Within conversations held during the development of standards for electronic pedigrees it is sometimes common to hear people apply the following test to any pedigree proposal:

“A state inspector arrives at your facility without prior warning, enters the warehouse, picks up any random package of drugs and asks to see ‘the pedigree’ for this package.”

The point being made is that, according to the California Pedigree Law, at the very least, supply chain members will need to be capable of producing a full pedigree for any and every package of drugs in their possession at any time in case of a surprise inspection.

This scenario is an important one when selecting a pedigree model, but it often causes me to think about exactly what the company being inspected would show the inspector, and how they would do that.  To comply with the law, ‘the pedigree’ must be electronic.  That is, it would be in the form of computer-friendly data.  The only electronic pedigree format that is known, with some confidence, to be usable for compliance in California is the GS1 Drug Pedigree Messaging Standard (DPMS) and it carries the data in an XML (eXtensible Markup Language) file.  Even GS1’s Electronic Product Code Information Services (EPCIS) –based systems that many people are hoping will comply with the law stores the data that would constitute ‘the pedigree’ in XML.

But XML isn’t really very readable to humans, with the possible exception of computer programmers.  It’s not likely that the inspector is going to want to see a printout of the pedigree XML data when he or she asks to see ‘the pedigree’.

Instead, most people I know assume that companies will need to show a fancy formatted report that represents the data that is in ‘the pedigree’ XML.  Remember that the Florida pedigree regulations stipulate a specific form that constitutes a valid paper pedigree format and, while they allow pedigrees to be held and exchanged electronically, they apparently expect the electronic pedigree to be presented to them as a printout that is formatted to look just like the paper form.  That may be what leads people to think that California will accept a formatted paper printout that contains all the same data that is in the electronic XML data that is the actual pedigree.

In fact, even the California Board of Pharmacy seems to agree with this kind of presentation of pedigree data to an inspector.  In their January 2008 draft document called “Questions and Answers Relating to the California Electronic Prescription Drug Pedigree Law(s)” the very last question and answer is:

“Q78 Can a wholesaler or pharmacy maintain/store the pedigree record electronically?

Yes. California law requires that records of the manufacture, sale, acquisition and distribution of prescription drugs be available on the licensed premises for three years from the date of making (B&P §§ 4081, 4105, and 4333.) The pedigree record may be kept electronically so long as a hard copy and an electronic copy can during that period immediately be produced (B&P § 4105.)”

The pedigree record may be kept electronically so long as a hard copy and an electronic copy can…be produced.  Hhmmm…Personally, I think the board has mis-interpreted their own law, but I’m not a lawyer and you should consult with yours to decide if you agree or not.

WHY ACCEPTING A PRINTED REPRESENTATION OF AN ELECTRONIC PEDIGREE IS A BAD IDEA

One of the whole points of pedigrees is to help detect criminal activity within the legitimate supply chain.  The California law is quite clear on the requirement that pedigrees be electronic and it doesn’t mention paper, hard copies or printouts.  The reason is fairly obvious, I think.  Electronic pedigrees can take advantage of modern electronic security mechanisms that have been developed over the last 40 years.  DPMS takes advantage of digital signatures to make even the slightest tampering plainly obvious.  But these mechanisms don’t work when they are printed out.  There is no effective protection retained from a digital signature when you print it.

In fact, a criminal wouldn’t even need to bother investing in pedigree management software if an inspector only expects to see a printed representation of an electronic pedigree.  They would simply use a word processor and maybe some simple scripts to print a very nice looking fake “pedigree” that contains a believably proper chain of custody.  It doesn’t need to be true because, unlike an electronic pedigree, with a printout the inspector can’t easily check its accuracy or consistency while he or she is on the premises.  Checking it later would provide the criminal with the time to pack up and disappear.

HOW TO INSPECT AN ELECTRONIC PEDIGREE

So if a printout is a bad idea, how should an electronic pedigree be inspected?  In my view inspectors should carry a laptop computer that has some standard pedigree checking software on it and they would ask the company to provide them with a copy of the electronic pedigree data on a USB thumb drive.  Or in a Semi-Centralized pedigree model the company would give the inspector temporary access to the pedigree data stored in the cloud-based third-party repository.  (See my essay “A Semi-Centralized, Semi-Distributed Pedigree System Idea”.)

