The U.S. Food and Drug Administration (FDA) published their “Standardized Numerical Identification (SNI) for Prescription Drug Packages – Final Guidance” document almost two years ago (see my essay “FDA Aligns with GS1 SGTIN For SNDC” from back then).  The guidance was published as purely non-binding recommendations that reflected the Agency’s current thinking, but in my opinion it is a nice piece of work and can be used as a practical guide, as far as it goes, for implementing drug serialization programs today.

Why is that?  It’s because drug manufacturers and repackagers need to serialize all of their prescription drugs that enter the state of California in 2015/2016.  Can those companies make use of the FDA’s SNI guidance to comply with the serialization requirements of the California Pedigree Law?  I will answer that question in this essay, but first…

A REVIEW OF THE FDA SNI GUIDANCE

According to the FDA, an “SNI” is a unique identifier that is attached to a prescription drug by the original manufacturer.  Presumably “unique” means unique within the United States.  Specifically, an SNI is either a “serialized National Drug Code (sNDC)” or one of the existing recognized standards for identifying and labeling certain blood and blood components and certain minimally manipulated human cells, tissues and cellular and tissue-based products (HCT/Ps) which do not currently use NDC numbers.  The guidance document mentions only ISBT 128 for this latter class of SNI and implies that there may be others.  Apparently those standards always result in a unique identification number for each product package.  The important thing to realize is that an the sNDC is only one type of SNI but it is the kind that should be used on any prescription drug product that has been assigned an NDC.  In this essay I am only going to discuss the sNDC type of SNI.

The FDA defines the sNDC as being composed of the drug’s 10-digit NDC plus an alphanumeric serial number that can be up to 20 characters long.  The guidance applies to prescription drugs only so Over-The-Counter (OTC) drugs that are identified by an NDC apparently aren’t covered.  But since the guidance is non-binding anyway this distinction isn’t really significant.  Perhaps it will if the SNI guidance ever becomes a required regulation.

Example of the components of an sNDC borrowed from the FDA SNI Guidance document. March 2010. Click image to enlarge.

The SNI guidance document itself defines the SNI “for package-level identification only”, but it also makes it clear that SNIs can also exist for levels other than the package-level, like cases and pallets.  It’s just that this guidance document doesn’t cover those.  The FDA defines the “package-level” this way:

“…the smallest unit placed into interstate commerce by the manufacturer or the repackager that is intended by that manufacturer or repackager, as applicable, for individual sale to the pharmacy or other dispenser of the drug product.”

Repackagers that break the manufacturer’s package down and repackages the contents in any way must apply a new and unique SNI to the new package-level and that new SNI must be linked (in some unspecified way that I assume is a database) back to the manufacturer’s original SNI.  The guidance document contains an excellent example of a package of six drug-filled syringes that would be the lowest packaging level that the hypothetical manufacturer intended pharmacies or other dispensers to buy, but is then repackaged by another hypothetical party acting as a repackager into single syringe packages for sale to pharmacies or other dispensers.

The original hypothetical manufacturer would only need to assign an SNI to the package of six drug-filled syringes since it does not intend the syringes for individual sale.  However, the hypothetical repackager would need to assign each drug-filled syringe its own unique SNI and link those six SNI’s to the original manufacturer’s SNI that was assigned to the specific package of six that the individual packages came from.  If you repackage drugs you should study the example in the FDA SNI guidance document.  Of course, since this guidance is not binding the FDA isn’t saying that you have to do this today.

The FDA recommends that the SNI should generally “…be applied to each package in both human-readable and machine-readable forms.”  However, the FDA guidance document explicitly states that “…at this time, FDA is not specifying the means of incorporating the SNI onto the package.”  But it goes on to say that “The SNIs described in this guidance are compatible with, and flexible for, encoding into a variety of machine-readable forms of data carriers, such as 2-dimensional bar codes and radio-frequency identification (RFID)…”.  The document also explicitly doesn’t specify a location on the package where the SNI should be placed, but it does say that any human-readable form could be printed “…in a non-contiguous manner…” from the existing NDC printed on the package.

THE RELATIONSHIP BETWEEN sNDC AND GS1 sGTIN

Finally, the guidance document points out that the sNDC “…is compatible with, and may be presented within, a [GS1] GTIN…”.  GTIN is a GS1 standard for general product/service class-level identification and the letters stand for “Global Trade Item Number” (see my essays “Anatomy of a GTIN” and “Depicting An NDC Within a GTIN”).  It is quite clear that what the FDA meant to say is that the sNDC can be depicted as a serialized GS1 GTIN, or “sGTIN”.  It does not say that an sGTIN is the only way to depict an sNDC or that you must depict it that way, it simply says that it may be presented that way.

The document doesn’t identify any other way to do it but I’m pretty confident you could present an sNDC using HIBCC standards too if you wanted to.  HIBCC product identification standards are very rare in the U.S. pharmaceutical supply chain (they are much more common in the medical devices supply chain) so I’m not covering them in this essay.  For more on HIBCC standards click here.

