Last week I published an essay that gave GS1 some advice on how to trigger interest in adoption of their Global Data Synchronization Network (GDSN).  Those of you who read that essay in the first two days read my snarky comments about GS1 seemingly attempting to commandeer the term “Data Quality” to include the need for GDSN.  That was based on a mis-interpretation of their marketing materials for their “Data Quality Framework” and as soon as I discovered my mistake I removed that part of the essay, leaving the core point of the essay intact (see “An Open Letter to GS1, RE: GDSN Marketing”).

In fact, GS1 is saying exactly the opposite of what I originally thought regarding Data Quality and GDSN.  That is, before you start publishing your supply chain master data (SCMD) through GDSN you should ensure that the quality of your data is high.  As GS1 points out, “Good quality data is foundational to collaborative commerce and global data synchronisation.”  I couldn’t agree more.

The GS1 Data Quality program is centered on the “Data Quality Framework”, which is maintained by GS1 but, according to them, was originally developed by AIM, CIES, ECR Europe, FMI, GCI and GMA.  These organizations are predominantly focused on the food supply chain which is ahead of the healthcare supply chains in their use of automatic identification and data capture (AIDC) and in the use of GS1 GDSN.

The Data Quality Framework appears to be a giant “lessons learned” resource provided by the members of the food supply chain to other companies and other supply chains who might want to follow in their footsteps.  As such, it could be very valuable to companies in the healthcare supply chains to help streamline their move to more efficient AIDC and data exchange.  From my experience, healthcare has a long way to go.

You can download the GS1 Data Quality Framework from this GS1 webpage.  It consists of a ZIP file that contains a self-assessment scorecard, a Data Quality Presentation (2010), a Data Quality KPI Checklist and two PDF files.  One called “Implementation Guides for the Data Quality Framework”, and “Data Quality Framework”.

In my experience within the healthcare supply chains, companies resist the idea of data synchronization, but I haven’t heard anyone who thinks the quality of their master data couldn’t be improved.  In fact, it’s a perennial problem.  Of course, you will find that the Data Quality Framework that GS1 is offering expects you to make use of GS1 identifiers like GTIN and GLN.  No surprise, but somewhere the case has to be clearly made in support of all members of a given supply chain benefiting from the use of the same identifier for a given thing.  Is this it?  Maybe.  Maybe not.  Why not give it a chance?  No one knows better than you that your master data isn’t perfect.

Dirk.

Most Warehouse Management Systems (WMS) available on the market today do a fine job of allowing their users to manage inventories in the warehouses of drug manufacturers, distributors and chain drug stores.  A WMS is a software system that may be a part of a larger Enterprise Resource Planning (ERP) system, or it may be a third-party application that is interfaced with the owner’s ERP system.

All WMS systems that I am aware of are intended to be sold into multiple industries, not just in pharma.  That’s so that the WMS vendor can maximize their sales.  The more industries, the more sales and the more profitable it is.  Because some industries have long had serial numbers on some of their products (computers and peripheral equipment, cell phones, electronics, medical equipment, appliances, etc.) WMS vendors have included serial number handling in their software for decades.  In fact, I would bet that a serial number handling feature was included in WMS systems since the very beginning of that category of software.

However, buyers of WMS systems in the pharma supply chain should be very careful not to confuse a “serial number handling” or even “serialization” checkbox on the WMS vendor’s spec sheets with the kind of “serialization” they will need for compliance with modern pharma serialization regulations.  I include the California Pedigree Law, the potential future serialization requirements that may (or may not) be coming from the FDA, and those in the E.U.

THE DIFFERENCE BETWEEN WMS SERIAL NUMBER HANDLING AND PHARMA SERIALIZATION FOR REGULATORY COMPLIANCE

The reason is simple.  Despite the similar (or same) name, serialization in the pharma supply chain leads to significantly different functionality than dealing with serial numbers on products in other supply chains.  For example, think about what would be needed for a personal computer manufacturer.  They would need to keep track of which serial number is applied to which models.  They may want to keep track of who they shipped which serial number to, and they may want to connect their warranty registration, returns, warranty claims and service processes to their serial number database so they can make sure they know exactly which sub-model revision (hardware, firmware and software) they are dealing with and to confirm that the customer is valid (for after-sales service).  All of these serial number tasks can be easily accomplished within the WMS, within an add-on module, or within some module of the ERP system because they normally do not need to communicate with the systems of other companies.  These same kind of capabilities would be needed for all of the types of products I listed above.

But these capabilities are distinctly different from those that members of the pharma supply chain are going to need going forward and so these traditional serial number features of WMS systems are insufficient.  The pharma supply chain needs to use the serial numbers on drug packages to authenticate the supply chain history, either at each stop (California), at the point of dispense (E.U.), or somewhere in between (potential future U.S. FDA regulation).  This requires a different approach.

First, all companies within a given supply chain must follow certain standards to ensure interoperability of the serial numbers themselves and the how they will be handled across all members.  That is, a WMS vendor can’t simply make up their own serial number handling features because they will not interoperate with those from other vendors.  Second, some kind of standardized data exchange related to the serial numbers must occur between trading partners, and third, the management of the data must also be standardized so that the same functionality is made available to all parties in the supply chain.

STANDARDS ENABLE INTEROPERABILITY ACROSS THE SUPPLY CHAIN

In the U.S. and in many other countries around the world, GS1’s Global Trade Item Number (GTIN) plus serial number (or SGTIN) is the standardized serial number that has been chosen (see my essays “FDA Aligns with GS1 SGTIN For SNDC” and “California Enforcement Subcommittee Moves To Require FDA SNI” and also see the GS1 General Specifications).

In California the GS1 Drug Pedigree Messaging Standard (DPMS) is known to be usable for compliance and would fulfill the necessary standard format for data exchange and data management.  However, the industry has more recently been interested in the use of GS1’s Electronic Product Code Information Services (EPCIS) standard as the basis for the standardized data exchange and data management.  Personally I don’t think anyone has shown satisfactorily that it will comply with the current California law but it appears that companies who are members of GS1 U.S. Healthcare Traceability group are hoping that it will.  (See my essays “Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 1” and “…Part 2”.)  If the California Board of Pharmacy is willing to accept it, then it can be used for compliance, but until we know that, I think it’s risky to deploy systems that are only based on EPCIS.

We won’t know which standard will fulfill the needs of whatever federal pedigree regulation, if any, may be on the horizon until the regulation is published by the FDA down the road.  So far it is probably a good bet that EPCIS will play an important role and it is very unlikely that DPMS will play any role.  We’ll see…

Ignoring the debate over which GS1 standard would be used in the U.S., the point is, the existing serial number handling features of today’s WMSs will not be sufficient because they are intended for something else.  The key characteristic that both DPMS and EPCIS have that is missing from those existing WMS features is that they are able to document supply chain events that occur to GS1 serial numbers and therefore to the products associated with those serial numbers.  This includes Commissioning, Aggregation, Shipping and Receiving, among others.  When you include the fact that they are both standards that all solution developers can follow, which results in interoperability between their solutions, DPMS and EPCIS are the only ways to address the needs of these modern requirements in the pharma supply chain.

WMS AND SERIALIZED EVENT REPOSITORIES

I once thought that WMS and Pharmacy Management System (PMS) vendors would see the difference and perhaps would add at least the standard EPCIS interfaces to their products (see my essay “The Future of Traceability Repositories and Inventory Management Systems”), but as far as I know that hasn’t happened.  Perhaps they have concluded that a WMS isn’t really the place to store supply chain events.

The whole point of a WMS is for managing inventory and warehouse processes.  Serialized supply chain events are related to things that pass through the inventories, but the life of those events could extend well beyond the life of the typical data element a WMS needs to deal with today.  The data communications and management needs of serialized supply chain events is also beyond the traditional scope of a WMS.  It now seems to make more sense to have a separate repository just for those events and maintain minimal connection between that repository and the WMS.  Perhaps the only connection would be related to the time that the serialized products are present in the inventory that the WMS is managing.

Figure 1.

That might require some interface(s) between the two systems since the serialized event repository is an inventory system of a sort.  For each product code the WMS will likely maintain an inventory count and the event repository will likely maintain a list of serial numbers in the same inventory.

If you are shopping for a new WMS and you know you will need to comply with a pharma serialization regulation, make sure you fully understand the limits of the serial number handling capability of the products from each vendor you are considering.  Don’t assume that you will be covered just because the spec sheet has a check box for “serialization”.

Dirk.

Any company wishing to make use of GS1 standards—including their barcodes, identifiers and data exchange standards—must first obtain a GS1 Company Prefix, or “GCP”.  Normally you would obtain a GCP by applying to the GS1 Member Organization (M.O.) in the country where your company headquarters resides, but if you are a pharmaceutical company that makes drugs for the U.S. market, regardless of where you are located, you will need to obtain a special GCP from GS1 US, the GS1 M.O. in the United States.

That’s because currently, drugs sold into the U.S. market must contain a linear barcode that encodes your U.S. Food and Drug Administration (FDA) National Drug Code (NDC).  To properly encode that NDC into a GS1 barcode symbol, you must register with GS1 US the GS1 GCP that matches the FDA-assigned Labeler Code that is a part of every NDC.  Only GS1 US can assign/register a GCP that matches your FDA-assigned Labeler Code.  I explain all of this in more detail in my essay “Anatomy Of The National Drug Code”.

Companies may end up with more than one GCP over time for several reasons.  For example, if a drug company is based in Switzerland, merged with another pharmaceutical company in France a few years ago and sells pharmaceuticals globally, they may end up with the following GCPs:

• One issued by the Swiss GS1 M.O. obtained originally by the parent company
• One issued by the France GS1 M.O. obtained through the merger
• One issued by the U.S. GS1 M.O. registered by the parent company for use in identifying drugs sold into the U.S. market
• One issued by the U.S. GS1 M.O. obtained through the merger for use in identifying drugs made by the subsidiary in France and sold into the U.S. market

All of these GCPs have value for the parent company and to maximize that value, the parent company should view these GCPs as enterprise resources and manage them that way.  Number allocation based on these GCPs should be managed centrally using a strategy that is designed to maximize the benefit to the whole organization rather than to silos within the company.

WHAT IS A GCP USED FOR?

A GS1 Company Prefix is at the core of “The GS1 System”, a set of standards used globally for identification of products, services, assets, relationships and even documents.  These entities are identified in the GS1 System at the class level or at the serialized unit level through numeric “keys”.  All GS1 keys use the GCP as their foundation so that each key is uniquely specific to the owner of the GCP on a global basis.  Once a company is given the right to use a GCP they are free to define any key using that GCP without fear that they will clash with anyone else’s key, and without additional cost.  The remainder of each key is used to hold additional information to identify the target entity.  Refer to the GS1 General Specifications for full details (check with your GS1 M.O. or just search for a downloadable copy on the internet).

The GCP can vary between six and ten digits in length in the U.S. and may have a different variation depending on the M.O. making the assignment.  The following diagram is just a generalized depiction of that.

