Last week I published an essay that gave GS1 some advice on how to trigger interest in adoption of their Global Data Synchronization Network (GDSN).  Those of you who read that essay in the first two days read my snarky comments about GS1 seemingly attempting to commandeer the term “Data Quality” to include the need for GDSN.  That was based on a mis-interpretation of their marketing materials for their “Data Quality Framework” and as soon as I discovered my mistake I removed that part of the essay, leaving the core point of the essay intact (see “An Open Letter to GS1, RE: GDSN Marketing”).

In fact, GS1 is saying exactly the opposite of what I originally thought regarding Data Quality and GDSN.  That is, before you start publishing your supply chain master data (SCMD) through GDSN you should ensure that the quality of your data is high.  As GS1 points out, “Good quality data is foundational to collaborative commerce and global data synchronisation.”  I couldn’t agree more.

The GS1 Data Quality program is centered on the “Data Quality Framework”, which is maintained by GS1 but, according to them, was originally developed by AIM, CIES, ECR Europe, FMI, GCI and GMA.  These organizations are predominantly focused on the food supply chain which is ahead of the healthcare supply chains in their use of automatic identification and data capture (AIDC) and in the use of GS1 GDSN.

The Data Quality Framework appears to be a giant “lessons learned” resource provided by the members of the food supply chain to other companies and other supply chains who might want to follow in their footsteps.  As such, it could be very valuable to companies in the healthcare supply chains to help streamline their move to more efficient AIDC and data exchange.  From my experience, healthcare has a long way to go.

You can download the GS1 Data Quality Framework from this GS1 webpage.  It consists of a ZIP file that contains a self-assessment scorecard, a Data Quality Presentation (2010), a Data Quality KPI Checklist and two PDF files.  One called “Implementation Guides for the Data Quality Framework”, and “Data Quality Framework”.

In my experience within the healthcare supply chains, companies resist the idea of data synchronization, but I haven’t heard anyone who thinks the quality of their master data couldn’t be improved.  In fact, it’s a perennial problem.  Of course, you will find that the Data Quality Framework that GS1 is offering expects you to make use of GS1 identifiers like GTIN and GLN.  No surprise, but somewhere the case has to be clearly made in support of all members of a given supply chain benefiting from the use of the same identifier for a given thing.  Is this it?  Maybe.  Maybe not.  Why not give it a chance?  No one knows better than you that your master data isn’t perfect.

Dirk.

Dear GS1,

How have you been?  I’ve been fine, done a bit of writing since we last met and gotten a little greyer.  How are the kids?  My two kids are doing great but I have to admit, after raising two I don’t know how you do it with 125 kids, or whatever the number of M.O.s there are today.

The reason I’m writing to you today is to offer you my thoughts on your Global Data Synchronization Network (GDSN) Marketing campaign.  That campaign would be more effective if it focused on demonstrating the distinction between internal master data (and programs associated with improving its quality), and externally shared master data (and the significantly different kinds of programs needed to improve its quality).  And especially to show that many (most?) of company master data is, in reality, externally shared master data, either incoming or outgoing.  That’s the step that I see missing from your campaign.

Companies who are already familiar with the kind of programs that are designed to improve their internal master data need to be taught to see the special characteristics of the externally shared master data which they could publish for the benefit of their trading partners, or which they could consume from the trading partner who “owns” that data.  These are the characteristics that make the externally shared master data unique from the purely internal master data.  This is the epiphany that your marketing campaign should seek to impart.

Your campaign should acknowledge the existence of internal master data—the kind that benefits from the traditional data quality management programs but which would not benefit from the use of GDSN.  By separating this kind of data from the externally shared kind of master data you will help companies recognize on their own why they may have had so much difficulty elevating and sustaining the quality of this class of data in past data quality efforts.  Once that realization occurs, the need for, and the value of GDSN will become obvious and you will no longer need to “sell” anyone on it.  They would seek it out instead.

HERE’S HOW YOU DO IT

It’s really pretty simple.  All you need to do is to define a new term for the externally shared master data, a term that makes it clear that it is distinctly different from internal master data.  I have proposed the term “Supply Chain Master Data” (SCMD) in the past (here, here, here and here) because I believe it accomplishes that goal.  SCMD is MD that is shared within a supply chain.  I offer that term to you (it isn’t protected as far as I know)—or make up your own.  As long as you talk about SCMD as a special class of MD and how it’s quality can benefit from the application of GDSN I think you will get a lot more agreement because it will finally make sense to people, especially those who are new to GS1.

Whether you pick up my suggestion or not I wish you luck in your current marketing campaign.  I look forward to see you at our next meeting.  Say hi to the spouse and kids.

Sincerely, Your Friend,

Dirk.

Most Warehouse Management Systems (WMS) available on the market today do a fine job of allowing their users to manage inventories in the warehouses of drug manufacturers, distributors and chain drug stores.  A WMS is a software system that may be a part of a larger Enterprise Resource Planning (ERP) system, or it may be a third-party application that is interfaced with the owner’s ERP system.

All WMS systems that I am aware of are intended to be sold into multiple industries, not just in pharma.  That’s so that the WMS vendor can maximize their sales.  The more industries, the more sales and the more profitable it is.  Because some industries have long had serial numbers on some of their products (computers and peripheral equipment, cell phones, electronics, medical equipment, appliances, etc.) WMS vendors have included serial number handling in their software for decades.  In fact, I would bet that a serial number handling feature was included in WMS systems since the very beginning of that category of software.

However, buyers of WMS systems in the pharma supply chain should be very careful not to confuse a “serial number handling” or even “serialization” checkbox on the WMS vendor’s spec sheets with the kind of “serialization” they will need for compliance with modern pharma serialization regulations.  I include the California Pedigree Law, the potential future serialization requirements that may (or may not) be coming from the FDA, and those in the E.U.

THE DIFFERENCE BETWEEN WMS SERIAL NUMBER HANDLING AND PHARMA SERIALIZATION FOR REGULATORY COMPLIANCE

The reason is simple.  Despite the similar (or same) name, serialization in the pharma supply chain leads to significantly different functionality than dealing with serial numbers on products in other supply chains.  For example, think about what would be needed for a personal computer manufacturer.  They would need to keep track of which serial number is applied to which models.  They may want to keep track of who they shipped which serial number to, and they may want to connect their warranty registration, returns, warranty claims and service processes to their serial number database so they can make sure they know exactly which sub-model revision (hardware, firmware and software) they are dealing with and to confirm that the customer is valid (for after-sales service).  All of these serial number tasks can be easily accomplished within the WMS, within an add-on module, or within some module of the ERP system because they normally do not need to communicate with the systems of other companies.  These same kind of capabilities would be needed for all of the types of products I listed above.

But these capabilities are distinctly different from those that members of the pharma supply chain are going to need going forward and so these traditional serial number features of WMS systems are insufficient.  The pharma supply chain needs to use the serial numbers on drug packages to authenticate the supply chain history, either at each stop (California), at the point of dispense (E.U.), or somewhere in between (potential future U.S. FDA regulation).  This requires a different approach.

First, all companies within a given supply chain must follow certain standards to ensure interoperability of the serial numbers themselves and the how they will be handled across all members.  That is, a WMS vendor can’t simply make up their own serial number handling features because they will not interoperate with those from other vendors.  Second, some kind of standardized data exchange related to the serial numbers must occur between trading partners, and third, the management of the data must also be standardized so that the same functionality is made available to all parties in the supply chain.

STANDARDS ENABLE INTEROPERABILITY ACROSS THE SUPPLY CHAIN

In the U.S. and in many other countries around the world, GS1’s Global Trade Item Number (GTIN) plus serial number (or SGTIN) is the standardized serial number that has been chosen (see my essays “FDA Aligns with GS1 SGTIN For SNDC” and “California Enforcement Subcommittee Moves To Require FDA SNI” and also see the GS1 General Specifications).

