DPMS to move forward with that document-based approach there as the effort to get action out of the next session of Congress?

Leave comments below, either named or anonymously, or just send me an email with your thoughts (I won’t publish those).

Dirk.

(The quality of the attendees is exactly why I like the HDMA Track and Trace Seminar.  BTW, this year’s HDMA event starts this Thursday).

In the case of this year’s PSM event, I rate the quality of the attendees very high, and that’s because I had a number of great conversations with some very knowledgeable people during the breaks and at the social event the evening before.  That was my interaction with the attendees, not the speakers.  One of the topics of conversation surrounded the question of what exactly it was the led to the successful challenge to the Prescription Drug Marketing Act (PDMA) pedigree provisions in the RxUSA v. HHS court case and appeal and whether or not the same thing might occur with other drug pedigree laws.

AN IMPORTANT QUESTION GOES UNANSWERED

One of the first speakers at the PSM event was U.S. Representative Jim Matheson (D-UT), sponsor of H.R.3026, the “Safeguarding America’s Pharmaceuticals Act of 2011” which was introduced into the House of Representatives on September 22, 2011.  There are some differences, but the core of this new bill is basically the same as the Buyer-Matheson-sponsored H.R.5839 “Safeguarding America’s Pharmaceuticals Act of 2008” which was referred to the Subcommittee on Health in the House Committee on Energy and Commerce back in 2008 where it was allowed to die.  H.R. 3026, the new bill, is now sitting in that same subcommittee.

Representative Matheson spoke about his latest bill.  The whole time he was speaking I kept wondering if this new bill makes any attempt to address the deficiencies in the PDMA pedigree provision that were the subject of the RxUSA v. HHS court challenge.  RxUSA, a small drug distributor, was successful in obtaining a court ordered preliminary injunction against the implementation of some of the FDA’s regulations [specifically within 21 C.F.R. § 203.50(a)].  The U.S. Food and Drug Administration (FDA) believed that those provisions were soundly based on the PDMA law.  The Department of Health and Human Services (HHS), the larger federal agency that the FDA resides within, appealed the lower court’s ruling and lost the appeal.  The FDA finally removed the enjoined provisions just this last summer.

Certainly, given that history and the resulting four-plus year delay in some protection of the supply chain, the authors of this new bill would have spent considerable effort making sure that they addressed any deficiency that existed in the PDMA that led to the successful court challenge.  In fact, these flaws in the PDMA are one of the main reasons you would even need new legislation.  And being the sponsor of that bill, certainly Representative Matheson should be aware of any effort to address those flaws.

By the end of his speech he hadn’t touched on that particular topic so I raised my hand to ask the question.  Representative Matheson had limited time and could only take three questions.  By the time the third questioner had been selected, I wasn’t one of them so I lowered my hand thinking that I wouldn’t get my question answered.  But then the person who had been chosen to ask the final question asked almost the exact same question that I had in mind.  The questioner was a VP at Pfizer.  Apparently we were thinking the same thing.  She asked if this new bill addresses the problems that apparently exist in the PDMA?

Representative Matheson’s answer:  “I don’t know”.

THE ARGUMENT UNDER THE RxUSA CHALLENGE

What was it that made RxUSA’s challenge so solid that the preliminary injunction stood up on appeal in the Federal Appellate Court?  RxUSA claimed that the FDA’s requirement that a pedigree must extend all the way back to the drug’s original manufacturer was potentially an “arbitrary and capricious” interpretation of the PDMA’s requirement that a wholesaler must provide a statement “identifying each prior sale, purchase, or trade of such drug.“  Both the District Court and the Appellate Court agreed and upheld the preliminary injunction on enforcement of that requirement.

It’s important to note that neither court determined with certainty that the PDMA or the FDA’s interpretation of it were arbitrary and capricious.  Instead, they determined that there is a “better than 50%” chance of proving them so, and that’s apparently enough to retain the preliminary injunction against enforcement until the issue can be fully determined in a different court action.  It doesn’t look likely that either party will pursue that question now.