Here is a list of GS1 keys that are based on the GCP:

• GTIN (Global Trade Item Number) in 8, 12, 13 and 14 digit flavors, and the serial numbers associated with them when forming an SGTIN;
• GLN (Global Location Number) 13 digits;
• SSCC (Serial Shipping Container Code) 18 digits;
• GRAI (Global Returnable Asset Identifier) 14 digits, first digit is always a zero plus optional serial number up to 16 additional characters;
• GIAI (Global Individual Asset Identifier) up to 30 characters;
• GSRN (Global Service Relation Number) 18 digits;
• GDTI (Global Document Type Identifier) 13 digits plus optional serial number up to 17 additional digits;
• GINC (Global Identification Number for Consignment) up to 30 characters;
• GSIN (Global Shipment Identification Number) 17 digits.

Each type of GS1 key includes a numeric value that is combined with the GCP to form a specific instance of the key.  It is the assignment of these numeric values that must be managed in some way.  The total length of the key minus the length of the GCP determines how many digits are available to the owner to assign specific instances of the key.  These digits represent the “key space” for a given key.  The shorter the GCP, the larger the key spaces of each key type will be.

(NOTE:  As George Wright rightly points out in his comment below my off-hand formula for calculating the available digits in the key space leaves out the check digit in some keys as well as certain other individual digits in other keys.  Please refer to the GS1 General Specifications for the full calculation for each individual key type.)

CENTRAL MANAGEMENT OF GCPs AND GS1 KEYS

Companies of any size will benefit by managing all of their GCPs and GS1 keys in a single location and perhaps through a single database and application.  It enables the enforcement of a single corporate strategy for number assignment within each key space and ensures that duplicate values will not be generated and number ranges will not be wasted.

It is not necessary for the central GCP management authority to assign every single value for all of the keys to maintain control.  This is particularly true for high frequency assignment keys.  For example, the responsibility for assigning specific SSCC values may be delegated to remote systems.  Even then, the remote systems should be designed to acquire number ranges from the central system so that the enterprise strategy is maintained.  Once a number range is acquired by the remote system it can perform its own assignment of the SSCCs within the allocated range as necessary.  When it gets close to exhausting the current range of values it can request the next range from the central authority.  For small companies this could be done manually, but for mid to large companies, this should be automated.

Keys that are assigned at low frequencies, like GLN—which would only need a new assignment when a new location is established—or GTIN—which would only need a new assignment when a new product or new variation is introduced—could be done manually even in larger companies.  Whether manual or automated, central management of lower frequency keys is even more important than the high frequency keys in my view, to ensure that used numbers are properly kept track of.

Central management of all GCPs owned by a company allows the central authority to minimize the need to acquire new GCPs by maximizing those that are already under their control.  A central authority can ensure that the key spaces of each key are fully utilized before either reusing previous values (do so very carefully) or acquiring a new GCP.  In most cases these decisions should not be left up to remote business units or you might find that the enterprise possesses many more GCPs than are actually necessary.

Central management of serial numbers associated with GTINs–to form GTIN plus serial number, or SGTINs–should also be controlled centrally whether done individually or through number ranges.  This allows the enterprise to make use of a single serial number assignment strategy, including some form of randomization, if desired, like the kind offered by RxTrace advertiser Kezzler.

The introduction of a new GCP through a central authority can be much cleaner and much more efficient than if done otherwise.  Remote systems should not make any assumptions about the GCPs within the GS1 keys they are provided, whether individually or within ranges.  That way the central GCP authority can introduce the use of new GCPs at any time necessary.

Very large enterprises that make heavy use of GS1 keys might have a group that is dedicated to managing their GCPs and GS1 keys, but most companies will be able to make it fit within a group that is responsible for other data-related activities.  Good candidates for the GCP management responsibility within an enterprise are the Master Data Management (MDM) group or some other existing data management group.

Regardless what group the responsibility ultimately falls, central management of your GCPs and associated GS1 keys is a good idea.  If your company does not currently have central management, I suggest you start asking questions to find out:

• How many GCPs does your company control?
• Who manages the key spaces of each one?
• Does anyone know exactly which key values have been consumed within each key space of each GCP?
• Who has the authority to acquire a new GCP and for what reasons?

You might be surprised at what you find.

Dirk.

The title is a paraphrase of a TV commercial from the 1960′s, ’70′s and ’80′s for Lay’s Potato Chips but the sentiment is the same.  You really can’t get away with using only a single GS1 standard.  That’s why they are sometimes referred to as “The GS1 System of Standards“.  It’s a “system” of standards.  Multiple standards that are designed to work for you together in concert; as a whole; not independently.

So when your customer demands that you make use of Global Location Numbers (GLN) and/or Global Trade Item Number (GTIN), they are starting you down the path of adoption of much more than just those two “entry-level” standards (see my essay “So a customer demands that you use GLN’s and GTIN’s. What next?”).  Here is a partial list of other GS1 standards that you may benefit from adopting once you fully embrace GLN and GTIN:

• GS1 UPC barcode symbology
• GS1 element strings encoded in a barcode symbology such as:
• GS1-128
• GS1 DataMatrix
• GS1 DataBar
• GS1 EANCOM EDI standard
• GS1 EPC RFID in frequencies such as
• UHF
• HF
• GS1 Electronic Product Code Information Services (EPCIS)
• GS1 Drug Pedigree Messaging Standard (DPMS)
• GS1 Global Data Synchronization Network (GDSN)

GS1 Healthcare is a community organization of end users within GS1 who are members of the global healthcare industry.  That organization created the following figure to show how GLN and GTIN are foundational to patient safety and supply chain efficiency, the ultimate end goals of its members.  At the top of that foundation is GDSN and above it are the five pillars of patient safety, which support the ceiling of supply chain efficiency and the overall roof of patient safety.  (See “Change has finally come:  U.S. Healthcare industry to implement common data standards to improve safety, reduce costs” by Joe Pleasant, CIO and SVP, Premier, Inc.)

GS1 Healthcare Patient Safety "House of Standards"

Many U.S.-based hospital Group Purchasing Organizations announced a number of years ago that they would require the use of GLN and GTIN by December 2010 and 2012 respectively.  Apparently at least one of those GPO’s also requires the use of GDSN but without specifying a date.

GS1 GLOBAL DATA SYNCHRONIZATION NETWORK (GDSN)

GS1’s GDSN is a standard that can be used by supply chains to communicate product class-level supply chain master data (SCMD) to all of the companies who participate in it.  Here is how I described it in my essay, “Supply Chain Data Synchronization and Patient Safety”:

“Generally, [GDSN’s] use requires all trading partners in a given supply chain to subscribe to a GDSN-conformant Data Pool service provider.  Unilateral adoption of GDSN by a single company doesn’t make any sense.  It’s a high bar for a large and complex supply chain to achieve through voluntary means.  Right now the pharma supply chain in the U.S. has not achieved it and so the quality of SCMD in the supply chain is currently dependent on ad hoc relationships and data passing.  Some of this includes manual data entry into the local master data systems at many points in the supply chain.”

Here is one way GS1 draws GDSN.  This view emphasizes the plumbing and shows the “how” of GDSN.  (See “Global Data Synchronization Network® (GDSN) Operating Roadmap for GS1, Version 7.3” November 2011.)

Click image to enlarge

Here is my rendition of GDSN use in healthcare.  I show it as a cloud-based repository where the manufacturer publishes their product master data and where downstream trading partners can subscribe to it.  That way everyone in the supply chain—right down to the healthcare professionals at the points of care—are using the exact master data as published by the manufacturer.  Admittedly this rendition doesn’t show how GDSN is implemented, but I happen to think that’s less important that showing what it is.  See GS1 for the details.

Click image to enlarge

Up to this point in time there still hasn’t been any significant use of GDSN in the U.S. medical supplies and devices supply chain and it is tough to get an entire industry to adopt something so large without some kind of incentive.  The GPO’s are trying to provide that incentive by mandating its use, so at some time after the GTIN is widely adopted on medical supplies and devices, SCMD may be synchronized between manufacturers and hospitals, and perhaps distributors as well.

USE OF GDSN IN THE U.S. PHARMACEUTICAL SUPPLY CHAIN

GDSN is also not currently used in the U.S. pharmaceutical supply chain, but in my view, it will be a necessity if/when GS1’s EPCIS standard is ever used for track and trace applications like ePedigree.  In my view, EPCIS alone can’t be used for compliance with the existing pedigree regulations in the U.S. (see my essays, “Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 1” and “…Part 2”).

But EPCIS just might become the basis for the track & trace standard that the FDA will publish by the end of this year (see me essay “InBrief: FDA To Publish Track & Trace Standard By Year End”).  Many people believe that standard will be based on EPCIS, similar to the way FDA aligned their sNDC standard with GS1’s GTIN (see my essay “FDA Aligns with GS1 SGTIN For SNDC”).  Include me in that group.

But, by design, EPCIS events do not carry SCMD (see my essay, “Pedigree Models and Supply Chain Master Data”), so if EPCIS events form the basis of an ePedigree, it will be a absolute necessity that all parties who are consuming and updating those pedigrees use the identical product class-level master data.  That would be necessary because everyone would need to agree on exactly what constitutes the drug that is referenced by the GTINs in the EPCIS events.  Without that common agreement on exactly what the GTINs mean, how can there be a true pedigree?

Here is a drawing that shows how GDSN could be used in conjunction with a semi-centralized ePedigree system that is built on top of EPCIS events.

Click image to enlarge

Notice how each trading partner in the supply chain communicates with both the GDSN cloud and the Semi-Centralized ePedigree cloud.  In actual implementation these clouds might not be so distinct because the same vendors might offer both, but I show them separate here because they are serving distinctly different purposes.

The GDSN cloud is serving as the common source of product SCMD as published by the manufacturer—keyed off of the GTIN—and the Semi-Centralized ePedigree cloud, based on EPCIS, is serving as the common repository for all supply chain events that occur to the actual unit-level instances of those products—keyed off of the serialized GTIN, or SGTIN.  The clouds also communicate with each other because, to produce a usable ePedigree report the ePedigree engine would need to obtain the SCMD from the GDSN cloud.

As I said, I think something like this will be a necessity if EPCIS is used as the basis of an ePedigree system.  So far when people in the industry talk about using EPICS for ePedigree they almost always forget the SCMD.  The ePedigree solution I show in the figure above is a very efficient model since the SCMD does not travel along the same path as the instance data (the EPCIS events).  This is in stark contrast to DPMS which needs to carry that data along with each ePedigree document—a big negative for that standard that many have pointed out over the years.

All pedigree models have trade-offs.  One of the trade-offs of ePedigree models based on EPCIS is that GDSN will probably have to be adopted throughout the U.S. pharma supply chain over a fairly short period of time, but no doubt patients would benefit greatly from that.

BETCHA CAN’T USE JUST ONE

There you have it.  Not only would pharma trading partners need to adopt GLN and GTIN, in this scenario they would also need to adopt EPCIS and GDSN shortly afterward.  In the pharma supply chain you can’t use just one!

Can you see any alternatives to this scenario besides adding DPMS in some way?  Leave a comment below.

Dirk.

Counterfeit Avastin

The internet lit up last week when the U.S. Food and Drug Administration (FDA) posted an announcement that they are aware of counterfeit Avastin in the U.S. pharmaceutical supply chain (see “Counterfeit Version of Avastin in U.S. Distribution” on the FDA website and Genentech’s announcement).

I found out about it when I received notice of Dr. Adam Fein’s (PhD) excellent blog posting “Greedy Physicians Invite Fake Avastin Into the Supply Chain” on his DrugChannels.net blog, but multiple national news agencies picked the story up and many articles were written about it.  Most simply reflected the contents in the FDA’s announcement.