In California the GS1 Drug Pedigree Messaging Standard (DPMS) is known to be usable for compliance and would fulfill the necessary standard format for data exchange and data management.  However, the industry has more recently been interested in the use of GS1’s Electronic Product Code Information Services (EPCIS) standard as the basis for the standardized data exchange and data management.  Personally I don’t think anyone has shown satisfactorily that it will comply with the current California law but it appears that companies who are members of GS1 U.S. Healthcare Traceability group are hoping that it will.  (See my essays “Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 1” and “…Part 2”.)  If the California Board of Pharmacy is willing to accept it, then it can be used for compliance, but until we know that, I think it’s risky to deploy systems that are only based on EPCIS.

We won’t know which standard will fulfill the needs of whatever federal pedigree regulation, if any, may be on the horizon until the regulation is published by the FDA down the road.  So far it is probably a good bet that EPCIS will play an important role and it is very unlikely that DPMS will play any role.  We’ll see…

Ignoring the debate over which GS1 standard would be used in the U.S., the point is, the existing serial number handling features of today’s WMSs will not be sufficient because they are intended for something else.  The key characteristic that both DPMS and EPCIS have that is missing from those existing WMS features is that they are able to document supply chain events that occur to GS1 serial numbers and therefore to the products associated with those serial numbers.  This includes Commissioning, Aggregation, Shipping and Receiving, among others.  When you include the fact that they are both standards that all solution developers can follow, which results in interoperability between their solutions, DPMS and EPCIS are the only ways to address the needs of these modern requirements in the pharma supply chain.

WMS AND SERIALIZED EVENT REPOSITORIES

I once thought that WMS and Pharmacy Management System (PMS) vendors would see the difference and perhaps would add at least the standard EPCIS interfaces to their products (see my essay “The Future of Traceability Repositories and Inventory Management Systems”), but as far as I know that hasn’t happened.  Perhaps they have concluded that a WMS isn’t really the place to store supply chain events.

The whole point of a WMS is for managing inventory and warehouse processes.  Serialized supply chain events are related to things that pass through the inventories, but the life of those events could extend well beyond the life of the typical data element a WMS needs to deal with today.  The data communications and management needs of serialized supply chain events is also beyond the traditional scope of a WMS.  It now seems to make more sense to have a separate repository just for those events and maintain minimal connection between that repository and the WMS.  Perhaps the only connection would be related to the time that the serialized products are present in the inventory that the WMS is managing.

Figure 1.

That might require some interface(s) between the two systems since the serialized event repository is an inventory system of a sort.  For each product code the WMS will likely maintain an inventory count and the event repository will likely maintain a list of serial numbers in the same inventory.

If you are shopping for a new WMS and you know you will need to comply with a pharma serialization regulation, make sure you fully understand the limits of the serial number handling capability of the products from each vendor you are considering.  Don’t assume that you will be covered just because the spec sheet has a check box for “serialization”.

Dirk.

Any company wishing to make use of GS1 standards—including their barcodes, identifiers and data exchange standards—must first obtain a GS1 Company Prefix, or “GCP”.  Normally you would obtain a GCP by applying to the GS1 Member Organization (M.O.) in the country where your company headquarters resides, but if you are a pharmaceutical company that makes drugs for the U.S. market, regardless of where you are located, you will need to obtain a special GCP from GS1 US, the GS1 M.O. in the United States.

That’s because currently, drugs sold into the U.S. market must contain a linear barcode that encodes your U.S. Food and Drug Administration (FDA) National Drug Code (NDC).  To properly encode that NDC into a GS1 barcode symbol, you must register with GS1 US the GS1 GCP that matches the FDA-assigned Labeler Code that is a part of every NDC.  Only GS1 US can assign/register a GCP that matches your FDA-assigned Labeler Code.  I explain all of this in more detail in my essay “Anatomy Of The National Drug Code”.

Companies may end up with more than one GCP over time for several reasons.  For example, if a drug company is based in Switzerland, merged with another pharmaceutical company in France a few years ago and sells pharmaceuticals globally, they may end up with the following GCPs:

• One issued by the Swiss GS1 M.O. obtained originally by the parent company
• One issued by the France GS1 M.O. obtained through the merger
• One issued by the U.S. GS1 M.O. registered by the parent company for use in identifying drugs sold into the U.S. market
• One issued by the U.S. GS1 M.O. obtained through the merger for use in identifying drugs made by the subsidiary in France and sold into the U.S. market

All of these GCPs have value for the parent company and to maximize that value, the parent company should view these GCPs as enterprise resources and manage them that way.  Number allocation based on these GCPs should be managed centrally using a strategy that is designed to maximize the benefit to the whole organization rather than to silos within the company.

WHAT IS A GCP USED FOR?

A GS1 Company Prefix is at the core of “The GS1 System”, a set of standards used globally for identification of products, services, assets, relationships and even documents.  These entities are identified in the GS1 System at the class level or at the serialized unit level through numeric “keys”.  All GS1 keys use the GCP as their foundation so that each key is uniquely specific to the owner of the GCP on a global basis.  Once a company is given the right to use a GCP they are free to define any key using that GCP without fear that they will clash with anyone else’s key, and without additional cost.  The remainder of each key is used to hold additional information to identify the target entity.  Refer to the GS1 General Specifications for full details (check with your GS1 M.O. or just search for a downloadable copy on the internet).

The GCP can vary between six and ten digits in length in the U.S. and may have a different variation depending on the M.O. making the assignment.  The following diagram is just a generalized depiction of that.

Here is a list of GS1 keys that are based on the GCP:

• GTIN (Global Trade Item Number) in 8, 12, 13 and 14 digit flavors, and the serial numbers associated with them when forming an SGTIN;
• GLN (Global Location Number) 13 digits;
• SSCC (Serial Shipping Container Code) 18 digits;
• GRAI (Global Returnable Asset Identifier) 14 digits, first digit is always a zero plus optional serial number up to 16 additional characters;
• GIAI (Global Individual Asset Identifier) up to 30 characters;
• GSRN (Global Service Relation Number) 18 digits;
• GDTI (Global Document Type Identifier) 13 digits plus optional serial number up to 17 additional digits;
• GINC (Global Identification Number for Consignment) up to 30 characters;
• GSIN (Global Shipment Identification Number) 17 digits.

Each type of GS1 key includes a numeric value that is combined with the GCP to form a specific instance of the key.  It is the assignment of these numeric values that must be managed in some way.  The total length of the key minus the length of the GCP determines how many digits are available to the owner to assign specific instances of the key.  These digits represent the “key space” for a given key.  The shorter the GCP, the larger the key spaces of each key type will be.

(NOTE:  As George Wright rightly points out in his comment below my off-hand formula for calculating the available digits in the key space leaves out the check digit in some keys as well as certain other individual digits in other keys.  Please refer to the GS1 General Specifications for the full calculation for each individual key type.)

CENTRAL MANAGEMENT OF GCPs AND GS1 KEYS

Companies of any size will benefit by managing all of their GCPs and GS1 keys in a single location and perhaps through a single database and application.  It enables the enforcement of a single corporate strategy for number assignment within each key space and ensures that duplicate values will not be generated and number ranges will not be wasted.

It is not necessary for the central GCP management authority to assign every single value for all of the keys to maintain control.  This is particularly true for high frequency assignment keys.  For example, the responsibility for assigning specific SSCC values may be delegated to remote systems.  Even then, the remote systems should be designed to acquire number ranges from the central system so that the enterprise strategy is maintained.  Once a number range is acquired by the remote system it can perform its own assignment of the SSCCs within the allocated range as necessary.  When it gets close to exhausting the current range of values it can request the next range from the central authority.  For small companies this could be done manually, but for mid to large companies, this should be automated.