RxUSA argued that since, under the PDMA, all Authorized Distributors of Record (ADRs) are exempt from the statute’s pedigree requirements,

“Thus, if the FDA’s regulation were put into effect as written, all lower-level distributors would be required to provide pedigree information that is currently held only by authorized distributors. The [lower] court determined that this would effectively make it impossible for lower-level distributors to comply with the law.”  (quote from the Appellate Court decision)

That is, because the ADR was not required to record and maintain any pedigree, or statements “identifying each prior sale, purchase, or trade of such drug”, it would be impossible for a lower-level distributor to acquire the information necessary to generate a pedigree that extended all the way back to the original manufacturer, which was part of the FDA’s interpretation of the PDMA.  That’s because the pedigree that the lower-level distributor needed to produce would have to include the information about the ADR’s purchase and sale of the drug–information that only the ADR could provide.  Since the ADR wasn’t required to keep that information, they could choose not to keep it, or not to provide it and then the lower-level distributor could not fulfill the requirement.

DOES THIS CASE HAVE ANY IMPACT ON THE SELECTION OF PEDIGREE MODELS?

I think it may.  First, I think it shows just how important it is for pedigree legislation to cover all the bases and leave little for interpretation.  Second I think it shows how closely the exact wording of a pedigree law must be followed.  This Court followed the letter and not merely the spirit of the law.  That’s not really surprising I suppose.

Of course, the Court did not review the entire PDMA, it looked at only the specific challenge brought by RxUSA.  But the argument that a downstream trading partner in the supply chain cannot fulfill their legal requirement because an upstream trading partner is unwilling or technically incapable of providing certain information that was necessary for them to comply, sounded familiar to me.  That’s very close to what would happen within the operation of a true “Distributed Pedigree” model.

In a distributed pedigree model, upstream trading partners (like manufacturers and the first distributor of a given drug) won’t feel threatened because their ability to obtain the information they need to comply is fairly well assured.  The farther down the supply chain you get, however (like “lower-level” distributors and pharmacies) the more complex and difficult it will be for companies to obtain the information they need at the moment it is necessary for them to prove that they can construct a pedigree.  If any one of the upstream previous owners of a drug cannot or will not provide the information that is necessary to the downstream trading partner for compliance it will be impossible for that downstream partner to comply with the law.  Fundamentally that sounds to me just like one of the arguments that RxUSA successfully made in their case.

Another thought is that it appears that none of the existing state pedigree laws have the flaw that exists within the PDMA.  None of them exempt ADR’s.  Most either exempt the pedigree entirely for certain types of supply chain movements—so called “normal distribution”—and/or they require all parties in the supply chain to update a pedigree document with all the information that downstream parties will need and passed it down the supply chain along with the drug—the so called “document pedigree” model.  In the document model downstream parties don’t have to obtain additional information from upstream parties, but the document gets larger as it moves down the chain since it is carrying all of the information contributed by prior owners.

IS A RATIONAL PHARMA SUPPLY CHAIN SECURITY LAW EVEN POSSIBLE?

I’m not a lawyer, so don’t take my theories as facts but check with your lawyer before taking any action.  The PDMA’s exemption of the ADR is at the core of the successful RxUSA challenge.  It’s pretty clear why the Congress might have preferred to make such an exemption.  Distributors who are authorized by the manufacturer to distribute their drugs are most likely to buy those drugs only from them, and in very high volumes.  To place strict record-keeping requirements on those companies would be pretty onerous because of the huge volumes of product involved, and would not likely be necessary considering that they buy almost exclusively from the manufacturer—a source generally considered safe.  So, on the surface, it seems logical to exempt them.  But that’s the flaw.

So what’s the solution?  Is it even possible to create a meaningfully protective law that doesn’t have that flaw and yet is capable of being mirrored in a technical pedigree model that is affordable for all participants?  This is the link between law, regulations, standards and technology.  All of these pieces need to fit together intelligently so that costs are minimized at the same time that protection of the supply chain against criminal activity is maximized.  Producing a pedigree or track & trace law in a vacuum without considering the all these elements is very likely to fail from some legal challenge as the PDMA pedigree has, or because the costs throughout the system are too high, or because it fails to stop criminals from gaming the system.

But I think it is possible to craft a law that meets all of these challenges.  It’s just going to take a concerted effort.  What do you think?  Leave your comments below.

Dirk.