But at least one news source seemed to do some additional investigating.  Bill Berkrot and John Acher of Reuters published the excellent article “Fake Avastin’s path to U.S. traced to Egypt” on Thursday.  In the article they provide a little more background on the path the drugs allegedly took before apparently arriving on the shelves of U.S. physicians and potentially in the bodies of unsuspecting U.S. patients.

And Pharmaceutical Commerce Online reports that Avastin isn’t the only incident of recent counterfeit injectable cancer drugs making it into the U.S. market that the FDA is currently investigating.

HOW COUNTERFEIT AVASTIN MADE IT INTO THE LEGITIMATE U.S. SUPPLY CHAIN

Now keep in mind, this is only investigative journalism so far, and while the information source listed in the Reuters article is the Danish Medicines Agency, criminal investigators may already know more than this and in the end, some or all of the contents of the Reuters article may eventually be found to be untrue.  Whether ultimately true or not, here is a drawing that I have constructed to reflect the path that they sketch out.  Dashed lines indicate probable sales transactions

Click on the image to enlarge.

As far as we know so far all of these distributors were licensed by some local regulatory agency to buy and sell legitimate prescription drugs somewhere.  At least we don’t know otherwise.  According to Genentech’s website, the U.S. Distributor that allegedly sold the counterfeit Avastin to 19 medical practices was not authorized by Genentech to sell legitimate Avastin to anyone anywhere.  The question is, were they licensed to sell prescription drugs in the locations that the FDA says they did (mostly California but also Texas and Illinois).  Local boards of pharmacy will have to investigate that for any potential violations.

PACKAGING PROBLEMS

It appears that the U.S. distributor that allegedly imported the counterfeit Avastin from the U.K. distributor and who then allegedly sold it to the 19 medical practices may have done so illegally not only because the product was allegedly counterfeit, but also because the product was not labeled for distribution in the U.S.  Here are the pictures of the counterfeit Avastin packaging from the FDA website.

Counterfeit Avastin

Counterfeit Avastin

The linear barcode on the package contains a GS1 GTIN-13 that is rarely seen in the U.S. on drugs, though it is typical almost everywhere else (especially in Europe).  According to the GS1 GEPIR service, the GTIN-13 on the counterfeit packaging uses the GS1 Company Prefix (GCP) that is registered with GS1 Switzerland to F. Hoffmann-La Roche AG of Switzerland.  Roche is the parent company of Genentech.  Of course, anyone can generate a barcode that uses someone else’s GCP so that doesn’t really mean anything except that the counterfeiters went to the trouble to make it look legitimate by that number.

The full GTIN-13 appears to be meaningless.  A Google search of the full GTIN returns nothing.  However, the GCP reported by GEPIR is “764012801” which is not composed of an FDA Labeler Code as it must be to be legally distributed in the United States (see my essays “Anatomy of the National Drug Code”, “Anatomy of a GTIN”, and “Depicting an NDC within a GTIN”).  There is no U.S. FDA National Drug Code (NDC) on the package or the vial in either human or machine readable forms.  Any good packaging expert would be able to find multiple other reasons this packaging doesn’t comply with U.S FDA regulations.

IS THIS JUST THE TIP OF THE ICEBERG?

When you trace backward to find the source of any drug in a lengthy supply chain like this it is an easy trap to assume that you have documented where all of the drugs went.  But more than likely you have only found how just one subset of the drugs made it to this particular endpoint.  The role of a distribution company is to distribute product.  If the Danish Medicines Agency and the FDA are correct, then these drugs that have been discovered in the U.S. supply chain went through at least four distribution companies and maybe five (if you include one in Egypt).  What are the odds that each distributor sold their entire inventory of this Avastin to the next distributor?  Laughably slim in my opinion.

Here is how I depict what we don’t know.  Dashed lines indicate probable and potential sales transactions.

Click on image to enlarge

If only a few of these unknown but potential transactions actually took place the problem could be much bigger than we know right now.  Hopefully there are intensive investigations going on right now on both sides of the Atlantic.  Unfortunately there is no single criminal investigating agency with jurisdiction over all of the places through which these counterfeit drugs allegedly passed.  That makes investigations complicated and time consuming.  If you were a criminal, wouldn’t you just love that about this kind of international crime?

HOW WOULD VARIOUS SUPPLY CHAIN SECURITY APPROACHES HAVE DEALT WITH THIS EPISODE?

There are discussions and debates going on all over the world about exactly what is the right way to counter the growth in attacks on the legitimate pharmaceutical supply chain.  I have selected three approaches that have been discussed in Europe and the United States in recent years.  Each of the approaches to supply chain security outlined below requires the application of a globally unique identifier to each drug package by the original manufacturer which is generally considered the first step by most people (see my essay “Anatomy of an FDA SNI“).

Authentication at the Point of Dispense (POD)
The European Federation of Pharmaceutical Industries and Associations (EFPIA) has heavily promoted the concept of Authentication at the Point of Dispense (POD) for years now.  This approach is not really an attempt at securing the supply chain itself but instead focuses all protection of patients on medical professionals such as pharmacists, doctors and nurses.  These healthcare professionals would need to use a barcode reader and associated internet-connected databases to verify the serialized barcode on each package of drugs at the point of dispensing it to a patient.  Thus, if a counterfeit drug made it through the supply chain, it would not be allowed to harm patients because these healthcare professionals would detect it at the last possible moment.

Applied to this specific case the 19 medical practices who are listed in the FDA notice as allegedly having improperly purchased counterfeit and illegally labeled products would have been responsible for scanning the serialized barcode on the counterfeit product just prior to dispensing it to their patients.  How likely is that to have happened in this scenario?  Hard to say, but considering that these 19 practices had a duty to know that they were allegedly buying from an unauthorized source, and that the packages they received were improperly labeled, but yet they apparently failed to notify any regulatory agency when they received them, I wonder if they would have bothered to perform the authentication step.  If they had (and assuming that this product had the necessary serialized barcode on them that would be necessary under a POD system, which they don’t today) then we would hope that the patients would not have been injected with the counterfeit drugs.

POD authentication does not offer any mandatory protections of the supply chain itself.  That is, criminals are free to spew counterfeit and stolen product throughout the supply chain, wherever they can find a place that will allow them to introduce illegitimate product into the legitimate supply chain.  So nothing would have prevented or slowed any of the four or five distributions, or the potentially many other unknown distributions of this counterfeit Avastin.  And by the time the drug is found to be counterfeit the criminal can be long-gone, working somewhere else on their next counterfeit drug.  By then their trail has gone cold.

To me, POD authentication is a lovely invitation to criminals to setup shop and go for it.  Full steam ahead!  Make a killing monetarily but you don’t have to worry about killing patients because POD authentication will ensure that the fake chemicals will eventually be blocked from actually being consumed at the other end of the supply chain.  The game is setup to protect the patient…and coincidentally, the criminal.

Patient Authentication
Like POD Authentication, Patient Authentication doesn’t attempt to protect the supply chain itself but relies on the patient to authenticate each drug prior to injection or ingestion.  It provides an additional benefit over POD Authentication by eliminating the need to trust the healthcare professionals to properly source their medicines and to authenticate them on your behalf.  The patient is allowed to take drug authentication matters into their own hands.

In the current Avastin situation the 19 medical practices would have provided each of their Avastin patients with the packaging prior to injecting them with it so that those patients could use their cell phones to scan the serialized barcode (or type in a unique code via SMS text messaging) and receive a good/bad message directly from Genentech, the manufacturer.

This approach assumes that the patient has a cell phone with a camera and data service (or SMS feature), knows how to use the authentication service (think of your grandparents doing this…most drugs are consumed in the U.S. by those over 60), and the healthcare professional is willing and able to wait around while the patient interacts with the authentication service in a clinical or emergency room situation.  If I were a counterfeiter I would simply counterfeit drugs that are typically administered when patients are unconscious or in fast-paced emergency situations.  Who’s going to take the time to authenticate in those situations?

Patient Authentication fails for all of the same reasons, and more, that causes POD Authentication to fail.  The biggest failure of both is that they fail to do anything to protect the supply chain and therefore encourage counterfeiters and cargo thieves to do their worst.  (See my essays “Illegitimate Drugs In The U.S. Supply Chain: Needle In A Haystack” and “How to Stop Pharmaceutical Cargo Theft“.)

ePedigree
ePedigree is a supply chain protection technology that is invoked at each sales transaction of a drug within the supply chain.  It requires each seller of a drug to provide the buyer with access to a standardized and authenticated (signed) history of all prior transactions starting with the original manufacturer of the drug component (irrespective of any repackaging that may have occurred along the way).  Each buyer in the supply chain is expected to analyze the ePedigree to confirm that the prior history is valid (through validation of each digital signature) and consistent.  All validations are automated and, depending on the model, may be performed centrally or distributed.  If any ePedigree is found to be invalid the buyer can refuse to take possession of the drugs and may return them to the seller, and, depending on the problem, may notify the regulatory agency (see my essay “Viability of Global Track & Trace Models”).

The California Pedigree Law is an example of an ePedigree system (see “The California Pedigree Law”, and “California Pedigree Law: Historic Change to Commerce”).

In this way illegitimate drugs of almost any kind can be blocked from moving into and through the legitimate supply chain.  Applied to this Avastin case, the very first distribution would have been blocked because the counterfeiter would not be able to provide an ePedigree that matched the product and which contained a digital signature from Genentech.  Even if the first distribution would have gone through because the buyer failed to check the ePedigree, the second buyer would have the opportunity to validate it, and so on through the four or five distributors that allegedly owned the Avastin before it reached the 19 medical centers.  Every supply chain sale is an opportunity to detect and stop the counterfeit.

Even if we assume that only the United States required an ePedigree back to the manufacturer, the U.S. Distributor in this case would not have been able to sell the counterfeit product to the 19 medical centers, or anyone else in the U.S., because they would not have received a valid ePedigree from the U.K. Distributor.  In this way, ePedigree keeps the entire supply chain clear of illegitimate drugs and blocks criminals at every point of introduction and sale.

The one thing that ePedigree cannot protect you from is a criminal healthcare professional who might choose to buy illegitimate drugs directly from the trunk of a criminal’s car or truck.  Since those drugs have not passed through the legitimate supply chain they cannot be detected.  In my view this can be addressed by stronger penalties for these kind of crimes so that healthcare professionals decide it’s not worth the risk to their careers.  That’s already in the works in Congress right now (see my essay “STEP #1: Raise Penalties For Drug Crimes To Reflect The Widespread Harm They Can Inflict”).

As a system-wide supply chain solution ePedigree costs more than POD or Patient Authentication.  In particular, distributors need to spend a lot more to deploy and operate an ePedigree solution.  POD and Patient Authentication systems only involve the patient, pharmacy or hospital/clinic and the manufacturers.  Distributors may choose to participate voluntarily if they want to invest the resources.  As in many things, you get what you pay for.

Why didn’t I include “Track & Trace” as a separate approach to securing the supply chain?  Because the “Trace” part of “Track and Trace” performs the same role as ePedigree and the “Track” part doesn’t add anything extra to supply chain integrity.  See my essay “Terminology: Track and Trace, and Pedigree“.