Keys that are assigned at low frequencies, like GLN—which would only need a new assignment when a new location is established—or GTIN—which would only need a new assignment when a new product or new variation is introduced—could be done manually even in larger companies.  Whether manual or automated, central management of lower frequency keys is even more important than the high frequency keys in my view, to ensure that used numbers are properly kept track of.

Central management of all GCPs owned by a company allows the central authority to minimize the need to acquire new GCPs by maximizing those that are already under their control.  A central authority can ensure that the key spaces of each key are fully utilized before either reusing previous values (do so very carefully) or acquiring a new GCP.  In most cases these decisions should not be left up to remote business units or you might find that the enterprise possesses many more GCPs than are actually necessary.

Central management of serial numbers associated with GTINs–to form GTIN plus serial number, or SGTINs–should also be controlled centrally whether done individually or through number ranges.  This allows the enterprise to make use of a single serial number assignment strategy, including some form of randomization, if desired, like the kind offered by RxTrace advertiser Kezzler.

The introduction of a new GCP through a central authority can be much cleaner and much more efficient than if done otherwise.  Remote systems should not make any assumptions about the GCPs within the GS1 keys they are provided, whether individually or within ranges.  That way the central GCP authority can introduce the use of new GCPs at any time necessary.

Very large enterprises that make heavy use of GS1 keys might have a group that is dedicated to managing their GCPs and GS1 keys, but most companies will be able to make it fit within a group that is responsible for other data-related activities.  Good candidates for the GCP management responsibility within an enterprise are the Master Data Management (MDM) group or some other existing data management group.

Regardless what group the responsibility ultimately falls, central management of your GCPs and associated GS1 keys is a good idea.  If your company does not currently have central management, I suggest you start asking questions to find out:

• How many GCPs does your company control?
• Who manages the key spaces of each one?
• Does anyone know exactly which key values have been consumed within each key space of each GCP?
• Who has the authority to acquire a new GCP and for what reasons?

You might be surprised at what you find.

Dirk.

Back in 2007 the U.S. Congress passed the Food and Drug Administration Amendments Act (FDAAA) and it was signed into law by President Bush.  One of the provisions of that law was an instruction to the FDA to “…develop standards and identify and validate effective technologies for the purpose of securing the drug supply chain against counterfeit, diverted, subpotent, substandard, adulterated, misbranded, or expired drugs”, and “…develop standards for the identification, validation, authentication, and tracking and tracing of prescription drugs.”

The FDA fulfilled these instructions for one of the specific standards that the law identified when the agency published their Standardized Numerical Identifier (SNI) standard back in 2010.  That standard was fairly high level and for the vast majority of drugs, use of GS1’s Serialized Global Trade Item Number (SGTIN) (or “GTIN plus serial number”) for drug package identification would comply with it.  The text of the FDA’s standard says as much.

By defining the SNI in this way did the FDA surrender the development of the real SNI standard to GS1 (at least the sNDC portion of it)?  I don’t think so.  In my essay about the SNI standard I described it as the FDA “aligning” with GS1’s SGTIN (see my essay “FDA Aligns with GS1 SGTIN For SNDC”).  Alignment shouldn’t be confused with surrender.  The choice of alignment with SGTIN was good for the FDA, good for patients and good for the industry.

WHAT WE GOT WHEN THE FDA ALIGNED THEIR SNI STANDARD WITH GS1’S SGTIN TECHNICAL STANDARD

In the case of the SNI aligning with GS1’s SGTIN we got the following things:

• An existing robust global standard that has multiple years of use by multiple industries—including the pharma supply chain—and in multiple countries;
• Automatic interoperability with the regulatory requirements of other countries who have, or will, align with the SGTIN;
• Automatic interoperability with all of GS1’s other—current and future—standards that use the SGTIN as a key component (see my essay “GS1 Standards – Betcha Can’t Use Just One!”);
• Automatic interoperability with lots of existing third-party applications that are already designed to work with the SGTIN.  Some companies in the supply chain had already deployed these systems and now they can proceed with further deployments knowing that by doing so they will remain compliant with the FDA SNI standard;
• Widespread existing knowledge and understanding of the SGTIN and how to apply it within the industry.

These are huge benefits.

In contrast, China’s State Food and Drug Administration (SFDA) chose to expand the use of their own existing product serialization standard to include drugs, but that standard does not align with the GS1 SGTIN.  That will probably benefit the government there and perhaps domestic companies who are serving only the China market, but it could also complicate international trade in pharmaceuticals where companies from China are a party.

SO SHOULD FDA CEDE ALL STANDARDS DEVELOPMENT TO GS1?

The fact that FDA’s choice to align with GS1’s SGTIN provided so many benefits should not be taken as a sign that the FDA should simply mandate other GS1 standards to fulfill their obligation under FDAAA of 2007.  It made sense when it came to the foundational SNI to use the foundational SGTIN as the aligned standard, but that’s about as far as you can go.  GS1 doesn’t have standards that are out-of-the-box usable for “…validation, authentication, and tracking and tracing of prescription drugs”.  Those are high-level applications, not foundational standards like SNI.

Yes, you can use some of GS1’s standards as the basis for applications that might validate, authenticate and track & trace prescription drugs—likely including GS1’s Electronic Product Code Information Services (EPCIS) and related standards—but it is much harder for the FDA to “align” with those standards without a lot more FDA-specific explanation of exactly how they might be applied to implement those applications.  That FDA-specific explanation would be the description of an authentication and track & trace “model”, which might use GS1 standards under the covers.

The best thing GS1 has done that the FDA might be able to use to help them formulate their authentication and track & trace “standards” is the output of the GS1 Healthcare Network Centric ePedigree (NCeP) work group.  That group simply documented the characteristics of eight different ePedigree models that would be based on GS1 EPCIS.  The documentation amounts to a concise “catalog” of authentication and track & trace models that the FDA could use to help them select a viable model for their “standard”.  (They should also see my RxTrace essays, “The Viability of Global Track & Trace Models”, “Plateaus of Pharma Supply Chain Security”, “SNI’s Are Not Enough In a Plateau-Based Supply Chain Security Approach” and a bunch of others in my back catalog.)

Regardless of what FDA chooses to do in the development of the standards mandated by Congress, they should not and certainly will not cede it all to GS1.  The mission of the FDA is completely different from the mission of GS1 and the standards they each publish reflect that difference.  While I wouldn’t be surprised if the FDA authentication and track & trace standards include some references to GS1 technical standards, they will need to provide a lot more additional details than they did in the SNI standard.

We shouldn’t have long to wait to get an initial glimpse of where the FDA is going with their track & trace standard.  As I reported in my essay “InBrief: FDA To Publish Track & Trace Standard By Year End”, we should see the first draft by the end of the year.

Dirk.

Over the last year in GS1, in many of the members of the U.S. pharma supply chain and even in the FDA, the focus has turned to the analysis and discussion of three classes of electronic pedigree models:

• Fully Centralized,
• Semi-Centralized, and
• Fully Distributed.

I’ve discussed some of the pros and cons of these models here in RxTrace too (see “The Viability of Global Track & Trace Models”, “Should Regulations Dictate Technology?”, and “Could This Be Your Future Track & Trace/ePedigree Exchange Solution?”).

One of the characteristics included in many of these discussions is the “points of failure” of each model.  For example, I’ve heard it said several times that the Fully Centralized model suffers from a “single point of failure”, with the implication being that Fully Distributed models do not have this problem.  In fact, this is incorrect and in reality, both the Fully and Semi-Centralized models are much less likely to fail than models that fall within the Fully Distributed category when “failure” is defined as not being able to provide an ePedigree on demand in any given instance.