The inspector would then use their own checking software to check the digital signatures and present the results on their screen in a format that would look just like the printout might have looked.  The difference here is that the analysis of the electronic pedigree would be performed by software, brought by the inspector, that has been certified against whatever pedigree standard is in use.  If a pedigree has been faked or tampered with, this software would easily detect it and would display that result.

WHAT IF THE INSPECTOR MAKES A SLIGHTLY DIFFERENT REQUEST?

So far in this essay I haven’t differentiated between a distributed pedigree system and a non-distributed one.  (For a discussion of various track & trace models see my essay “The Viability of Global Track & Trace Models”.)  People think that the logical pedigree-related request for an inspector to make is the one I started this essay with.  If the data necessary to produce a pedigree is distributed across multiple trading partners (the previous owners of the drug) and needs to be collected before it can be presented to the inspector, everything still works as I’ve described above (assuming those trading partners’ systems are responding at the time the inspector makes the request to see your pedigree).

But what if the inspector makes the following request instead?

“Show me the pedigree that you received from the seller at the time you acquired this drug”

This may seem like an insignificant variation of the earlier request above but it’s actually an entirely different request.  With this request the inspector is testing the requirement that, as the buyer, you “may not acquire a dangerous drug without receiving a pedigree”.  The trouble is, in a distributed pedigree model companies would not actually receive the full dataset necessary to build ‘a pedigree’ at the time they receive each drug package.  That would only occur at the time an inspector asks to see the pedigree.

If the company being inspected is using a distributed pedigree model and they respond to this request by collecting the necessary data from the previous owners and constructing the pedigree for the inspector, it seems like they are committing a form of fraud (check with your lawyer) since the resulting pedigree is not the pedigree they received at the time they acquired the drug.  It was constructed just now for the first time.

In fact, in a distributed pedigree model, they did not receive ‘a pedigree’ at all at the time they acquired the drug, which appears to be a violation of the law.  (For an explanation of what constitutes ‘a pedigree’ in California see my previous essay “Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 1”.)

With this logic, I contend that a true distributed pedigree model, by its nature, doesn’t comply with the California Pedigree Law.  Do you disagree with this logic?  Leave a comment below.

Dirk.

I’m pretty excited about the kickoff this Wednesday of the GS1 EPCglobal Software Action Group (SAG) Discovery Services Work Group which will take the business and technical requirements that were collected by an earlier group and turn them into an actual standard.  This will be the first new major technical standard GS1 has started for quite a few years.  The most recent kickoff I can remember was the GS1 Drug Pedigree Messaging Standard (DPMS) which kicked off back in late 2005 and completed in January 2007.  The GS1 Electronic Product Code Information Services (EPCIS) standard effort kicked off in late 2004 and completed in April 2007.  That gives you an idea of how long these things take.

The effort to create the business and technical requirements for Discovery Services started just about two years ago and completed this past December.  How long will it take to get to a ratified standard?  The GS1 Discovery Services Work Group Charter predicts it will be done in June of 2011, but predictions in charter documents are notoriously optimistic.  The EPCIS Charter predicted that standard would be ratified in August of 2005, for example—one third the time it actually took. 

This is not a bad thing in my opinion.  A Charter document needs to estimate how long the effort will take, but once things get rolling, GS1 EPCglobal takes as long as needed to get the standard right.  So how long will this one take?  Based on how long the requirements took, I’m guessing the development of this standard will take some time.  Right now, I’d guess it will be complete sometime in early 2012.  That would be two years.  Hmmm….  Almost feels too short.  We’ll see.