Which approach to blocking counterfeits like this Avastin case do you think is appropriate for our future?  How much should we expect to spend to “solve” this problem?  Who should pay for it?  Should there be a single, global approach selected or different national approaches that are targeted to the specific problems that exist today in each locale?  Leave a comment below.

Dirk.

Linear barcodes have served us well for almost half a century, but NOW is the time to move on to something else in the global pharmaceutical supply chain.  I think most people already agree with that but I’m not sure everyone fully appreciates exactly why that is.  It’s important to fully understand the reason why so that your resolution to move away from linear barcodes is strong and you won’t drag your feet or look back.  So let me show you.

                      SERIALIZATION
THE DAWN OF ^ CIVILIZATION

No matter what you might think is going to happen to ePedigree or track & trace regulations going forward, more and more governments around the world are concluding that legitimate pharmaceuticals should come with unique identifiers—serial numbers—attached to them by the manufacturers and repackagers.

Serialization is upon us and I believe that in 10 years the ongoing benefits from it around the globe will significantly exceed the ongoing costs.  Whether you agree to the benefits or not you certainly must accede to the fact that serialization in pharma supply chains is being mandated by more and more governments around the world, and that trend is not likely to reverse but will likely increase.  Serialization mandates are currently in place for 2015-2016 in the state of California and they are under consideration by the two largest pharmaceutical markets in the world:  The E.U. and the U.S.

Serialization is upon us and there is no turning back.  While this is the foundation for why the industry must move away from linear barcodes, it is not the complete reason.

ADDING SERIAL NUMBERS TO PHARMACEUTICALS

Serialization mandates in countries around the world vary quite a bit but the more recent the regulation, the more likely they are to specify the use of GS1 standards, either as part of the mandate or as an example of one way to comply.  GS1 linear barcodes are the most common type of product identifier barcode in use today in the larger markets so when you need to add a serial number to a drug, the addition of a GS1 serial number makes a lot of sense.

In a recent essay, “Depicting An NDC Within A GTIN”, I showed how to depict a U.S. Food and Drug Administration (FDA) National Drug Code (NDC) with an GS1 Global Trade Item Number (GTIN) for both over-the-counter (OTC) drugs and prescription drugs.  Then, in my essay “Anatomy of an FDA SNI” I explained how to use GS1 standards to produce an FDA-compliant serialized NDC, or sNDC.  An sNDC is what is necessary if you want to (voluntarily today) add a serial number to any drug that has an NDC assigned to it for the U.S. market according to the FDA’s Standardized Numeric Identifier (SNI) document from 2010 (see also my essay “FDA Aligns with GS1 SGTIN For SNDC“).  At the end of my “Anatomy of an FDA SNI” essay I used the FDA’s own example (from their SNI Guidance document) to create the GS1 string of elements that would be encoded into a barcode and placed onto the drug package:

01003555556667762111111111111111111111

What I didn’t say in that essay is that you can’t encode this or any other sNDC in the GS1 Universal Product Code-A (UPC-A) barcode symbology that is used today for depicting NDC’s in linear barcodes on many of the pharmaceuticals in the U.S. supply chain.  The UPC-A symbology itself does not support the addition of the serial number.  For that you have to switch to another GS1 linear symbology known as GS1-128 (formerly known as UCC-128 and EAN-128).

Without the serial number, the linear UPC-A barcode for the NDC in the FDA’s example would look like this (all barcode images in this essay are courtesy of Terry Burton’s website):

That’s what the NDC barcode would look like today depicted as a GS1 GTIN-12 without the serial number.  Here is what the full NDC and the serial number from the FDA’s example sNDC would look like depicted as a GTIN-14 plus serial number and rendered in the GS1-128 symbology:

Look at these two examples and you will see why serialization triggers the need to abandon linear barcodes.  The linear barcodes that result after adding a serial number to NDCs are too long to fit onto most drug labels in a way that allows them to be scanned properly.  Yes, this example uses U.S.-specific data and requirements but the same principles will apply to almost all countries and similar results will occur.  Yes, the serial number in the FDA’s example is an extremely long one that probably exceeds the needs of 99% of companies, but the technology must accommodate the extremes or it is not usable.

And that’s not even the most extreme serial number I can think of.  Serial number “YESTHISISAVALIDSRNUM” (yes, this is a valid serial number) is the most extreme serial number I can think of, and this is what it would look like as an sNDC in the GS1-128 symbology:

In fact, I had to reduce the image considerably to get it to fit into this webpage. Click on the image to see it full scale.

That’s even less workable.

SO WE NEED TO MOVE TO 2D BARCODES, RIGHT?

2-Dimensional barcode symbologies, like GS1’s DataMatrix, will solve this problem, yes.  For example, here is what the previous two examples would look like encoded in GS1 DataMatrix:

(01)00355555666776
(21)11111111111111111111

(01)00355555666776
(21)YESTHISISAVALIDSERNM

Both of these symbols take up less space than the original UPC-A barcode that only contains the NDC.  Even if we now add a lot/batch (AI=”10) and an expiration date (AI=”17) as I recommended in my essay “SNI’s Are Not Enough In a Plateau-Based Supply Chain Security Approach”, and we do so using the maximum lengths possible, these two become:

 (01)00355555666776
(21)11111111111111111111
(17)160701
(10)22222222222222222222

(01)00355555666776
(21)YESTHISISAVALIDSRNUM
(17)160701
(10)YESTHISISAVALIDLOTNM

Whoa!  What happened with the “extreme” example to make it blow up so big?  There are two things that just happened.  First, the DataMatix symbology is highly compressed and it automatically adjusts to accommodate the type and size of the data being encoded.  Notice that the length of the lot number and the serial number in the two images above are the same, but the type of the data in the lot and serial numbers are not the same.  When only digits are used the symbology can compress the image into a smaller space than it can when alphanumerics are used.  In both examples I am using the maximum number of characters allowed, but in the extreme example I am using all alphas in both the serial number and in the lot number.  That is the worst-case scenario and, as you can see, it takes up more space.

Second, the GS1 DataMatrix symbology will split into multiple segments (four in this case) once you cross a technical boundary related to the number of bits being encoded.  Alphanumeric characters require more bits to encode them than numeric characters and in this example we crossed that boundary so the image generator split it into four segments.  This helps readers decode larger symbols without significantly lowering reliability.

Considering the fact that it required me to come up with a pretty unrealistic extreme example of both serial number and lot number before the symbols made the leap to four segments I think it is unlikely that most drugs will require more than one segment.  That’s because most drugs require many fewer than 20 characters for their lot/batch and serial numbers and most companies will probably stick with numeric-only characters in their serial numbers.

WHAT ABOUT RFID?

The pharma industry could move to Radio Frequency Identification (RFID) instead of 2D barcodes where regulations allow, but I believe that is unlikely except where the overseeing regulatory body actually requires it for all drugs in that jurisdiction.  The explanation I documented for that in my essay “RFID is DEAD…at Unit-Level in Pharma” still applies.  On the other hand, RFID would also solve the space problem that we have seen results with linear barcodes and the addition of serialization.  In fact, most RFID tags would likely be placed under the product label so they would not take up any label real estate at all, but I don’t think manufacturers will view that savings as enough to offset the cost of the tags themselves.

THE TIME IS NOW

If you are a global pharma manufacturer or repackager and you haven’t yet figured out a plan for moving away from linear barcodes on your product labels, now is the time to start.  Whether you choose 2D barcodes or RFID, the existence of serialization mandates around the world is the reason you need to take action and the time is now.

If you are a distributor, pharmacy or dispenser of pharmaceuticals in parts of the world where serialization has arrived or is coming, you need to develop a plan for reading the product codes and serial numbers using technologies that drug manufacturers and repackagers will move to.  Now is the time to find out how many different technologies you will have to deal with.  Now is the time to influence those manufacturers who are considering technologies that you don’t want and steer them toward those you do want.

Now is the time.

NOW IS THE TIME…EXCEPT FOR ONE THING!

Except, the FDA currently requires that drugs sold into the U.S. market be identified with their NDC specifically in a linear barcode.  That means that in the U.S. today, you cannot move away from linear barcodes on your drug product, even when you need to add serial numbers to them for compliance with the California pedigree law in 2015-2017.  As I show above, it doesn’t make sense to add serial numbers in linear barcodes so you are left with the probable decision to put the NDC and serial numbers in a 2D barcode or RFID tag in addition to the existing linear barcode that contains the NDC by itself.  That’s pretty space inefficient.

The FDA is aware of this unfortunate situation as indicated by their recent request for comment on eliminating the requirement for the use of linear barcodes containing the NDC on drugs.  Click here to read the responses they have collected so far.  You have until February 23, 2012 to submit your own comments to the FDA through www.regulations.gov, docket number FDA-2011-N-0719.

Pay close attention to what the FDA does with this issue.  More than likely it will impact everyone in the U.S. pharmaceutical supply chain.

Dirk.

Thank you to George Wright IV of PIPS for catching an embarrassing error in my construction of the GTIN-14′s encoded into the sample barcodes.  I have now corrected and updated them.

The U.S. Food and Drug Administration (FDA) published their “Standardized Numerical Identification (SNI) for Prescription Drug Packages – Final Guidance” document almost two years ago (see my essay “FDA Aligns with GS1 SGTIN For SNDC” from back then).  The guidance was published as purely non-binding recommendations that reflected the Agency’s current thinking, but in my opinion it is a nice piece of work and can be used as a practical guide, as far as it goes, for implementing drug serialization programs today.

Why is that?  It’s because drug manufacturers and repackagers need to serialize all of their prescription drugs that enter the state of California in 2015/2016.  Can those companies make use of the FDA’s SNI guidance to comply with the serialization requirements of the California Pedigree Law?  I will answer that question in this essay, but first…

A REVIEW OF THE FDA SNI GUIDANCE

According to the FDA, an “SNI” is a unique identifier that is attached to a prescription drug by the original manufacturer.  Presumably “unique” means unique within the United States.  Specifically, an SNI is either a “serialized National Drug Code (sNDC)” or one of the existing recognized standards for identifying and labeling certain blood and blood components and certain minimally manipulated human cells, tissues and cellular and tissue-based products (HCT/Ps) which do not currently use NDC numbers.  The guidance document mentions only ISBT 128 for this latter class of SNI and implies that there may be others.  Apparently those standards always result in a unique identification number for each product package.  The important thing to realize is that an the sNDC is only one type of SNI but it is the kind that should be used on any prescription drug product that has been assigned an NDC.  In this essay I am only going to discuss the sNDC type of SNI.

The FDA defines the sNDC as being composed of the drug’s 10-digit NDC plus an alphanumeric serial number that can be up to 20 characters long.  The guidance applies to prescription drugs only so Over-The-Counter (OTC) drugs that are identified by an NDC apparently aren’t covered.  But since the guidance is non-binding anyway this distinction isn’t really significant.  Perhaps it will if the SNI guidance ever becomes a required regulation.

Example of the components of an sNDC borrowed from the FDA SNI Guidance document. March 2010. Click image to enlarge.

The SNI guidance document itself defines the SNI “for package-level identification only”, but it also makes it clear that SNIs can also exist for levels other than the package-level, like cases and pallets.  It’s just that this guidance document doesn’t cover those.  The FDA defines the “package-level” this way:

“…the smallest unit placed into interstate commerce by the manufacturer or the repackager that is intended by that manufacturer or repackager, as applicable, for individual sale to the pharmacy or other dispenser of the drug product.”