RELIABILITY ENGINEERING OF COMPLEX SYSTEMS

Wikipedia has a pretty good article on Reliability Engineering so I’ll spare you the background of the discipline that studies points of failure.  The mistake people sometimes make when comparing the centralized and distributed ePedigree model classes is to think that a single central repository is like “putting all your eggs in one basket”, and the distributed models is like “spreading your eggs out”, but this is wrong.  When it comes to the ability to produce an ePedigree on demand in a given instance, a model where all of the data is held in a single location is going to come out better in the failure analysis than one where the data is fragmented and spread out among multiple distributed databases and needs to be collected to produce a complete ePedigree.

In fact, all things being equal in each repository, the likelihood of failure would be at least n times greater, where n is the number of distributed repositories holding the fragmented ePedigree data.  That’s because, all things being equal in each repository, if any one of the distributed repositories experiences a failure, the overall system fails because it is incapable of producing the ePedigree.

BUT ALL THINGS WON’T BE EQUAL

In a Fully Centralized or Semi-Centralized ePedigree model the central repositories would be designed and maintained under contracts issued by multiple parties who would share an interest in high availability (HA) and disaster recovery (DR) so you can bet that there would be multiple online copies of the data hidden behind the façade of a single point of access.  More than likely those multiple copies would include copies that are widely separated geographically to mitigate the risks of major weather events (hurricanes, tornadoes, ice storms, etc.), natural disasters (tsunamis, fires, earthquakes, floods, etc.) and man-made disasters (terrorist attacks, war, etc.).  Even Twitter applies these principles to ensure that we won’t have to miss out on the latest celebrity drivel during and after one of these disasters.

The investment in the centralized repositories would be spread across multiple parties so more could be spent on ensuring that the data is protected without causing any one participant to pay excessively.  The costs would be spread out.

But in a Fully Distributed ePedigree model each data contributor—each supply chain participant—would be independently responsible for designing and maintaining their own repository to hold their fragment of the ePedigrees for the drugs they make, buy, sell and/or dispense.  Even many of the larger corporations in the supply chain may not have the expertise in-house—or the willingness—to apply the principles of HA and DR when designing their repositories.  It is extremely unlikely that all members would be able to do what is necessary to minimize the odds that some disaster would prevent them from providing their fragment of the ePedigrees requested.

For this reason we can’t use the phrase “all things being equal” between the repositories in the two centralized models and the distributed models.  Things are not going to be equal, and so the odds of a failure in the distributed models would be much worse than even n times greater than those of the centralized models.

WOULD A CRIMINAL CONTRIBUTE THEIR PEDIGREE FRAGMENT?

Now let’s throw into our scenario what happens when one of the supply chain participants is actually a criminal in disguise (for an example of how that can occur, see my essay “Lessons from ‘Drug Theft Goes Big’”).  In either of the two centralized models they would need to supply their ePedigree fragment data to the centralized repository before they could sell a given drug package.  The central repository would need to validate the data they contributed and if it doesn’t check out, the criminal activity would be exposed immediately and the illegitimate drug would not be able to move further down the supply chain.

But in a distributed approach the criminal wouldn’t need to supply their ePedigree fragments until later, perhaps only when someone becomes suspicious and requests the full ePedigree for a particular package of drugs.  When the criminal receives a request to supply their ePedigree fragment for a package that they know has an illegitimate history do you think they would supply that data?  Certainly not!  They would claim that they are having “system problems” and if pressed, the data would get “lost” somehow.  They are criminals, after all, and that data would be self-incriminating!

I hope you can see that a centralized ePedigree model is actually much less susceptible to failure—whether unintentional or intentional—than a distributed model.  I’ve grown to really appreciate the centralized models—particularly the semi-centralized model for free-enterprise countries.  I don’t see any characteristic where a distributed model outperforms the supply chain protections of a centralized model.  Do you?  Leave a comment below and set me straight!

Dirk.

The title is a paraphrase of a TV commercial from the 1960′s, ’70′s and ’80′s for Lay’s Potato Chips but the sentiment is the same.  You really can’t get away with using only a single GS1 standard.  That’s why they are sometimes referred to as “The GS1 System of Standards“.  It’s a “system” of standards.  Multiple standards that are designed to work for you together in concert; as a whole; not independently.

So when your customer demands that you make use of Global Location Numbers (GLN) and/or Global Trade Item Number (GTIN), they are starting you down the path of adoption of much more than just those two “entry-level” standards (see my essay “So a customer demands that you use GLN’s and GTIN’s. What next?”).  Here is a partial list of other GS1 standards that you may benefit from adopting once you fully embrace GLN and GTIN:

• GS1 UPC barcode symbology
• GS1 element strings encoded in a barcode symbology such as:
• GS1-128
• GS1 DataMatrix
• GS1 DataBar
• GS1 EANCOM EDI standard
• GS1 EPC RFID in frequencies such as
• UHF
• HF
• GS1 Electronic Product Code Information Services (EPCIS)
• GS1 Drug Pedigree Messaging Standard (DPMS)
• GS1 Global Data Synchronization Network (GDSN)

GS1 Healthcare is a community organization of end users within GS1 who are members of the global healthcare industry.  That organization created the following figure to show how GLN and GTIN are foundational to patient safety and supply chain efficiency, the ultimate end goals of its members.  At the top of that foundation is GDSN and above it are the five pillars of patient safety, which support the ceiling of supply chain efficiency and the overall roof of patient safety.  (See “Change has finally come:  U.S. Healthcare industry to implement common data standards to improve safety, reduce costs” by Joe Pleasant, CIO and SVP, Premier, Inc.)

GS1 Healthcare Patient Safety "House of Standards"

Many U.S.-based hospital Group Purchasing Organizations announced a number of years ago that they would require the use of GLN and GTIN by December 2010 and 2012 respectively.  Apparently at least one of those GPO’s also requires the use of GDSN but without specifying a date.

GS1 GLOBAL DATA SYNCHRONIZATION NETWORK (GDSN)

GS1’s GDSN is a standard that can be used by supply chains to communicate product class-level supply chain master data (SCMD) to all of the companies who participate in it.  Here is how I described it in my essay, “Supply Chain Data Synchronization and Patient Safety”:

“Generally, [GDSN’s] use requires all trading partners in a given supply chain to subscribe to a GDSN-conformant Data Pool service provider.  Unilateral adoption of GDSN by a single company doesn’t make any sense.  It’s a high bar for a large and complex supply chain to achieve through voluntary means.  Right now the pharma supply chain in the U.S. has not achieved it and so the quality of SCMD in the supply chain is currently dependent on ad hoc relationships and data passing.  Some of this includes manual data entry into the local master data systems at many points in the supply chain.”

Here is one way GS1 draws GDSN.  This view emphasizes the plumbing and shows the “how” of GDSN.  (See “Global Data Synchronization Network® (GDSN) Operating Roadmap for GS1, Version 7.3” November 2011.)

Click image to enlarge

Here is my rendition of GDSN use in healthcare.  I show it as a cloud-based repository where the manufacturer publishes their product master data and where downstream trading partners can subscribe to it.  That way everyone in the supply chain—right down to the healthcare professionals at the points of care—are using the exact master data as published by the manufacturer.  Admittedly this rendition doesn’t show how GDSN is implemented, but I happen to think that’s less important that showing what it is.  See GS1 for the details.

Click image to enlarge

Up to this point in time there still hasn’t been any significant use of GDSN in the U.S. medical supplies and devices supply chain and it is tough to get an entire industry to adopt something so large without some kind of incentive.  The GPO’s are trying to provide that incentive by mandating its use, so at some time after the GTIN is widely adopted on medical supplies and devices, SCMD may be synchronized between manufacturers and hospitals, and perhaps distributors as well.

USE OF GDSN IN THE U.S. PHARMACEUTICAL SUPPLY CHAIN

GDSN is also not currently used in the U.S. pharmaceutical supply chain, but in my view, it will be a necessity if/when GS1’s EPCIS standard is ever used for track and trace applications like ePedigree.  In my view, EPCIS alone can’t be used for compliance with the existing pedigree regulations in the U.S. (see my essays, “Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 1” and “…Part 2”).