CAN THE sNDC BE USED TO COMPLY WITH THE CALIFORNIA SERIALIZATION REQUIREMENT?

This question is frequently asked these days.  Fortunately the answer is definitively “yes” in my opinion.  You should read the source documents to convince yourself one way or the other, but here is my logic.

The text of the California pedigree law says that each drug package distributed within the state must have a “unique identification number” attached to it.  Presumable “unique” here means unique within the state of California.  The law doesn’t specify any specific characteristics of the identifier itself other than its uniqueness and that it be “…contained within a standardized nonproprietary data format and architecture, that is uniformly used by manufacturers, wholesalers, and pharmacies…“.  The FDA sNDC is a “unique identification number” and by definition it must be unique, presumably within the U.S., and it is a standardized nonproprietary data format and architecture and it is certainly capable of being uniformly used by all parties in the U.S. pharma supply chain, which fulfills the California requirement.

The language in the California law and the Questions and Answers about the law that was published by the California Board of Pharmacy in 2008 regarding who must apply a unique identifier, to what and when it must be done is comparable to the language in the FDA’s SNI guidance.  This includes the definition of the “package-level” and the need for a unique identifier attached to repackaged drugs and how that identifier must be linked to the original manufacturers unique identifier.  Of course, the language in the California documents was available to the FDA when they were constructing their language.

So far I haven’t found a single significant difference in characteristics of the unique identifier defined by California and the sNDC defined by the FDA.  This leads me to conclude that California will very likely accept the use of unique identifiers that conform to the FDA sNDC guidance for compliance with the serialization requirements of their pedigree law.  It also makes perfect sense that they would.  Again, that’s my opinion.  You form your own.

DEPICTING AN sNDC IN A BARCODE USING GS1 GTIN PLUS SERIAL NUMBER

OK, so you agree with me and you want to print an FDA-compliant sNDC on your drug packages within a machine-readable barcode using GS1 standards in advance of the compliance dates for the California pedigree law.  The way to do it is to make use of “The GS1 System”.  Here I’m referring to the GS1 Application Identifier standard and certain barcode symbologies that are documented fully in the GS1 General Specification. Search for this specification on the internet or contact your local GS1 Member Organization (MO) to obtain a copy.

The GS1 System Application Identifier standard defines a way of encoding multiple pieces of information within a string of characters in an exact way so that a reader can extract them back into their original decomposed form.  There are lots of Application Identifiers (AI) covering a wide spectrum of data types needed in a supply chain context.  An AI is a two-to-four-digit code that identifies the type of data that follows it in an “element string”.  In our particular instance, we are interested in just two AIs: one for the GTIN (AI=”01”) and one for the serial number that is associated with that GTIN (AI=”21”).

A GTIN element string is always 14 digits long when it is depicted using AI “01”.  Remember that the FDA defined their serial number as being up to 20 alphanumeric characters.  That means that it is a variable length value ranging from 1 to 20 characters.  It is a happy coincidence that GS1 defines their serial number element string for AI “21″ in exactly the same way!  Well, in fact, the FDA made the decision to specifically align their definition with that of GS1’s existing AI “21″ definition so that there wouldn’t be any conflict if people chose to use GS1 standards to implement the sNDC.

If we put together the technique I described in my essay “Depicting An NDC Within a GTIN” with the information above, we get the following shortcut for the GS1 string of elements that depict an sNDC:

sNDC to GS1 string of elements shortcut. Click image to enlarge.

Now all we need to do is encode this string of characters into one of the GS1 barcode symbologies that accommodate a GS1 string of elements.  These include GS1-128 and DataBar for linear barcodes and GS1 DataMatrix for 2D barcodes.  See the GS1 General Specification for details on how to properly construct these barcodes.

(NOTE:  According to the HDMA only a subset of the possible DataBar family of symbologies should be used on pharmaceuticals in the U.S. supply chain and they should only be used on products that are very tiny.  See my recent essay “Updated HDMA Barcode Guidance: A Must Read”.)

To construct the human readable string for an sNDC that is encoded in a GS1 string of elements you may insert spaces between the end of the GTIN and the “21” and you may set off the AIs by wrapping them in parentheses.  These “decorations” are commonly used to help make these long numbers more readable and they should never be included in the string that is encoded in the barcode.

Here is an example GS1 string of elements that uses the same data that the FDA included for an example sNDC in their guidance document (shown in the image above).  In their example they used a fictitious NDC of 55555 666 77 and a serial number of 11111111111111111111.  Applying the shortcut technique I show above the GS1 string of elements would be:

sNDC example from the FDA Guidance document encoded into a GS1 string of elements. Click image to enlarge.

The string that would be used to encode the GS1 barcode would be:

010355555666772111111111111111111111

and the human readable to be printed on the drug package might look like this:

(01) 03 55555 666 77 (21) 11111111111111111111

Notice the extra decorations I included in the human readable that are not included in the string that is encoded in the barcode.