Repackagers that break the manufacturer’s package down and repackages the contents in any way must apply a new and unique SNI to the new package-level and that new SNI must be linked (in some unspecified way that I assume is a database) back to the manufacturer’s original SNI.  The guidance document contains an excellent example of a package of six drug-filled syringes that would be the lowest packaging level that the hypothetical manufacturer intended pharmacies or other dispensers to buy, but is then repackaged by another hypothetical party acting as a repackager into single syringe packages for sale to pharmacies or other dispensers.

The original hypothetical manufacturer would only need to assign an SNI to the package of six drug-filled syringes since it does not intend the syringes for individual sale.  However, the hypothetical repackager would need to assign each drug-filled syringe its own unique SNI and link those six SNI’s to the original manufacturer’s SNI that was assigned to the specific package of six that the individual packages came from.  If you repackage drugs you should study the example in the FDA SNI guidance document.  Of course, since this guidance is not binding the FDA isn’t saying that you have to do this today.

The FDA recommends that the SNI should generally “…be applied to each package in both human-readable and machine-readable forms.”  However, the FDA guidance document explicitly states that “…at this time, FDA is not specifying the means of incorporating the SNI onto the package.”  But it goes on to say that “The SNIs described in this guidance are compatible with, and flexible for, encoding into a variety of machine-readable forms of data carriers, such as 2-dimensional bar codes and radio-frequency identification (RFID)…”.  The document also explicitly doesn’t specify a location on the package where the SNI should be placed, but it does say that any human-readable form could be printed “…in a non-contiguous manner…” from the existing NDC printed on the package.

THE RELATIONSHIP BETWEEN sNDC AND GS1 sGTIN

Finally, the guidance document points out that the sNDC “…is compatible with, and may be presented within, a [GS1] GTIN…”.  GTIN is a GS1 standard for general product/service class-level identification and the letters stand for “Global Trade Item Number” (see my essays “Anatomy of a GTIN” and “Depicting An NDC Within a GTIN”).  It is quite clear that what the FDA meant to say is that the sNDC can be depicted as a serialized GS1 GTIN, or “sGTIN”.  It does not say that an sGTIN is the only way to depict an sNDC or that you must depict it that way, it simply says that it may be presented that way.

The document doesn’t identify any other way to do it but I’m pretty confident you could present an sNDC using HIBCC standards too if you wanted to.  HIBCC product identification standards are very rare in the U.S. pharmaceutical supply chain (they are much more common in the medical devices supply chain) so I’m not covering them in this essay.  For more on HIBCC standards click here.

CAN THE sNDC BE USED TO COMPLY WITH THE CALIFORNIA SERIALIZATION REQUIREMENT?

This question is frequently asked these days.  Fortunately the answer is definitively “yes” in my opinion.  You should read the source documents to convince yourself one way or the other, but here is my logic.

The text of the California pedigree law says that each drug package distributed within the state must have a “unique identification number” attached to it.  Presumable “unique” here means unique within the state of California.  The law doesn’t specify any specific characteristics of the identifier itself other than its uniqueness and that it be “…contained within a standardized nonproprietary data format and architecture, that is uniformly used by manufacturers, wholesalers, and pharmacies…“.  The FDA sNDC is a “unique identification number” and by definition it must be unique, presumably within the U.S., and it is a standardized nonproprietary data format and architecture and it is certainly capable of being uniformly used by all parties in the U.S. pharma supply chain, which fulfills the California requirement.

The language in the California law and the Questions and Answers about the law that was published by the California Board of Pharmacy in 2008 regarding who must apply a unique identifier, to what and when it must be done is comparable to the language in the FDA’s SNI guidance.  This includes the definition of the “package-level” and the need for a unique identifier attached to repackaged drugs and how that identifier must be linked to the original manufacturers unique identifier.  Of course, the language in the California documents was available to the FDA when they were constructing their language.

So far I haven’t found a single significant difference in characteristics of the unique identifier defined by California and the sNDC defined by the FDA.  This leads me to conclude that California will very likely accept the use of unique identifiers that conform to the FDA sNDC guidance for compliance with the serialization requirements of their pedigree law.  It also makes perfect sense that they would.  Again, that’s my opinion.  You form your own.

DEPICTING AN sNDC IN A BARCODE USING GS1 GTIN PLUS SERIAL NUMBER

OK, so you agree with me and you want to print an FDA-compliant sNDC on your drug packages within a machine-readable barcode using GS1 standards in advance of the compliance dates for the California pedigree law.  The way to do it is to make use of “The GS1 System”.  Here I’m referring to the GS1 Application Identifier standard and certain barcode symbologies that are documented fully in the GS1 General Specification. Search for this specification on the internet or contact your local GS1 Member Organization (MO) to obtain a copy.

The GS1 System Application Identifier standard defines a way of encoding multiple pieces of information within a string of characters in an exact way so that a reader can extract them back into their original decomposed form.  There are lots of Application Identifiers (AI) covering a wide spectrum of data types needed in a supply chain context.  An AI is a two-to-four-digit code that identifies the type of data that follows it in an “element string”.  In our particular instance, we are interested in just two AIs: one for the GTIN (AI=”01”) and one for the serial number that is associated with that GTIN (AI=”21”).

A GTIN element string is always 14 digits long when it is depicted using AI “01”.  Remember that the FDA defined their serial number as being up to 20 alphanumeric characters.  That means that it is a variable length value ranging from 1 to 20 characters.  It is a happy coincidence that GS1 defines their serial number element string for AI “21″ in exactly the same way!  Well, in fact, the FDA made the decision to specifically align their definition with that of GS1’s existing AI “21″ definition so that there wouldn’t be any conflict if people chose to use GS1 standards to implement the sNDC.

If we put together the technique I described in my essay “Depicting An NDC Within a GTIN” with the information above, we get the following shortcut for the GS1 string of elements that depict an sNDC:

sNDC to GS1 string of elements shortcut. Click image to enlarge.

Now all we need to do is encode this string of characters into one of the GS1 barcode symbologies that accommodate a GS1 string of elements.  These include GS1-128 and DataBar for linear barcodes and GS1 DataMatrix for 2D barcodes.  See the GS1 General Specification for details on how to properly construct these barcodes.

(NOTE:  According to the HDMA only a subset of the possible DataBar family of symbologies should be used on pharmaceuticals in the U.S. supply chain and they should only be used on products that are very tiny.  See my recent essay “Updated HDMA Barcode Guidance: A Must Read”.)

To construct the human readable string for an sNDC that is encoded in a GS1 string of elements you may insert spaces between the end of the GTIN and the “21” and you may set off the AIs by wrapping them in parentheses.  These “decorations” are commonly used to help make these long numbers more readable and they should never be included in the string that is encoded in the barcode.

Here is an example GS1 string of elements that uses the same data that the FDA included for an example sNDC in their guidance document (shown in the image above).  In their example they used a fictitious NDC of 55555 666 77 and a serial number of 11111111111111111111.  Applying the shortcut technique I show above the GS1 string of elements would be:

sNDC example from the FDA Guidance document encoded into a GS1 string of elements. Click image to enlarge.

The string that would be used to encode the GS1 barcode would be:

01003555556667762111111111111111111111

and the human readable to be printed on the drug package might look like this:

(01) 003 55555 666 77 6 (21) 11111111111111111111

Notice the extra decorations I included in the human readable that are not included in the string that is encoded in the barcode.

DEPICTING AN sNDC IN AN RFID TAG USING GS1 sGTIN

In a departure from the GS1 General Specification, GS1’s RFID tag standards do not make use of AI’s when encoding an sGTIN for product identification.  In fact, in their RFID standards the concept of a GTIN and a serial number are merged together to produce a single indivisible  identifier they explicitly call a Serialized Global Trade Item Number, or SGTIN (see the GS1 Tag Data Standard for the details).

A full explanation of how to encode an SGTIN within a GS1 RFID tag is more complex than the barcode explanation above and it is beyond the scope of this essay (and of RxTrace, really) but you will find the GS1 Tag Data Standard document (now in revision 1.6) to be quite well written (see my essay “Masterpiece:  GS1 Tag Data Standard 1.5”).  And don’t miss my widely read essay “RFID Is DEAD…At Unit Level In Pharma”.

IMPLICATIONS OF THE sNDC SERIAL NUMBER DEFINITION

There are some surprising implications that result from the definition of a serial number in the way the FDA defines the sNDC.  I hope to cover those implications in a future essay.  Stay tuned.

Dirk.

2-13-2012:  Corrected a problem with the GS1 string of elements and the human readable example.  Thanks to George Wright IV of PIPS for reporting the problem.

In recent essays I have covered the “Anatomy of an NDC”, the “Anatomy of a GTIN” and the “Updated HDMA Bar Code Guidance: A Must Read“.  Now let’s put them all together.  Why would we need to do that?  Because the U.S. FDA requires many Over-The-Counter (OTC) and all prescription drugs marketed in the United States to have their National Drug Code (NDC) presented in the form of a linear barcode on the package.  Pure and simple.  To do that in a way that your trading partners can understand—that is, to do it interoperably—you need to follow a standard.  You have two realistic choices for standard approaches to this problem:  HIBCC or GS1.

The use of HIBCC standards is fairly common in the U.S. medical surgical devices supply chain but in the pharmaceutical supply chain it is very rare.  Most companies choose GS1’s barcode standards so that’s all I’m going to focus on in this essay.  If you want more information about how to do this with a HIBCC barcode find it here.

OVER-THE-COUNTER DRUGS:  GTIN-12

If your drug is sold over the counter (OTC), like aspirin and cold medications, the barcode on your packages will need to be scanned at point of sale (POS) terminals in the same way that any other consumer good is.  For that reason you need to put your National Drug Code (NDC) into a Universal Product Code (UPC) barcode in the United States.  A UPC-A barcode symbol contains a GS1 GTIN-12 data structure.  Here is what you need to do to convert your NDC into a GS1 GTIN-12:

1. Register your FDA Labeler Code with GS1 US who will convert it into a GS1 Company Prefix (GCP) and grant you the right to use it
   Recall from my previous essays that your FDA Labeler Code is either 4 or 5 digits long and a GCP can be anywhere from 6 to 10 digits depending on the fee you pay GS1 US when you register it.  In the case of FDA-regulated pharmaceuticals GS1 US will register a 4-digit FDA Labeler Code as a 6-digit GCP and a 5-digit FDA Labeler Code as a 7-digit GCP.  The reason is that they need to synchronize the length of the Item Reference portion of the resulting GTINs with the combined length of the Product Code and Package Size fields of your NDC.  This is to ensure that you are able to generate valid GTIN-based barcodes for every possible NDC that your Labeler Code enables you to generate.  You only need to register your FDA Labeler Code with GS1 US once as long as you keep up with the annual subscription fees so for subsequent drugs that use a Labeler Code that is already registered you can skip this step.  If you have multiple FDA Labeler Codes you need to register each one with GS1 US once.
   
   GS1 US has reserved GCPs that start with “03″ for owners of FDA Labeler Codes as shown in the following table.
   