But EPCIS just might become the basis for the track & trace standard that the FDA will publish by the end of this year (see me essay “InBrief: FDA To Publish Track & Trace Standard By Year End”).  Many people believe that standard will be based on EPCIS, similar to the way FDA aligned their sNDC standard with GS1’s GTIN (see my essay “FDA Aligns with GS1 SGTIN For SNDC”).  Include me in that group.

But, by design, EPCIS events do not carry SCMD (see my essay, “Pedigree Models and Supply Chain Master Data”), so if EPCIS events form the basis of an ePedigree, it will be a absolute necessity that all parties who are consuming and updating those pedigrees use the identical product class-level master data.  That would be necessary because everyone would need to agree on exactly what constitutes the drug that is referenced by the GTINs in the EPCIS events.  Without that common agreement on exactly what the GTINs mean, how can there be a true pedigree?

Here is a drawing that shows how GDSN could be used in conjunction with a semi-centralized ePedigree system that is built on top of EPCIS events.

Click image to enlarge

Notice how each trading partner in the supply chain communicates with both the GDSN cloud and the Semi-Centralized ePedigree cloud.  In actual implementation these clouds might not be so distinct because the same vendors might offer both, but I show them separate here because they are serving distinctly different purposes.

The GDSN cloud is serving as the common source of product SCMD as published by the manufacturer—keyed off of the GTIN—and the Semi-Centralized ePedigree cloud, based on EPCIS, is serving as the common repository for all supply chain events that occur to the actual unit-level instances of those products—keyed off of the serialized GTIN, or SGTIN.  The clouds also communicate with each other because, to produce a usable ePedigree report the ePedigree engine would need to obtain the SCMD from the GDSN cloud.

As I said, I think something like this will be a necessity if EPCIS is used as the basis of an ePedigree system.  So far when people in the industry talk about using EPICS for ePedigree they almost always forget the SCMD.  The ePedigree solution I show in the figure above is a very efficient model since the SCMD does not travel along the same path as the instance data (the EPCIS events).  This is in stark contrast to DPMS which needs to carry that data along with each ePedigree document—a big negative for that standard that many have pointed out over the years.

All pedigree models have trade-offs.  One of the trade-offs of ePedigree models based on EPCIS is that GDSN will probably have to be adopted throughout the U.S. pharma supply chain over a fairly short period of time, but no doubt patients would benefit greatly from that.

BETCHA CAN’T USE JUST ONE

There you have it.  Not only would pharma trading partners need to adopt GLN and GTIN, in this scenario they would also need to adopt EPCIS and GDSN shortly afterward.  In the pharma supply chain you can’t use just one!

Can you see any alternatives to this scenario besides adding DPMS in some way?  Leave a comment below.

Dirk.

It has been almost two years since I published “RFID is DEAD…at Unit-Level in Pharma” and we are approaching a pivotal decision by the Food and Drug Administration (FDA) that will determine whether or not RFID will be acceptable for identifying drugs in the U.S. supply chain.  Last Thursday was the scheduled final closing of the recent request for comment issued by the FDA formally known as “Bar Code Technologies for Drugs and Biological Products; Retrospective Review Under Executive Order 13563; Request for Comments, 76 Fed. Reg. 66,235” (Oct. 26, 2011) [Docket No. FDA-2011-N-0719].

The closing of this request for comment (RFC) means that it is now time for the FDA to figure out what they might do with the original questions.  That is, should they change the requirement for all packages of prescription drugs and many over-the-counter (OTC) drugs in the U.S. to contain the National Drug Code (NDC) encoded into a linear barcode?  And if so, what should they replace it with?  The RFC doesn’t give any hints about how far they might go and simply asks a series of questions of the industry and interested parties, letting the respondents propose whatever they think the agency should do.

I have spent my Sunday afternoon reading (OK, in some instances, skimming) through all of the responses.  They are available for anyone to read (or skim) at http://www.regulations.gov (search for FDA-2011-N-0719).  Considering that the input received from this RFC may influence the FDA’s decision about what to replace the linear barcode requirement with, I think the responses are particularly pertinent to RxTrace readers.

GENERAL THEMES

My reading has taken so long that I no longer have enough time left over to cover the responses in detail (consider yourself lucky), but there are a number of general themes that emerged from them in aggregate.

“Linear barcodes are so 2004″
Nearly all of the responses that answered the FDA’s specific questions indicated that it is time to move away from the use of linear barcodes.  I think all of the responses were submitted prior to the publication of my essay “Why NOW Is The Time To Move Away From Linear Barcodes” so to them I was simply restating the obvious.

“Don’t mess with ISBT-128“
The members of the blood, tissue and organ supply chain were well represented in the responses with comments that were very similar, like this one from Pat Distler of the ICCBBA.

“…we strongly encourage FDA NOT to require NDC be bar coded on licensed products requiring biovigilance (e.g., cells, tissue, tissue derived products, organs for transplant, medical devices for which donor to recipient traceability is needed).  Instead, FDA should expand the guidance given in Securing the Drug Supply Chain-Standardized Numerical Identification for Drug Packages to include all biologics such that the SNI for these products would be the unique identification number created for each package under ISBT 128 or other recognized standards.”

“Don’t restrict our choices”
Many of the respondents do not want the FDA to simply replace the word “linear” with some other specific symbology or technology.  Here is a comment that is representative of this theme:

“…we do not believe FDA should restrict the type of machine readable technology within the regulation.  The regulation should only state that machine readable information needed for traceability (unique identifier and product code) should be required.”

I was pretty surprised at how many respondents said that they wanted manufacturers to each decide which carrier technology to encode their NDC and other data in.  This is exactly counter to my thoughts as expressed in the essay “Should Regulations Dictate Technology?” where I argued,

“It is the movement by the industry in unison that is the real benefit of carefully mandating a single technology for identifying drugs in the supply chain.  It is the key to maintaining and even improving supply chain efficiencies.”

My concern is that, if every manufacturer can use whatever machine readable technology they think is best, then within a short time we will see every conceivable carrier technology in use within the supply chain at the same time.  Every barcode symbology and every flavor of RFID—and there are some other pretty weird technologies out there.  I think that’s a recipe for the degradation of interoperability.

Fortunately some of the responses in this category are simply concerned about the ease with which the FDA could change their regulations and so they didn’t think a full regulation should identify a specific technology.  They think the FDA should issue less formal guidance documents to specify the acceptable technologies.

“The type of machine readable information (linear bar code, 2-D bar code, RFID, etc.) should be provided only in easily-changed guidance documents.”

DataMatrix…DataMatrix…DataMatrix…DataMatrix…
For those responses that weren’t in the “Don’t restrict our choices” camp (and even including some of those) the most common recommendation was to replace “linear” with “DataMatrix”, one even providing additional technical detail, “DataMatrix  ECC 200”.  A representative example,

“GEHC recommends use of the GS1 Datamatrix as an alternative to the linear bar code.”

“Let GS1 decide”
Quite a few respondents recommended that the FDA turn over the choice of technology variously to GS1, GS1 US, GS1 Healthcare, or “the user community”, which is a euphemism for “companies who are members of GS1”.  John Robert of GS1 US explains it this way.

“It is also recommended that the FDA should select one standards system; specifically, the GS1 System.”