Standards development can be contentious.  If it’s done right, that is.  I’m talking about contentiousness along the lines of the Lincoln-Douglas debates or the crafting of the U.S. Constitution, only pitting different technical approaches against each other.  The GS1 EPCglobal SAG facilitation crew really knows what they are doing when it comes to facilitating contentious groups so the blood, sweat and tears invested are directed in a positive direction and results in a valuable standard in the end.  I worked with Mark Frey in the development of DPMS and I just can’t say enough good things about him.  According to the charter document, Mark will be involved in the Discovery Services group, as will Giselle Ow-Yang—a great start.  From these choices you can tell GS1 EPCglobal places a lot of importance on the success of this effort.

BUT WILL DISCOVERY SERVICES HOLD ANY VALUE FOR PHARMA?

Right now, I don’t think the pharma supply chain will be able to make use of Discovery Services for regulatory compliance with current or even future pedigree laws.  As far as I can tell, I’m the only person I know who sees it that way so let me explain.  It comes down to what Discovery Services is aimed at and how that differs from what pedigree laws are trying to accomplish.  There seems to be a disconnect between what people think a pedigree law is trying to accomplish and the reality.  That leads them to the misconception that something like Discovery Services has value for compliance.

I reach this, perhaps shocking conclusion from the following analysis.

FUNDAMENTAL LAW OF COMMERCE

In my first substantive essay in this blog I pointed out what I called a fundamental law of commerce.  That is, when regulations mandate that a product’s value is determined by the ability to show, at any time, specific information about the product’s history, then the buyer of that product must receive all of the necessary information from the seller at the same time the product is received.  That information is so intertwined with the product’s value that it actually becomes part of the product itself, and needs to move with it.  Supply Chain companies who buy products can’t rely on previous owners to hold information on their behalf without a contract to do so if the total value of those products depends entirely on the instant availability of that information at any unpredictable moment. 

This is the case with drugs in supply chains that operate under pedigree regulations.  If a regulatory inspector arrives at the door of one of these companies and asks to see the pedigree of any item they happen to pick randomly from the inventory, and the company cannot produce the pedigree because they are unable—for any of a myriad of reasons—to collect it from remote databases controlled by upstream trading partners, that item has zero value and the company should expect to be fined, or worse. 

When this scenario happens, more than likely the pedigrees of a lot of other units will also be unavailable at the same time for the same reason.  This single inspection at the wrong time–when an earlier owner’s database is, coincidentally, unavailable–could result in a significant part of the company’s inventory being impounded, large fines imposed and the opening of a wider investigation.  All because essential information was not in the control of the party that was responsible.

So, a distributed pedigree doesn’t work in a regulated supply chain.  But why doesn’t this issue get discussed more in industry groups that are trying to figure out how to create an interoperable, standard approach for the industry to follow to meet the current and future pedigree laws?  It’s because of a very interesting thing about this “fundamental law”:  for the most part, it has no impact on drug manufacturers. 

They don’t buy drugs, so, even if a distributed pedigree were selected as the industry solution, they would almost never need to access data on anyone else’s server to reconstruct a pedigree.  All pedigrees from their perspective are entirely stored on their own servers because they start them.  Because of this fact, drug manufacturers won’t “feel” this problem with a distributed pedigree.  Only wholesalers and pharmacies will “feel” it because they buy drugs from upstream trading partners.  Right now the pharmacies are not participating much in the search for a solution, and the number of wholesalers involved is not great.  The largest representation is from the manufacturing segment.

THE DEPUTIZED SUPPLY CHAIN

More recently I posted an essay on the “deputization” of the pharmaceutical supply chain by regulators.  This is a recent phenomenon where regulatory agencies have begun to require supply chain member companies to monitor the supply chain themselves.  It comes from the realization of two things by the regulators:

1. the supply chain is too massive for regulatory enforcement officers to inspect anywhere near enough transactions to detect illegitimate behavior;
2. the responsibility for supply chain security rests with the participants and not just with the regulators.

When you put these two concepts together, the only natural conclusion is that supply chain participants must self-monitor and report suspicious activity.

You can see this deputization in the way the Florida and California Pedigree Laws are written.  They both require companies who buy drugs in the supply chain to receive a pedigree for every drug purchased (although in Florida, wholesalers who buy directly from the manufacturer are allowed to initiate pedigrees).  They also require the recipient to check those received pedigrees for errors, inconsistencies and omissions—all before they are allowed to put the drugs they purchased into regular inventory.  Any irresolvable discrepancies must be reported and the drugs must be quarantined pending further investigation.