   Click images to enlarge

2. From your new GS1 Company Prefix construct your U.P.C. Company Prefix
   Ah ha!  This is an esoteric step.  It is necessary because of the way GS1 merged the formerly North American-only Uniform Code Council’s (UCC) Universal Product Code (UPC) company prefixes with the European Article Numbering Association’s (EAN) European Article Number (EAN) company prefixes and made the whole combined scheme suitable for global company prefixes and yet retained backward compatibility with the UPC and EAN.  But you don’t have to follow any of that.  Here’s what you do.
   
   You take the GCP that GS1 US assigned you and you strip off the leftmost digit.  That digit is always going to end up being a zero because we are dealing with an FDA regulated pharmaceutical and GS1 US will make sure that it is a zero on your behalf.  The remaining digits make up your new U.P.C. Company Prefix, usable only for generating UPC-A barcodes  and a few other less common things (see the GS1 General Specification for what else you can do with a U.P.C. Company Prefix).  For an NDC that has a 4-digit Labeler Code your U.P.C. Company Prefix will now start with a “3” and it will be 5 total digits long.  For an NDC that has a 5-digit Labeler Code your U.P.C. Company Prefix will now start with a “3” and it will be 6 total digits long as shown below.
   

   Click images to enlarge

3. Combine your U.P.C. Company Prefix with the Product Code and Package Size fields from your NDC
   For an NDC that has a 4-digit Labeler Code your Product Code and Package Size fields will be a total of 6 digits long.  Combine them with the GS1 U.P.C Company Prefix by placing them to the right of the prefix.  For an NDC that has a 5-digit Labeler Code your Product Code and Package Size fields will be a total of 5 digits long.  Combine them with the GS1 U.P.C. Company Prefix by placing them to the right of the prefix.  You should now have a total of 11 digits regardless of the length of your Labeler Code as shown in the table below.
   

   Click images to enlarge

4. Calculate the Check Digit and add it to complete your GTIN-12
   GS1 provides an algorithm to calculate the Check Digit in section 7.2.7 of the GS1 General Specification.  They also provide a handy calculator at this webpage(although where they say to enter the “Item Reference”, they really mean for you to enter the full prefix and item reference together).  Add check digit to the right of the code constructed in step 3.  You should now have a 12-digit code as shown below.  This is the GTIN-12 that can be encoded into a UPC-A barcode and printed on your product.
   

   Click images to enlarge

If you look closely at the table above you may see a short-cut that would get you directly to your GTIN-12.  All you need to do is take your 10-digit NDC and put a “3” in front of it and put a calculated check digit at the end as shown in the following table.

Click on images to enlarge

It is true that you can get there this way but then you might be tempted to skip step #1 and not obtain your official GCP.  As I understand it, since GS1 owns a copyright on the UPC family of barcode symbologies they could make a claim against your company if you encode your NDC into the copyrighted UPC-A symbology without first registering your FDA Labeler Code with them and paying whatever fee they place on that.  Talk to GS1 US to get the full story for your particular situation.  On the other hand, if you have already registered your Labeler Code with GS1 US then this short-cut should always produce your GTIN-12 for subsequent products that share the same FDA Labeler Code.

PRESCRIPTION DRUGS:  GTIN-14

Any drug distributed in the U.S. that is regulated by the FDA as a prescription drug must be dispensed by a registered pharmacist.  In that case it will not be scanned at a retail POS station.  For that reason you do not need to encode your NDC within a GTIN-12 but should encode it into a full GTIN-14.  GTIN-14s should also be used on all case labels whether OTC or prescription (see the HDMA Bar Code Guidance for details).  You can render a GS1 GTIN-14 identifier into a GS1-128, GS1 DataMatrix, or GS1 DataBar symbology depending on the application.

Here is what you need to do to properly convert your NDC into a GS1 GTIN-14 data structure:

1. Register your FDA Labeler Code with GS1 US who will convert it into a GS1 Company Prefix (GCP) and grant you the right to use it
   This is the same as step #1 for GTIN-12 above.
   
   
2. Combine your GS1 Company Prefix with the Product Code and Package Size fields from your NDC
   For an NDC that has a 4-digit Labeler Code your Product Code and Package Size fields will be a total of 6 digits long.  Combine them with the GS1 Company Prefix by placing them to the right of the prefix.  For an NDC that has a 5-digit Labeler Code your Product Code and Package Size fields will be a total of 5 digits long.  Combine them with the GS1 Company Prefix by placing them to the right of the prefix.
   
   
3. Add your Indicator Digit
   Next you need to add the single digit “Indicator digit” to the left of the GS1 Company Prefix.  Refer to my previous essay, “Anatomy of a GTIN” to learn what this digit is for.  For a unit of use package, use the value “0″.  You should now have a total of 13 digits regardless of the length of your Labeler Code.
   
   
4. Calculate the Check Digit and add it to complete your GTIN-14
   GS1 provides an algorithm to calculate the Check Digit in section 7.2.7 of the GS1 General Specification.  They also provide a handy calculator at this webpage.  Add check digit to the right of the code constructed in step 2.  You should now have a 14-digit code.  This is the GTIN-14 that can be encoded into a GS1 Code-128, GS1 DataMatrix, or DataBar barcode and printed on your product or case.  (NOTE:  DataBar should only be used on packages that are too small to accept one of the other symbologies.  See the HDMA Bar Code Guidelines for details.)

Finally, if you have already registered your Labeler Code with GS1 US you can use the following short-cut to construct your subsequent GTIN-14s.

Click image to enlarge

The following figure summarizes the contents of all forms of the NDC for both GTIN-12 and GTIN-14 data structures.

Click images to enlarge

IMPLICATIONS

There is an important implication stemming from the use of GS1 identifiers and barcodes to encode and render your NDC that I think needs to be explained.  This applies to any company that already possesses a GCP that does not match their FDA Labeler Code.  I can think of two ways that this might happen:

1. Any company in the U.S. that distributes non-drug products and already obtained a GCP from GS1 US for those products,
2. Any drug manufacturer that is based outside of the United States and that already possesses a GCP that was issued by their local, non-U.S. GS1 Member Organization.

Neither of these types of GCP’s can be used to encode an NDC for distribution within the U.S.  That’s because these GCPs do not match your FDA issued Labeler Code.  Only GS1 US, the U.S.-based GS1 Member Organization, can issue you a GCP that is properly based on your Labeler Code.  So these companies should contact GS1 US to register their Labeler Code, whether the company is based in the U.S. or not.

Systems and their associated databases should always be designed to accommodate the full GTIN-14 even when the application may seem to only need to deal with GTIN-12′s.  See GS1′s position paper on this topic for more explanation.

There are a few more “Anatomy of…” essays I want to write including the FDA’s Standardized Numeric Identifier (SNI), and GS-128 in the U.S. Pharma supply chain.  Watch for those essays in the near future.

Dirk.

2012 is the year of the GTIN in the U.S. healthcare supply chains as christened by the largest hospital group purchasing organizations (GPOs) in their so-called “Sunrise 2012″ program.  They have asked all of their suppliers to switch from proprietary product codes to GS1’s Global Trade Item Number (GTIN) standard in catalogs, B2B communications and shipment labeling by the end of this year.  They did the same thing with GS1’s Global Location Number (GLN) back in 2010 (“Sunrise 2010″) but so far it appears to have had only a small (but still growing) impact.

The GTIN can be a mysterious concept.  I received an email recently from a sales person who wanted to know what this “G-ten” thing was that her customer kept claiming was so important to her future business with them.  I’ve also sometimes had difficulty convincing people that GTIN adoption is important.  “We don’t need another product identifier.  We already have the NDC!”

I hope to pull back the veil just a little bit and explain not only the anatomy of the GTIN but also why it is so important to all supply chains in all regions of the world.

WHAT EXACTLY IS A GTIN?

GS1 explains the GTIN this way:

“As the name implies, the GTIN helps automate the trading process – basically buying and selling.  GTINs are therefore assigned to any item (product or service) that may be priced, or ordered, or invoiced at any point in any supply chain.  The GTIN is then used to retrieve pre-defined information about the item.  The key benefit is that information about the item can be retrieved about the product from the GTIN whether it is read in a GS1 BarCodes symbol, exchanged via a GS1 eCom message or accessed from the Global Data Synchronisation Network.”

Hmmm…Let me try.  First, a “Trade Item” is any product or service that may be manufactured, priced, advertised, bought, sold, traded, invoiced, returned or consumed within a commercial supply chain.  GTIN (Global Trade Item Number) is a GS1 standard that defines the structure and usage rules for a numeric identifier that can be assigned to a very specific, idealized description of a “trade item” and which can then be used in any part of the world to refer to instances of trade items that conform to that description.

For another attempt at a definition, see the one on Wikipedia here.

In everyday usage “a GTIN” is the number that is encoded into the product barcodes found on pretty much every product you can find in any store.  In the U.S. you know it as the UPC, or Universal Product Code, a 12-digit number (and technically known as a GTIN-12).  In the E.U. you know it as the EAN, or European Article Number, a 13-digit number (and technically known as a GTIN-13).  The GTIN-12 and GTIN-13 are “retail” GTINs.  That is, these are the GTINs placed on products that are typically sold through a retail Point of Sale (POS) station (a store checkout counter).  This includes most over the counter (OTC), non-prescription drugs.

Today, nearly all OTC drugs and many prescription drugs in the U.S. supply chain are marked with a National Drug Code (NDC) or a Universal Product Code (U.P.C.) that is encoded in a GTIN-12 data structure and rendered on the package in a UPC-A barcode.  Non-retail products like those that are typically sold only B2B (business to business) (GS1 refers to these as “Trade Items Intended for General Distribution Scanning Only”)—including prescription pharmaceuticals—should be assigned a 14-digit GTIN (technically known as a GTIN-14).

You may yawn, but this is powerful stuff if you can get everyone on the bandwagon.  The GPOs in the U.S. and GS1 plan to do just that.

The most important aspect of the GTIN standard is that when one is properly assigned to a given product or service it is globally unique.  That means that no other product or service anywhere in the world can ever be assigned that same GTIN so that number can be used anywhere and everywhere to refer to that specific type of product or service.  This eliminates product code ambiguity globally.

Another important feature is that the GTIN standard is applied in the same way regardless of product type, service type or supply chain.  The same rules apply to all GTIN identifiers.  These rules are defined in GS1’s General Specification—the specification of “The GS1 System”, of which GTIN is just one part.  See also “GS1 GTIN Allocation Rules for Healthcare” for some of these rules in a healthcare context.  (For a great non-technical explanation of “The GS1 System” of standards, check out this great PDF:  “The Value and Benefits of the GS1 System of Standards”.)

ANATOMY OF A GTIN-14

I mentioned above that a GTIN can take form in 12, 13 or 14 digits (it can also take the form of an 8-digit value but that’s very rare in healthcare), but since my focus is primarily in the B2B healthcare supply chains I’m only going to concentrate on the 14-digit form in this essay.  This is the only form that will fit into barcodes that make use of GS1 Application Identifiers (AI) (like GS1-128 linear barcodes and GS1 DataMatrix 2D barcodes) although the other forms can always be converted into the 14-digit form (by padding with zero[s] on the left).  Note that OTC drugs at the unit-level cannot make use of the GTIN-14 structure, AIs or the barcodes that carry them because they need to be scanned at POS.