…

“In order to accommodate a variety of environments and applications, the GS1 System supports six barcodes that industry partners can work with to support their supply chain needs.  In addition, the GS1 System also supports two RFID data carriers…”

…

“Thus, it is recommended that the FDA not specify a proprietary data carrier, or any particular type of data carrier or technology.  Instead, it is recommended that the FDA only specify automatic identification standards that can be used.  Selection of data carriers must consider the constraints of the application.  The best way to determine the right data carrier for the product/package is to embrace a user driven, global process where data carrier selections are based on the operational, regulatory, business and practical considerations of the trading partners and the drugs themselves.  Therefore, the Bar Code Rule should not be based on a specific technology or a specific symbology.  Rather, it is only necessary to embrace unique identification based on global standards, and leave the selection of symbology and technology to the user community.”

“Require Lot and Expiration Date”
Quite a few responses note that the new FDA carrier technology, whatever it turns out to be, will be able to accommodate additional data with ease and that leads them to support the requirement that the drug’s Lot and Expiration Date be included along with its NDC.  Typical of these:

“PhRMA believes that both the product lot number and the product expiration date should be included in the barcode, along with the NDC number.  This information is included in the 2D barcodes that manufacturers have begun to adopt and FDA’s rules should allow for the inclusion of these data elements in the product bar code.  The inclusion of this information should be optional until 2016 and required after 2016.”

HEY, WHAT ABOUT RFID?

I know, I know, I promised you something about RFID, so here it is.  Quite a few of the responses that didn’t want the industry to be restricted explicitly listed linear barcodes, 2D barcodes and RFID as examples of technologies that should be acceptable.  Many of those would include any future technology so as not to stifle innovation (I shudder to think how many different kinds of readers we would all need to invest in!).

The only response that pushed hard for RFID over everything else was submitted by my old friend Randy Stigall of UPM RFID, an RFID tag manufacturer.  Randy’s response was an essay called “Powerful drivers for RFID pharmaceutical serialization”, apparently a reprint of his article from a pharmaceutical magazine.  In it he makes the case for the adoption of the latest High Frequency (HF) RFID standard from the International Organization for Standardization (ISO) and GS1, ISO 18000-3m3.  It is interesting reading, but I don’t think it’s likely to sway the FDA to replace “linear” with “ISO 18000-3m3 HF RFID” (sorry Randy…hey, give me a call sometime).

On the other hand, if either the “Don’t restrict our choices” or “Let GS1 decide” arguments prevail and one of them is adopted by the FDA, maybe one or two drugs identified by ISO 18000-3m3 HF RFID will show up in your drug shipments sometime soon.  What’s that?  Your linear/2D/UHF RFID combo device can’t read ISO 18000-3m3 HF RFID?  Quick.  Time for an upgrade!

Didn’t submit a comment in response to the FDA RFC?  That’s all right.  Submit one to RxTrace below.

Dirk.

Counterfeit Avastin

The internet lit up last week when the U.S. Food and Drug Administration (FDA) posted an announcement that they are aware of counterfeit Avastin in the U.S. pharmaceutical supply chain (see “Counterfeit Version of Avastin in U.S. Distribution” on the FDA website and Genentech’s announcement).

I found out about it when I received notice of Dr. Adam Fein’s (PhD) excellent blog posting “Greedy Physicians Invite Fake Avastin Into the Supply Chain” on his DrugChannels.net blog, but multiple national news agencies picked the story up and many articles were written about it.  Most simply reflected the contents in the FDA’s announcement.

But at least one news source seemed to do some additional investigating.  Bill Berkrot and John Acher of Reuters published the excellent article “Fake Avastin’s path to U.S. traced to Egypt” on Thursday.  In the article they provide a little more background on the path the drugs allegedly took before apparently arriving on the shelves of U.S. physicians and potentially in the bodies of unsuspecting U.S. patients.

And Pharmaceutical Commerce Online reports that Avastin isn’t the only incident of recent counterfeit injectable cancer drugs making it into the U.S. market that the FDA is currently investigating.

HOW COUNTERFEIT AVASTIN MADE IT INTO THE LEGITIMATE U.S. SUPPLY CHAIN

Now keep in mind, this is only investigative journalism so far, and while the information source listed in the Reuters article is the Danish Medicines Agency, criminal investigators may already know more than this and in the end, some or all of the contents of the Reuters article may eventually be found to be untrue.  Whether ultimately true or not, here is a drawing that I have constructed to reflect the path that they sketch out.  Dashed lines indicate probable sales transactions

Click on the image to enlarge.

As far as we know so far all of these distributors were licensed by some local regulatory agency to buy and sell legitimate prescription drugs somewhere.  At least we don’t know otherwise.  According to Genentech’s website, the U.S. Distributor that allegedly sold the counterfeit Avastin to 19 medical practices was not authorized by Genentech to sell legitimate Avastin to anyone anywhere.  The question is, were they licensed to sell prescription drugs in the locations that the FDA says they did (mostly California but also Texas and Illinois).  Local boards of pharmacy will have to investigate that for any potential violations.

PACKAGING PROBLEMS

It appears that the U.S. distributor that allegedly imported the counterfeit Avastin from the U.K. distributor and who then allegedly sold it to the 19 medical practices may have done so illegally not only because the product was allegedly counterfeit, but also because the product was not labeled for distribution in the U.S.  Here are the pictures of the counterfeit Avastin packaging from the FDA website.

Counterfeit Avastin

Counterfeit Avastin

The linear barcode on the package contains a GS1 GTIN-13 that is rarely seen in the U.S. on drugs, though it is typical almost everywhere else (especially in Europe).  According to the GS1 GEPIR service, the GTIN-13 on the counterfeit packaging uses the GS1 Company Prefix (GCP) that is registered with GS1 Switzerland to F. Hoffmann-La Roche AG of Switzerland.  Roche is the parent company of Genentech.  Of course, anyone can generate a barcode that uses someone else’s GCP so that doesn’t really mean anything except that the counterfeiters went to the trouble to make it look legitimate by that number.

The full GTIN-13 appears to be meaningless.  A Google search of the full GTIN returns nothing.  However, the GCP reported by GEPIR is “764012801” which is not composed of an FDA Labeler Code as it must be to be legally distributed in the United States (see my essays “Anatomy of the National Drug Code”, “Anatomy of a GTIN”, and “Depicting an NDC within a GTIN”).  There is no U.S. FDA National Drug Code (NDC) on the package or the vial in either human or machine readable forms.  Any good packaging expert would be able to find multiple other reasons this packaging doesn’t comply with U.S FDA regulations.

IS THIS JUST THE TIP OF THE ICEBERG?

When you trace backward to find the source of any drug in a lengthy supply chain like this it is an easy trap to assume that you have documented where all of the drugs went.  But more than likely you have only found how just one subset of the drugs made it to this particular endpoint.  The role of a distribution company is to distribute product.  If the Danish Medicines Agency and the FDA are correct, then these drugs that have been discovered in the U.S. supply chain went through at least four distribution companies and maybe five (if you include one in Egypt).  What are the odds that each distributor sold their entire inventory of this Avastin to the next distributor?  Laughably slim in my opinion.

Here is how I depict what we don’t know.  Dashed lines indicate probable and potential sales transactions.

Click on image to enlarge

If only a few of these unknown but potential transactions actually took place the problem could be much bigger than we know right now.  Hopefully there are intensive investigations going on right now on both sides of the Atlantic.  Unfortunately there is no single criminal investigating agency with jurisdiction over all of the places through which these counterfeit drugs allegedly passed.  That makes investigations complicated and time consuming.  If you were a criminal, wouldn’t you just love that about this kind of international crime?

HOW WOULD VARIOUS SUPPLY CHAIN SECURITY APPROACHES HAVE DEALT WITH THIS EPISODE?

There are discussions and debates going on all over the world about exactly what is the right way to counter the growth in attacks on the legitimate pharmaceutical supply chain.  I have selected three approaches that have been discussed in Europe and the United States in recent years.  Each of the approaches to supply chain security outlined below requires the application of a globally unique identifier to each drug package by the original manufacturer which is generally considered the first step by most people (see my essay “Anatomy of an FDA SNI“).