I hope it’s obvious to you that the buying company must have all of the prior supply chain history—the pedigree— of every drug before they can properly perform this analysis and before they can confidently place it into usable inventory.  Theoretically you could accomplish this with a network of distributed information servers, but the full set of pedigree data would also have to be passed down the supply chain, along with the drug, in addition to it being distributed.  However, the official pedigree—the one that companies and regulators would rely on—would remain the information that is passed.

THE POINT OF DISCOVERY SERVICES

On their website, GS1 EPCglobal answers the question, “What is ‘Discovery’?” this way:

“’Discovery’ is finding and obtaining all relevant visibility data, of which a party is authorized, when some of that data is under the control of other parties with whom no prior business relationship exists.”

They view the benefits of Discovery Services to include:

“Enable trading partners to discover all of the resources who may have information about things (who has data about EPCx? Where is their EPCIS located so I can ask about this data about EPCx?)                  

“Enable trading partners to exchange data in a secure way with parties that they may not have a prior direct business relationship                  

“Will ensure each party retains rights of ownership of its visibility data                  

“Will ensure that queries are authorized and authenticated”                  

Clearly Discovery Services has a value if your supply chain can get away with distributing visibility data across the supply chain, but I’ve already dismissed the utility of this approach for pedigree compliance above.  But if a push-model is used for compliance instead, what value are these benefits? 

THE TRUE VALUE OF DISCOVERY SERVICES IN THE PHARMACEUTICAL SUPPLY CHAIN

When you look at the future Discovery Services standard through this analysis, how can you conclude that it will contribute any value to pedigree compliance?  I don’t, but lots of other people, who have not seen my analysis, do.  But how about value from non-compliance uses?

When you think about it, the concept of pedigree—or chain-of-custody/ownership—is a historical view back “up” the supply chain, as viewed from the perspective of where a drug is right now.  That fulfills one side of the concept of “track and trace”.  Different people define that concept in different ways, but I subscribe to the group that believes that “trace” is the capability that is encased in the concept of “pedigree” (thus the name of my blog:  RxTrace).  In my view, a push-model pedigree completely fulfills the definition of a “trace”, but it does nothing to enable the other side of the coin:  “track”. 

“Track”—a consolidated forward view of exactly where drugs are right now in the supply chain from the perspective of previous owners—has value for things like recalls, regional emergency response, manufacturer production planning and wholesaler purchase planning to name a few. 

Tracking drugs may also make an important contribution to supply chain integrity by helping to detect diversion, theft and duplication of unique identifiers by counterfeiters, depending on the adoption model.  This is where the real value of Discovery Services lies for the pharma supply chain.  But tracking of drugs, and the use of Discovery Services as part of the implementation, has some thorny data ownership issues that will have to get solved.

So why am I so excited about the kickoff of the Discovery Services standard development work group?  I want to help find a way to solve those thorny data ownership issues that stand in the way of some of these “track” applications.  I think they will exist in all supply chains but perhaps pharma’s use case has the most thorns.  If we can find the right technical solution to that issue I think the supply chain will find the value in Discovery Services… It just won’t come from pedigree compliance. 

If you’ve stayed with me by reading this far, then you should join me on the work group.

The original California Pedigree Law was passed back in 2004 and it was subsequently modified by the State Legislature in 2006 and again in 2008. In all three instances, I understand that members of the legislature and the Governor’s office worked closely with the State Board of Pharmacy to develop the final content and language.

I heard that one of the goals was to create a better law than the one in Florida. Did they succeed? In order to find out, let’s take a closer look at how they compare.