There are four components that make up a GTIN-14 and they appear in this order:

• Indicator Digit
  This digit only appears in the GTIN-14 and is primarily used to indicate standard groupings (inner pack, case, pallet, etc.) of packages of the same GTIN using values 1 through 9.  A zero indicates that the GTIN is representing a single unit.  For products where the actual units sold can be a variable measure (weight, size, volume, etc.) the indicator digit should be set to 9.  Indicator values 1 through 8 have no specific standard meaning other than that they indicate a grouping.  That is, there are no standard groupings that values 1 through 8 may indicate so you can’t assume any particular value means an inner pack, a case, a pallet or anything else.  Each company is free to choose any of these values to indicate any grouping they wish.
  
  
• GS1 Company Prefix (GCP)
  This is the variable length number that is assigned by the local GS1 Member Organization (MO) to the company that manufactures, packages or repackages the product that the GTIN represents.  This is the number that those companies must apply to GS1 for assignment.  In the U.S. the GCP ranges in length between 6 and 10 digits and the length partially determines its cost.  Shorter company prefixes cost more than longer ones (see Item Reference below for why this is so).
  
  Pharmaceutical companies who already possess an FDA Labeler Code (see my previous essay, “Anatomy Of The National Drug Code” for more on this) just need to register that code with GS1 US (the local GS1 MO in the United States) to obtain a license to use that same code as the basis for their GCP within the context of GS1’s copyrighted barcode, RFID, EDI, pedigree and track & trace standards.
  
  The GS1 Company Prefix is itself composed of a 1 to 3 digit GS1 Prefix which is assigned by the GS1 Global Office to each GS1 MO to ensure global uniqueness of all GCP-based GS1 keys (GS1 keys include GTIN, GLN, SSCC, GRAI, any EPC, GSRN, GIAI, GDTI, GSIN, etc.).  This prefix is sometimes incorrectly referred to as a “country code” although because MOs are fairly country-specific this is not too far off.  The remainder of the GCP—known as a Company Number—is assigned by the Local MO.  See the GS1 General Specification for more details.
  
  When a company is assigned a GCP by GS1 they are granted exclusive rights to use that prefix to construct any of the GS1 keys (see the list in the paragraph above) and use them in any way they see fit as long as it is within the rules established in the GS1 General Specification.  GS1 keys generated by the owner of the GCP do not need to be authorized, approved or registered with GS1.  There is no additional cost to generate new GS1 keys once a company obtains a GCP.
  
  GCPs are a company asset that should be addressed in any merger or divestiture strategy (see this topic in the GS1 General Specification).  GCP usage within a given company should ideally be controlled at a single point within an organization.  This generally isn’t an issue for smaller companies but multinational corporations should ensure that they have a strategy for centrally assigning and distributing GCP-based GS1 keys to their operations to ensure uniqueness and to ensure that the GCP resource is used to its maximum potential.
  
  Companies may obtain multiple GCPs from their local GS1 MO if they use up the available reference values in one or more GS1 keys.  They may also obtain additional GCPs (partly “used”) as the result of a merger with another company.
  
  Neither GS1 nor the MOs police adherence to any of their standards, but they carefully control the assignment of GCPs to always maintain global uniqueness.  As long as the GCP assignments are all globally unique, all of the keys generated by the owners of all GCPs will also be globally unique.  This is a very important design feature of the entire GS1 System.
  
  
• Item Reference
  The Item Reference is a variable length number that must be chosen by the owner of the GS1 Company Prefix and assigned to the specific description of a single product class.  This specific description must remain unchanged for the life of the GTIN (see the GS1 General Specifications for details and exceptions).  The combination of the owner’s GCP and the Item Reference must be exactly equal to 12 digits.  Since the length of the GCP is determined when it is obtained from the local MO, the length of the Item Reference must take up the remainder of the 12 digit space.
  
  For example, if company A obtains a 6-digit GCP, the Item Reference field within their GTIN-14′s must be 6 digits long (12 – 6 = 6).  If company B obtains a 10-digit GCP, their GTIN-14 Item References must be only 2 digits long (12 – 10 = 2).  From these two examples you can see that company A can identify up to 1,000,000 unique products or services but company B can only identify 100.
  
  There is a comparable limitation in the other GS1 keys.  Shorter GCPs result in more digit space available in the reference portion of the key which results in vastly more usable unique numbers (each extra digit represents an order of magnitude more unique values the owner can assign).  This is why GS1 charges more for the shorter GCPs than they do for longer ones and this provides a measure of affordability to smaller companies who will likely never need more than a small number of unique GTINs or other keys.
  
  
• Check Digit
  The Check Digit is a single digit that is mathematically calculated based on the contents of all of the other digits in the GTIN-14.  The purpose of the Check Digit is to help barcode readers and applications detect data entry errors.  See Section 7.10 of the GS1 General Specification for the algorithm.

EXAMPLE GTIN

Here is an example of a GTIN-14 that I found on an inner-pack of Epinephrine injectors.

Click image to enlarge. Image Copyright RxTrace 2012.

An “inner-pack” is a grouping of trade items and so we see the Indicator Digit is set to “1″, a valid value for a grouping.  We can’t tell by looking at this example exactly how long the GCP is because it could be anywhere from 6 digits to 10 digits long.  Fortunately GS1 provides a service they call Global Electronic Party Information Registry, or GEPIR.  If we select “Search by GTIN”, enter ’10304094921348′ and click “Search”, we are told that this GTIN contains a 6-digit GCP of ’030409′ and it is registered to Hospira, Inc. in Lake Forest, Illinois.  Now we know that the Item Reference that Hospira happened to choose for this GTIN must be ’492134′.  The Check Digit is calculated based on all of the previous digits as “8″.

This particular inner-pack contained about 10 or 12 unit-level packages that were shrink-wrapped together and labeled with the GTIN-14 above.  Each of the units contained a barcode with the unit-level GTIN-14 encoded in it.  It was exactly the same GTIN as the inner-pack except for the Indicator Digit, which was correctly set to zero, and the check digit which changed because of the change in the Indicator Digit.  These were unit dose injectors.  There are probably about 4 inner-packs per casepack but I didn’t note that information.  The case GTIN would be exactly the same as the inner-pack and units except for the Indicator Digit which would have been been a value in the range of 2 to 8 to reflect that it is a standard grouping that is different than the inner-pack.

Normally we don’t need to deconstruct GTINs like this.  In fact the whole point of a GTIN is to use it as a single whole identifier and not to break it down into its constituent parts like we have done here but I wanted to show you how this one was intelligently constructed by Hospira, the owner of this particular GCP.

BENEFITS OF THE GTIN

The benefits of GTIN adoption by a supply chain are different between manufacturers and non-manufacturers (distributors, pharmacies and retailers).

Manufacturers gain because they can potentially use the same standard product/service identifier in multiple markets/countries.  Well, as long as the packaging doesn’t vary (same language, etc.) and there aren’t any regulatory reasons for using a different identifier (national numbering like the U.S FDA NDC, different units for the unit of measure, etc.).  Even when a different identifier is necessary for different markets/countries the manufacturer benefits from the use of a standardized identifier because modern Manufacturing Execution Systems (MES), Warehouse Management Systems (WMS),  Electronic Data Interchange (EDI) systems and Enterprise Resource Planning (ERP) systems should come with full GS1 System support built in (admittedly not all do yet).  This includes enforcement of many of the GS1 rules for dealing with GTINs and the other pertinent GCP-based identifiers.

Like manufacturers, non-manufacturers in the supply chain make use of WMS, EDI and ERP systems in addition to pharmacy management systems and  Hospital Materials Management Inventory Systems (HMMIS) that ought to have standardized GS1 System support built in.  These companies also benefit because they can trust that GTINs are globally unique and all product identifiers used by all of their suppliers refer to the same product or service and those identifiers are constructed using the same format.  This allows them to eliminate their own internal product codes for each manufacturer’s products and services, simplifying inventory management, sales, purchasing, order fulfillment, shipping, receiving and dispensing and thus reducing errors that generate waste and in the healthcare supply chain can cause injury or even death.  This is why the GPOs are so hot to make 2012 the year of the GTIN.

ADOPTION OF THE GTIN

Manufacturers of products or services can decide to unilaterally adopt the GS1 GTIN standard for all of their products and they can reap some small internal benefits from that decision as I’ve outlined above.  That may not offer enough of a gain to offset the cost of conversion from proprietary product identifiers.  The problem is, for the downstream trading partners to benefit from GTIN use, more than just one manufacturer has to switch to GTINs.  In fact, the benefits don’t start accruing to those companies until a significant number of manufacturers switch to GTINs, and until all manufacturers in a given supply chain switch to them the benefits do not reach their maximum potential.  For this reason, GTINs should be adopted by a supply chain as a whole and not just one company here and there.

How do you trigger a switch within an entire supply chain like that?  The GPOs may have it figured out.  Like Walmart in the fast-moving consumer goods (FMCG) supply chain and the big automakers in their supply chain, they have to start dictating the switch and they have to be hard-nosed about it.  Can the GPOs fill the role of the “800-pound gorilla” like Walmart and the automakers?  We’ll see.

There are some encouraging signs and some discouraging signs in the recently released results of a survey in a document called “GS1 Data Standards Adoption Survey, Progress toward Global Trade Item Numbers (GTINs), December 2011” conducted by the University of Arkansas Center for Innovation in Healthcare Logistics (CIHL) on behalf of the Healthcare Supply Chain Association (HSCA) (the industry association of GPOs, formerly HIGPA) and the Healthcare Industry Supply Chain Institute (HISCI).  I’ll have more to say about this paper and the results it documents in a future essay.

I’ll stop here for now.  Watch for future related essays on “Depicting an NDC Within a GTIN”, and “Anatomy of an SNI”.

I am going to attend the 2012 National Pharmacy Forum in Tampa on February 9th.  The full conference runs from the 8th through 10th and is co-hosted by HCSA and HISCI.  If you run into me there please introduce yourself and tell me what you like and don’t like about RxTrace.

Dirk.

For the application of unique serial numbers, or Standard Numerical Identifiers (SNIs), to packages as part of compliance with the California Pedigree Law in 2015-2017 , GS1′s Electronic Product Code (EPC), particularly in barcode form, is the clear winning standard.  But there seems to be a very common misconception going around that for pedigree data management, all you need to do to comply with that law is to deploy a system that is based solely on the GS1 Electronic Product Code Information Services (EPCIS) standard.  The  misconception assumes that there is a formula that can be followed to achieve compliance and that EPCIS is the whole formula.

In truth, EPCIS will almost certainly be an important component in the compliance formula but exactly how it fits, and whether there are other necessary components, has not yet been determined.

There are probably several reasons that this misconception persists.  First, GS1 US continues to promote their 2015 “Readiness” Program as if it is that formula.  The program documentation strongly implies that, if you simply follow their program, you will “be ready” to comply with the law; but it stops short of actually saying that you will be compliant.

Second, it seems like people are either able to understand the law well but not the technical standards, or they are able to understand the technical standards well but not the law.  The legal folks are left to trust what the technical people say about EPCIS, and the technical people assume that as long as the data elements identified in the law are present somewhere then EPCIS must comply.