Authentication at the Point of Dispense (POD)
The European Federation of Pharmaceutical Industries and Associations (EFPIA) has heavily promoted the concept of Authentication at the Point of Dispense (POD) for years now.  This approach is not really an attempt at securing the supply chain itself but instead focuses all protection of patients on medical professionals such as pharmacists, doctors and nurses.  These healthcare professionals would need to use a barcode reader and associated internet-connected databases to verify the serialized barcode on each package of drugs at the point of dispensing it to a patient.  Thus, if a counterfeit drug made it through the supply chain, it would not be allowed to harm patients because these healthcare professionals would detect it at the last possible moment.

Applied to this specific case the 19 medical practices who are listed in the FDA notice as allegedly having improperly purchased counterfeit and illegally labeled products would have been responsible for scanning the serialized barcode on the counterfeit product just prior to dispensing it to their patients.  How likely is that to have happened in this scenario?  Hard to say, but considering that these 19 practices had a duty to know that they were allegedly buying from an unauthorized source, and that the packages they received were improperly labeled, but yet they apparently failed to notify any regulatory agency when they received them, I wonder if they would have bothered to perform the authentication step.  If they had (and assuming that this product had the necessary serialized barcode on them that would be necessary under a POD system, which they don’t today) then we would hope that the patients would not have been injected with the counterfeit drugs.

POD authentication does not offer any mandatory protections of the supply chain itself.  That is, criminals are free to spew counterfeit and stolen product throughout the supply chain, wherever they can find a place that will allow them to introduce illegitimate product into the legitimate supply chain.  So nothing would have prevented or slowed any of the four or five distributions, or the potentially many other unknown distributions of this counterfeit Avastin.  And by the time the drug is found to be counterfeit the criminal can be long-gone, working somewhere else on their next counterfeit drug.  By then their trail has gone cold.

To me, POD authentication is a lovely invitation to criminals to setup shop and go for it.  Full steam ahead!  Make a killing monetarily but you don’t have to worry about killing patients because POD authentication will ensure that the fake chemicals will eventually be blocked from actually being consumed at the other end of the supply chain.  The game is setup to protect the patient…and coincidentally, the criminal.

Patient Authentication
Like POD Authentication, Patient Authentication doesn’t attempt to protect the supply chain itself but relies on the patient to authenticate each drug prior to injection or ingestion.  It provides an additional benefit over POD Authentication by eliminating the need to trust the healthcare professionals to properly source their medicines and to authenticate them on your behalf.  The patient is allowed to take drug authentication matters into their own hands.

In the current Avastin situation the 19 medical practices would have provided each of their Avastin patients with the packaging prior to injecting them with it so that those patients could use their cell phones to scan the serialized barcode (or type in a unique code via SMS text messaging) and receive a good/bad message directly from Genentech, the manufacturer.

This approach assumes that the patient has a cell phone with a camera and data service (or SMS feature), knows how to use the authentication service (think of your grandparents doing this…most drugs are consumed in the U.S. by those over 60), and the healthcare professional is willing and able to wait around while the patient interacts with the authentication service in a clinical or emergency room situation.  If I were a counterfeiter I would simply counterfeit drugs that are typically administered when patients are unconscious or in fast-paced emergency situations.  Who’s going to take the time to authenticate in those situations?

Patient Authentication fails for all of the same reasons, and more, that causes POD Authentication to fail.  The biggest failure of both is that they fail to do anything to protect the supply chain and therefore encourage counterfeiters and cargo thieves to do their worst.  (See my essays “Illegitimate Drugs In The U.S. Supply Chain: Needle In A Haystack” and “How to Stop Pharmaceutical Cargo Theft“.)

ePedigree
ePedigree is a supply chain protection technology that is invoked at each sales transaction of a drug within the supply chain.  It requires each seller of a drug to provide the buyer with access to a standardized and authenticated (signed) history of all prior transactions starting with the original manufacturer of the drug component (irrespective of any repackaging that may have occurred along the way).  Each buyer in the supply chain is expected to analyze the ePedigree to confirm that the prior history is valid (through validation of each digital signature) and consistent.  All validations are automated and, depending on the model, may be performed centrally or distributed.  If any ePedigree is found to be invalid the buyer can refuse to take possession of the drugs and may return them to the seller, and, depending on the problem, may notify the regulatory agency (see my essay “Viability of Global Track & Trace Models”).

The California Pedigree Law is an example of an ePedigree system (see “The California Pedigree Law”, and “California Pedigree Law: Historic Change to Commerce”).

In this way illegitimate drugs of almost any kind can be blocked from moving into and through the legitimate supply chain.  Applied to this Avastin case, the very first distribution would have been blocked because the counterfeiter would not be able to provide an ePedigree that matched the product and which contained a digital signature from Genentech.  Even if the first distribution would have gone through because the buyer failed to check the ePedigree, the second buyer would have the opportunity to validate it, and so on through the four or five distributors that allegedly owned the Avastin before it reached the 19 medical centers.  Every supply chain sale is an opportunity to detect and stop the counterfeit.

Even if we assume that only the United States required an ePedigree back to the manufacturer, the U.S. Distributor in this case would not have been able to sell the counterfeit product to the 19 medical centers, or anyone else in the U.S., because they would not have received a valid ePedigree from the U.K. Distributor.  In this way, ePedigree keeps the entire supply chain clear of illegitimate drugs and blocks criminals at every point of introduction and sale.

The one thing that ePedigree cannot protect you from is a criminal healthcare professional who might choose to buy illegitimate drugs directly from the trunk of a criminal’s car or truck.  Since those drugs have not passed through the legitimate supply chain they cannot be detected.  In my view this can be addressed by stronger penalties for these kind of crimes so that healthcare professionals decide it’s not worth the risk to their careers.  That’s already in the works in Congress right now (see my essay “STEP #1: Raise Penalties For Drug Crimes To Reflect The Widespread Harm They Can Inflict”).

As a system-wide supply chain solution ePedigree costs more than POD or Patient Authentication.  In particular, distributors need to spend a lot more to deploy and operate an ePedigree solution.  POD and Patient Authentication systems only involve the patient, pharmacy or hospital/clinic and the manufacturers.  Distributors may choose to participate voluntarily if they want to invest the resources.  As in many things, you get what you pay for.

Why didn’t I include “Track & Trace” as a separate approach to securing the supply chain?  Because the “Trace” part of “Track and Trace” performs the same role as ePedigree and the “Track” part doesn’t add anything extra to supply chain integrity.  See my essay “Terminology: Track and Trace, and Pedigree“.

Which approach to blocking counterfeits like this Avastin case do you think is appropriate for our future?  How much should we expect to spend to “solve” this problem?  Who should pay for it?  Should there be a single, global approach selected or different national approaches that are targeted to the specific problems that exist today in each locale?  Leave a comment below.

Dirk.

Linear barcodes have served us well for almost half a century, but NOW is the time to move on to something else in the global pharmaceutical supply chain.  I think most people already agree with that but I’m not sure everyone fully appreciates exactly why that is.  It’s important to fully understand the reason why so that your resolution to move away from linear barcodes is strong and you won’t drag your feet or look back.  So let me show you.

                      SERIALIZATION
THE DAWN OF ^ CIVILIZATION

No matter what you might think is going to happen to ePedigree or track & trace regulations going forward, more and more governments around the world are concluding that legitimate pharmaceuticals should come with unique identifiers—serial numbers—attached to them by the manufacturers and repackagers.

Serialization is upon us and I believe that in 10 years the ongoing benefits from it around the globe will significantly exceed the ongoing costs.  Whether you agree to the benefits or not you certainly must accede to the fact that serialization in pharma supply chains is being mandated by more and more governments around the world, and that trend is not likely to reverse but will likely increase.  Serialization mandates are currently in place for 2015-2016 in the state of California and they are under consideration by the two largest pharmaceutical markets in the world:  The E.U. and the U.S.