The law that is currently on the books in California differs from the Florida Pedigree Law in the following ways:

1. It is fully electronic (it is NOT paper-based)
   The law and all of the discussion of the law by the Board of Pharmacy make it clear that the only acceptable form of a pedigree is electronic. This make it much more reasonable to implement because supply chain members can make use solely of computers to exchange, store and validate pedigrees, without fear that their trading partners can only handle paper pedigrees.
2. Pharmacy returns must be reflected on pedigrees
   This was an original requirement of the Florida Pedigree Law too, but it was removed under pressure from lobbyists before the law went into effect. So far, it remains intact in California, but the law is not yet in effect. What it means is that when a pharmacy buys drugs from someone and they return those drugs, regardless of how little time has transpired, they must provide a pedigree update so that subsequent buyers of those drugs can see their purchase, and return transactions. This is no different from the requirements faced by all other segments.
3. It starts with the manufacturer
   In Florida the first wholesaler started the pedigree. In California, the pedigree must be started by the manufacturer or it is not valid. If you are looking to expose the full history of package of drugs, how could you not start with the manufacturer? I even think the manufacturers generally agree with that notion.Interestingly, the Law doesn’t actually require anything of the manufacturers directly. It is directed at wholesalers who are licensed to operate within the state. Distribution of a drug without a pedigree that was started by the manufacturer is illegal and subject to penalties, but it is the wholesaler who violates the law and is punished, not the manufacturer. Thus, if a given manufacturer fails to provide California wholesalers with serialized product and compliant pedigrees by the time the law goes into effect, it will be up to the wholesaler to decide not to distribute those drugs within California in order to avoid violation of the law and avoid the associated penalties. The only risk a manufacturer takes on is that their drugs may no longer reach patients in California (and the subsequent PR firestorm that would follow).
4. It requires item-level serialization
   California is very clear that they consider the concepts of “electronic track and trace” and “item-level serialization” as being inseparable. That is, if you have one but not the other, then you don’t have a pedigree system. Every drug package must have a unique identifier on it, applied by the manufacturer or repackager, and that UID must be included in the pedigree (the electronic record). This is a substantial difference from the Florida law which has no such requirement.
5. No holes designed to accommodate special interests
   I’m not aware of any special treatment in the Law for any particular segment of the supply chain. Florida opened several holes that seriously compromise the intent of their law. So far, California has resisted opening holes, unless you consider pushing back the effective date to 2015-2017 a “hole”.

Attentive readers will notice that I have listed these differences in the same order as my list of failures of the Florida Pedigree Law in my earlier post about the Florida Law. This is my way of showing that California has, so far, created a pedigree regulation that does not have any of the major failures of the Florida regulation.

These are the major differences, but what about the common characteristics? Here are the key things that the California Law has in common with the Florida Law:

• Reliance on Digital Signatures
  Florida allows a pedigree to be created, stored and passed in electronic form, though they don’t require it. But if a Florida pedigree is in electronic form, digital signatures are required for the same purpose as a hand-executed signature on a paper document. The digital signature legally binds the signing person or entity to the content of the electronic document. Florida identified some specific standards that ensure that the digital signatures possess the all-important quality of non-repudiation. The California Pedigree Law does not, itself, specify any standards for digital signatures, but the Board of Pharmacy’s Q&A (see their Q72) calls out the fact that the California Code of Regulations identifies the specific characteristics that must result from a compliant digital signature architecture for electronic documents. The digital signature standards that are compliant in Florida would also be compliant in California.The fact that California included the use of digital signatures is significant because it ensures that each pedigree can stand on its own as a self-contained, self-secure package. This maximizes the value of the entire pedigree architecture because the security mechanism that prevents tampering goes with the package itself. No one has to rely on the access security of a given server or group of servers to prevent tampering. And, if tampering does occur, it can be easily detected, unlike tampering of pedigree approaches that rely solely on server access security. In that case, if server security is breached, you can’t tell which pedigrees were modified and which were not, rendering them all suspicious.
• It distributes responsibility for monitoring supply chain security to all supply chain participants
  This is the one genius concept of the Florida Law and California retained it, thus qualifying those involved for genius status as well. It’s a regulatory approach that is relatively new but is likely to become much more common in the face of perpetual budget “crises” in state and federal government agencies. Instead of requiring trading partners to simply keep records of their own buying and selling history for each drug so that they can be audited by an inspector at some later date, these laws require them to check the validity of the full pedigree at the time of each purchase transaction, in near real-time.Notice the difference. In the first instance, it is up to the State Board of Pharmacy inspector to detect suspicious activity in the supply chain. But how often will a state inspector visit, and how many records will they be able to review? It’s inconceivable that this approach would result in the detection of illegitimate activity.But when every purchase of a drug as it passes down the supply chain requires the buyer to run a validity check on the full transaction history of that specific bottle, it greatly increases the odds that most suspicious transactions will be detected. And for most suspicious events in the history there will normally be multiple opportunities for detection. Here, digital signatures are the enabling technology. They allow all of this supply chain monitoring activity to occur reliably and automatically inside computers that are distributed throughout the supply chain, without human intervention and without slowing the movement of drugs.