Now I am not a legal expert but I’ve been looking at the text of the California Pedigree Law for a few years now and I think I understand it at a level that allows me to estimate how various technical approaches might fill its requirements.  Let me show you how the text of the law compares to the capabilities of the EPCIS standard.  From that analysis I think you will either be able to see that EPCIS by itself is insufficient to comply with the law, or you may see some flaw in my logic.  In that latter case, please leave a comment below to point out the flaw.  My intent is not to provide you with legal advice but to explain how the EPCIS technical standard would likely be applied when using it in an attempt to comply with the law.  Decide for yourself what you think will or won’t comply.

THE CALIFORNIA PEDIGREE LAW

The California Pedigree Law is now part of the California Business and Professions Code.  There are a number of resources that the California Board of Pharmacy provides to help you study and interpret the code.  Unfortunately all of the material on their website is a little out-of-date, but it still has some value.

• A page containing a copy of the pertinent text from the California Business and Professions Code.  The text on this page is the way the regulations were prior to the most recent modification of the law that pushed the effective date out to 2015-1017.  Most of it is still accurate.
• A draft of a PDF called “Questions and Answers Relating to the Electronic Prescription Drug Pedigree Law”.  Dated January 2008 please note that this document was written for the regulation as it existed prior to the last modification that pushed the effective date out to 2015-2017.  It is still a useful guide to the Board of Pharmacy’s interpretation of the law except when related to the effective dates and perhaps some of the exceptions to the law;
• A PDF called “Background and Summary of the California ePedigree Law”.  The document doesn’t have a date but it is obviously describing the law as it was prior to the latest revision that pushed the effective date to 2015-2017.  It is still useful because it provides some of the history leading up to that revision.

It would be nice if the Board would update these resources now that people are beginning to pay more attention to the current deadlines and are preparing for compliance.

To read the actual text of the current California Business and Professions Code click here and then search for the word “pedigree”, then click on the sections where your search finds that word.  That should take you to the actual text of those sections of the Code.  Now search for key words related to pedigrees.

I have written about the California Pedigree Law in the past.  You might find these essays of interest.  Click here for a list of RxTrace essays that contain references to it.  Dr. Adam Fein of Pembroke Consulting has written frequently about pedigree in general including the California Pedigree Law over the last 5 years or so.  Click here for a list of his DrugChannels blog essays about Pedigree.

THE CALIFORNIA CODE THAT IS PERTINENT TO THE TECHNICAL IMPLEMENTATION AIMED AT COMPLIANCE

First, what constitutes “a pedigree” under California Law?

Section 4034.

(a) “Pedigree” means a record, in electronic form, containing information regarding each transaction resulting in a change of ownership of a given dangerous drug, from sale by a manufacturer, through acquisition and sale by one or more wholesalers, manufacturers, repackagers, or pharmacies, until final sale to a pharmacy or other person furnishing, administering, or dispensing the dangerous drug. The pedigree shall be created and maintained in an interoperable electronic system, ensuring compatibility throughout all stages of distribution.

(b) A pedigree shall include all of the following information:

(1) The source of the dangerous drug, including the name, the federal manufacturer’s registration number or a state license number as determined by the board, and principal address of the source.

(2) The trade or generic name of the dangerous drug, the quantity of the dangerous drug, its dosage form and strength, the date of the transaction, the sales invoice number or, if not immediately available, a customer-specific shipping reference number linked to the sales invoice number, the container size, the number of containers, the expiration dates, and the lot numbers.

(3) The business name, address, and the federal manufacturer’s registration number or a state license number as determined by the board, of each owner of the dangerous drug,  and the dangerous drug shipping information, including the name and address of each person certifying delivery or receipt of the dangerous drug.

(4) A certification under penalty of perjury from a responsible party of the source of the dangerous drug that the information contained in the pedigree is true and accurate.

(5) The unique identification number described in subdivision (i).

(c) A single pedigree shall include every change of ownership of a given dangerous drug from its initial manufacture through to its final transaction to a pharmacy or other person for furnishing, administering, or dispensing the drug, regardless of repackaging or assignment of another National Drug Code (NDC) Directory number.

Dangerous drugs that are repackaged shall be serialized by the repackager and a pedigree shall be provided that references the pedigree of the original package or packages provided by the manufacturer.

[…]

The key to my argument is that all of this information (I’ve highlighted it for you above) must be present in “a record” or it isn’t a valid “Pedigree” according to this part of the Code.  A “single pedigree” must include information about every change of ownership of a given drug or it’s not a valid pedigree.

We only need parts of one more section to be able to determine why EPCIS by itself won’t work for California pedigree.  That’s section 4163.  I’m leaving out parts that aren’t needed for my argument, including the exceptions, so feel free to review the entire section to convince yourself that I haven’t bent anything to benefit my case:

Section 4163.

[…]

(c) […] commencing on July 1, 2016, a wholesaler or repackager may not sell, trade, or transfer a dangerous drug at wholesale without providing a pedigree.

(d) […] commencing on July 1, 2016, a wholesaler or repackager may not acquire a dangerous drug without receiving a pedigree.

(e) […] commencing on July 1, 2017, a pharmacy may not sell, trade, or transfer a dangerous drug at wholesale without providing a pedigree.

(f) […] commencing on July 1, 2017, a pharmacy may not acquire a dangerous drug without receiving a pedigree.

(g) […] commencing on July 1, 2017, a pharmacy warehouse may not acquire a dangerous drug without receiving a pedigree.

[…]

So once the law goes into effect, wholesalers, repackagers and pharmacies cannot sell, trade or transfer a drug without providing the buyer with “a pedigree”, and, separately, wholesalers, repackagers and pharmacies cannot buy a drug without receiving “a pedigree” from the seller.  Notice that this obligates both the buyer and seller independently.  If “a pedigree” isn’t provided with the transaction, both buyer and seller are breaking the law.

HOW EPCIS WAS DESIGNED TO WORK

EPCIS was designed to be used to implement a distributed network of repositories that each contain records describing the WHO, WHAT, WHEN and WHY of supply chain events that occur as serialized products move through a supply chain.  The original vision of EPCIS as applied to the U.S. pharmaceutical supply chain would expect each pharma manufacturer, each distributor and each pharmacy to have their own event repository that conforms to the EPCIS specification.

In their repositories, these companies would save records—or, events—that describe all of the serial number-based events that would occur while the drugs were under their control.  That is, the manufacturer’s repository would hold all of the events related to each drug package that occurred during manufacturing through shipment to the their customer, but it would not hold any of the events that occurred on the properties of downstream owners of those drugs.  Likewise, the distributor who bought the drugs from the manufacturer would typically hold only the events for those drugs from the point of receipt from the manufacturer through their own shipment to their customer.  And so on down the supply chain.

APPLYING BASIC EPCIS TO THE BASIC PEDIGREE PROBLEM

To get a full “trace”, or “supply chain history”, of a given package of a drug you would need to query each of the EPCIS repositories of all previous owners back to and including the manufacturer.  This “trace report” that would result would be a good example of a “chain of custody” report, but it would fall short of what California calls “a pedigree”.  It may be a valid pedigree in other jurisdictions under different laws but in California it would be missing the following necessary data elements from their definition:

• “Name”, “registration number or a state license number and principle address of the source”
  These data elements would be missing because, by definition, EPCIS makes use of Supply Chain Master Data (SCMD) references to save space.  Instead of the explicit information called out in the law the trace records produced by EPCIS queries would contain GS1 Global Location Numbers (GLNs) which are 13-digit numbers that are supposed to represent most of this data.  That representation is defined by the owner of the GLN and they are under no obligation to maintain it or to ensure that the data has a single, fixed association with the GLN.
• “Trade or generic name”, “dosage form”, “strength”, and “container size”
  These data elements would be missing because, like its use of GLN’s, EPCIS is designed to also use SCMD references for product data to save space.  In place of this data, each event would include only a GS1 Global Trade Item Number (GTIN) which is a 14-digit number that is supposed to represent most of that product data.  The manufacturer of the drug owns the relationship between the GTIN and the associated product data, but they are under no obligation to ensure there is only one, unchanging set of product data associated with that number.
• “Business name”, “address”, “federal manufacturer’s registration number or a state license number”…”of each owner” of the drug, including the “name” and “address of each person certifying delivery or receipt” of the drug
  Again, EPCIS events would hold a representation of this information as a set of GLN’s to save space.  The actual data would only be implied.
• “A certification under penalty of perjury from a responsible party of the source of the dangerous drug that the information contained in the pedigree is true and accurate”
  The EPCIS standard doesn’t define anything like this kind of data.
• “A single pedigree shall include every change of ownership…”
  The chain of custody report that is built as the result of the set of queries mentioned above would be a set of records that would need to be interpreted and the information combined into a single record.  But this would only be possible if the current owner knows who to query and then only if all of the previous owners of the drug were willing and technically able to reply at that particular moment with their contribution of the events they hold about that particular drug.

That’s a lot of missing information.  It may seem like the EPCIS standard is so far away from what the law calls for that it is hopeless to expect it to ever work.  Not quite.  EPCIS has an important feature that is intended to allow users to extend its operation in multiple ways.  This feature allows EPCIS to be shaped into solutions that can fit problems much more flexibly than previous general purpose systems might have in the past.  Can this extensibility feature address all of the missing information in some way and turn the chain of custody report into a compliant pedigree?  Perhaps.  I will consider that possibility in future essays in this series.  But first…

ENTER THE GS1 US HEALTHCARE 2015 READINESS PROGRAM

GS1 US saw these problems with EPCIS a number of years ago.  Since that time their Healthcare Traceability group has been working on potential solutions to some of the problems I listed above.  I can’t write about exactly how they propose to do that because they have policies that prevent the disclosure of that kind of internal information.  However, it appears that GS1 US is just about to make that kind of information public themselves in the next few weeks.  As soon as they do I will pick up this topic again and explain how their ideas might or might not address this list of deficiencies.

WHAT ABOUT GS1 (GLOBAL) HEALTHCARE?

That’s a good question.  That organization has been busy working on pedigree-related ideas as well, though at a global level, and, not coincidentally, they too are about to make public their latest thoughts on how to use the EPCIS standard for network-centric ePedigree applications.  Although their work is intentionally not aimed at meeting the exact requirements of the California law (because it is a global effort), their work does beg for an explanation of how it might fit if those ideas were applied in that State Law.  This release of information will probably occur in the next few weeks as well.  So we will shortly have lots of ideas in the public domain that we can discuss and analyze.  In fact, I hope we are not overwhelmed!

WILL ANY OF THIS MAKE ANY DIFFERENCE AT ALL?

Another great question.  In fact, it may all become moot, because a new federal pedigree bill was apparently introduced into the U.S. Congress a couple of weeks ago by Representative Jim Matheson [D-UT].  If that bill, or some modified version of it eventually makes it out of committee and then passes both Houses of Congress and then if the President signs it, it would almost certainly pre-empt the California Pedigree Law.  In that case, we will all shift our attention to the peculiarities of the Federal regulation and the likely FDA guidance that would certainly follow.

However, it is very hard to estimate the likelihood that this, or other bills like it in the future, will pass.  Similar bills introduced in past sessions have not made it out of committee.  So until one of these bills make it through the entire process, it makes the most sense to keep our eyes on the realities of the California requirements.

Stay tuned for Part 2 as soon as the GS1 US and GS1 (global) documents are made public.

Dirk.

For Part 2 in this series, see “Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 2“.