Serialization is upon us and there is no turning back.  While this is the foundation for why the industry must move away from linear barcodes, it is not the complete reason.

ADDING SERIAL NUMBERS TO PHARMACEUTICALS

Serialization mandates in countries around the world vary quite a bit but the more recent the regulation, the more likely they are to specify the use of GS1 standards, either as part of the mandate or as an example of one way to comply.  GS1 linear barcodes are the most common type of product identifier barcode in use today in the larger markets so when you need to add a serial number to a drug, the addition of a GS1 serial number makes a lot of sense.

In a recent essay, “Depicting An NDC Within A GTIN”, I showed how to depict a U.S. Food and Drug Administration (FDA) National Drug Code (NDC) with an GS1 Global Trade Item Number (GTIN) for both over-the-counter (OTC) drugs and prescription drugs.  Then, in my essay “Anatomy of an FDA SNI” I explained how to use GS1 standards to produce an FDA-compliant serialized NDC, or sNDC.  An sNDC is what is necessary if you want to (voluntarily today) add a serial number to any drug that has an NDC assigned to it for the U.S. market according to the FDA’s Standardized Numeric Identifier (SNI) document from 2010 (see also my essay “FDA Aligns with GS1 SGTIN For SNDC“).  At the end of my “Anatomy of an FDA SNI” essay I used the FDA’s own example (from their SNI Guidance document) to create the GS1 string of elements that would be encoded into a barcode and placed onto the drug package:

01003555556667762111111111111111111111

What I didn’t say in that essay is that you can’t encode this or any other sNDC in the GS1 Universal Product Code-A (UPC-A) barcode symbology that is used today for depicting NDC’s in linear barcodes on many of the pharmaceuticals in the U.S. supply chain.  The UPC-A symbology itself does not support the addition of the serial number.  For that you have to switch to another GS1 linear symbology known as GS1-128 (formerly known as UCC-128 and EAN-128).

Without the serial number, the linear UPC-A barcode for the NDC in the FDA’s example would look like this (all barcode images in this essay are courtesy of Terry Burton’s website):

That’s what the NDC barcode would look like today depicted as a GS1 GTIN-12 without the serial number.  Here is what the full NDC and the serial number from the FDA’s example sNDC would look like depicted as a GTIN-14 plus serial number and rendered in the GS1-128 symbology:

Look at these two examples and you will see why serialization triggers the need to abandon linear barcodes.  The linear barcodes that result after adding a serial number to NDCs are too long to fit onto most drug labels in a way that allows them to be scanned properly.  Yes, this example uses U.S.-specific data and requirements but the same principles will apply to almost all countries and similar results will occur.  Yes, the serial number in the FDA’s example is an extremely long one that probably exceeds the needs of 99% of companies, but the technology must accommodate the extremes or it is not usable.

And that’s not even the most extreme serial number I can think of.  Serial number “YESTHISISAVALIDSRNUM” (yes, this is a valid serial number) is the most extreme serial number I can think of, and this is what it would look like as an sNDC in the GS1-128 symbology:

In fact, I had to reduce the image considerably to get it to fit into this webpage. Click on the image to see it full scale.

That’s even less workable.

SO WE NEED TO MOVE TO 2D BARCODES, RIGHT?

2-Dimensional barcode symbologies, like GS1’s DataMatrix, will solve this problem, yes.  For example, here is what the previous two examples would look like encoded in GS1 DataMatrix:

(01)00355555666776
(21)11111111111111111111

(01)00355555666776
(21)YESTHISISAVALIDSERNM

Both of these symbols take up less space than the original UPC-A barcode that only contains the NDC.  Even if we now add a lot/batch (AI=”10) and an expiration date (AI=”17) as I recommended in my essay “SNI’s Are Not Enough In a Plateau-Based Supply Chain Security Approach”, and we do so using the maximum lengths possible, these two become:

 (01)00355555666776
(21)11111111111111111111
(17)160701
(10)22222222222222222222

(01)00355555666776
(21)YESTHISISAVALIDSRNUM
(17)160701
(10)YESTHISISAVALIDLOTNM

Whoa!  What happened with the “extreme” example to make it blow up so big?  There are two things that just happened.  First, the DataMatix symbology is highly compressed and it automatically adjusts to accommodate the type and size of the data being encoded.  Notice that the length of the lot number and the serial number in the two images above are the same, but the type of the data in the lot and serial numbers are not the same.  When only digits are used the symbology can compress the image into a smaller space than it can when alphanumerics are used.  In both examples I am using the maximum number of characters allowed, but in the extreme example I am using all alphas in both the serial number and in the lot number.  That is the worst-case scenario and, as you can see, it takes up more space.

Second, the GS1 DataMatrix symbology will split into multiple segments (four in this case) once you cross a technical boundary related to the number of bits being encoded.  Alphanumeric characters require more bits to encode them than numeric characters and in this example we crossed that boundary so the image generator split it into four segments.  This helps readers decode larger symbols without significantly lowering reliability.

Considering the fact that it required me to come up with a pretty unrealistic extreme example of both serial number and lot number before the symbols made the leap to four segments I think it is unlikely that most drugs will require more than one segment.  That’s because most drugs require many fewer than 20 characters for their lot/batch and serial numbers and most companies will probably stick with numeric-only characters in their serial numbers.

WHAT ABOUT RFID?

The pharma industry could move to Radio Frequency Identification (RFID) instead of 2D barcodes where regulations allow, but I believe that is unlikely except where the overseeing regulatory body actually requires it for all drugs in that jurisdiction.  The explanation I documented for that in my essay “RFID is DEAD…at Unit-Level in Pharma” still applies.  On the other hand, RFID would also solve the space problem that we have seen results with linear barcodes and the addition of serialization.  In fact, most RFID tags would likely be placed under the product label so they would not take up any label real estate at all, but I don’t think manufacturers will view that savings as enough to offset the cost of the tags themselves.

THE TIME IS NOW

If you are a global pharma manufacturer or repackager and you haven’t yet figured out a plan for moving away from linear barcodes on your product labels, now is the time to start.  Whether you choose 2D barcodes or RFID, the existence of serialization mandates around the world is the reason you need to take action and the time is now.

If you are a distributor, pharmacy or dispenser of pharmaceuticals in parts of the world where serialization has arrived or is coming, you need to develop a plan for reading the product codes and serial numbers using technologies that drug manufacturers and repackagers will move to.  Now is the time to find out how many different technologies you will have to deal with.  Now is the time to influence those manufacturers who are considering technologies that you don’t want and steer them toward those you do want.

Now is the time.

NOW IS THE TIME…EXCEPT FOR ONE THING!

Except, the FDA currently requires that drugs sold into the U.S. market be identified with their NDC specifically in a linear barcode.  That means that in the U.S. today, you cannot move away from linear barcodes on your drug product, even when you need to add serial numbers to them for compliance with the California pedigree law in 2015-2017.  As I show above, it doesn’t make sense to add serial numbers in linear barcodes so you are left with the probable decision to put the NDC and serial numbers in a 2D barcode or RFID tag in addition to the existing linear barcode that contains the NDC by itself.  That’s pretty space inefficient.

The FDA is aware of this unfortunate situation as indicated by their recent request for comment on eliminating the requirement for the use of linear barcodes containing the NDC on drugs.  Click here to read the responses they have collected so far.  You have until February 23, 2012 to submit your own comments to the FDA through www.regulations.gov, docket number FDA-2011-N-0719.

Pay close attention to what the FDA does with this issue.  More than likely it will impact everyone in the U.S. pharmaceutical supply chain.

Dirk.

Thank you to George Wright IV of PIPS for catching an embarrassing error in my construction of the GTIN-14′s encoded into the sample barcodes.  I have now corrected and updated them.