So did California succeed in creating a better law than Florida? I propose that there is almost no comparison so the question may be moot. The California Pedigree Law is so much more far-reaching than the one in Florida. While Florida focused on disrupting some very troublesome practices being performed by a few nefarious licensed and unlicensed wholesalers, California’s law is designed to cause a major reorientation of the pharmaceutical supply chain approach to security, monitoring and policing (see also The Deputized Supply Chain). This has major implications that go well beyond those of the Florida law.

Faced with that, it is not surprising that it was necessary to push out the effective dates to 2015-2017. Transformation this big takes time to implement.

Over the last few years I have been kicking around an idea that helps identify an important characteristic that will be necessary in any successful supply chain pedigree or track and trace technology/regulation. I can sum it up as follows:

When regulations mandate that a product’s value is determined by the ability to show, at any time, specific information about the product’s history, then the buyer of that product must receive all of the necessary information from the seller at the same time the product is received.

Take, for instance, a secondary wholesaler in Florida today. Florida requires a secondary wholesaler to be able to show an inspector a complete pedigree for any prescription drug in their possession. If the wholesaler cannot show the proper pedigree, then the product cannot be sold in Florida. The value of the item is reduced, perhaps to zero. If this drug-without-a-pedigree can legally be shipped to sites or customers outside of Florida the reduction in value is equal to the cost of the extra shipment, extra handling and perhaps a temporary out-of-stock situation until the unexpected loss can be backfilled (and possibly a fine).

Now imagine what would happen if there were no other place to legally ship drugs whose pedigree information is unavailable when called upon. The value of the drugs would certainly be zero, or worse. That’s a risk that can be avoided by ensuring that all of the information necessary for the pedigree is in the possession of the secondary wholesaler at the time they purchase the drug.

What would cause the information to not be available? Some technical approaches to maintaining pedigree information under discussion within the industry right now might result in something I call a “distributed” pedigree. That is, one that is stored across multiple organizations; the previous owners of the drug. When it is necessary to show a complete pedigree–to an inspector, a law enforcement organization, or just to a buyer–these other organization must be called upon to provide their part of the pedigree. The occasion that leads to the need to show a complete pedigree will probably occur somewhat unexpectedly (especially in the instance of a regulatory inspection or a law enforcement action). If one or more of the organizations holding part of the pedigree information are temporarily or permanently unable to provide their part of the pedigree, the product cannot be sold and thus has lost all of its value.

The real problem with a distributed pedigree occurs when the supply chain extends beyond just two trading partners. For example, the third owner of a drug in the supply chain probably doesn’t have any business relationship with the manufacturer (the first owner). That’s why they bought the product from the second owner. There is probably no contract between the current owner of the drug and the previous owners (except the most recent seller) so there is no way to ensure that these earlier owners will provide their necessary components to the pedigree when it is called for.

The solution is to make sure that all of the necessary data for the pedigree is always supplied by the seller at the time of purchase. That way, if any of the earlier owners have technical (or other) difficulties that prevent them from being able to serve up data, it won’t affect the value of the drugs that are downstream in the supply chain. In short, a “distributed” pedigree won’t work.

I believe this concept is a corollary to the fundamental law of commerce known as “Buyer Beware”. Transmitting a full pedigree at the time of the sales transaction is one way of arming the buyer with sufficient information so they can beware.