DEPICTING AN sNDC IN AN RFID TAG USING GS1 sGTIN

In a departure from the GS1 General Specification, GS1’s RFID tag standards do not make use of AI’s when encoding an sGTIN for product identification.  In fact, in their RFID standards the concept of a GTIN and a serial number are merged together to produce a single indivisible  identifier they explicitly call a Serialized Global Trade Item Number, or SGTIN (see the GS1 Tag Data Standard for the details).

A full explanation of how to encode an SGTIN within a GS1 RFID tag is more complex than the barcode explanation above and it is beyond the scope of this essay (and of RxTrace, really) but you will find the GS1 Tag Data Standard document (now in revision 1.6) to be quite well written (see my essay “Masterpiece:  GS1 Tag Data Standard 1.5”).  And don’t miss my widely read essay “RFID Is DEAD…At Unit Level In Pharma”.

IMPLICATIONS OF THE sNDC SERIAL NUMBER DEFINITION

There are some surprising implications that result from the definition of a serial number in the way the FDA defines the sNDC.  I hope to cover those implications in a future essay.  Stay tuned.

Dirk.

In recent essays I have covered the “Anatomy of an NDC”, the “Anatomy of a GTIN” and the “Updated HDMA Bar Code Guidance: A Must Read“.  Now let’s put them all together.  Why would we need to do that?  Because the U.S. FDA requires many Over-The-Counter (OTC) and all prescription drugs marketed in the United States to have their National Drug Code (NDC) presented in the form of a linear barcode on the package.  Pure and simple.  To do that in a way that your trading partners can understand—that is, to do it interoperably—you need to follow a standard.  You have two realistic choices for standard approaches to this problem:  HIBCC or GS1.

The use of HIBCC standards is fairly common in the U.S. medical surgical devices supply chain but in the pharmaceutical supply chain it is very rare.  Most companies choose GS1’s barcode standards so that’s all I’m going to focus on in this essay.  If you want more information about how to do this with a HIBCC barcode find it here.

OVER-THE-COUNTER DRUGS:  GTIN-12

If your drug is sold over the counter (OTC), like aspirin and cold medications, the barcode on your packages will need to be scanned at point of sale (POS) terminals in the same way that any other consumer good is.  For that reason you need to put your National Drug Code (NDC) into a Universal Product Code (UPC) barcode in the United States.  A UPC-A barcode symbol contains a GS1 GTIN-12 data structure.  Here is what you need to do to convert your NDC into a GS1 GTIN-12:

1. Register your FDA Labeler Code with GS1 US who will convert it into a GS1 Company Prefix (GCP) and grant you the right to use it
   Recall from my previous essays that your FDA Labeler Code is either 4 or 5 digits long and a GCP can be anywhere from 6 to 10 digits depending on the fee you pay GS1 US when you register it.  In the case of FDA-regulated pharmaceuticals GS1 US will register a 4-digit FDA Labeler Code as a 6-digit GCP and a 5-digit FDA Labeler Code as a 7-digit GCP.  The reason is that they need to synchronize the length of the Item Reference portion of the resulting GTINs with the combined length of the Product Code and Package Size fields of your NDC.  This is to ensure that you are able to generate valid GTIN-based barcodes for every possible NDC that your Labeler Code enables you to generate.  You only need to register your FDA Labeler Code with GS1 US once as long as you keep up with the annual subscription fees so for subsequent drugs that use a Labeler Code that is already registered you can skip this step.  If you have multiple FDA Labeler Codes you need to register each one with GS1 US once.
   
   GS1 US has reserved GCPs that start with “03″ for owners of FDA Labeler Codes as shown in the following table.
   

   Click images to enlarge

2. From your new GS1 Company Prefix construct your U.P.C. Company Prefix
   Ah ha!  This is an esoteric step.  It is necessary because of the way GS1 merged the formerly North American-only Uniform Code Council’s (UCC) Universal Product Code (UPC) company prefixes with the European Article Numbering Association’s (EAN) European Article Number (EAN) company prefixes and made the whole combined scheme suitable for global company prefixes and yet retained backward compatibility with the UPC and EAN.  But you don’t have to follow any of that.  Here’s what you do.
   
   You take the GCP that GS1 US assigned you and you strip off the leftmost digit.  That digit is always going to end up being a zero because we are dealing with an FDA regulated pharmaceutical and GS1 US will make sure that it is a zero on your behalf.  The remaining digits make up your new U.P.C. Company Prefix, usable only for generating UPC-A barcodes  and a few other less common things (see the GS1 General Specification for what else you can do with a U.P.C. Company Prefix).  For an NDC that has a 4-digit Labeler Code your U.P.C. Company Prefix will now start with a “3” and it will be 5 total digits long.  For an NDC that has a 5-digit Labeler Code your U.P.C. Company Prefix will now start with a “3” and it will be 6 total digits long as shown below.
   

   Click images to enlarge

3. Combine your U.P.C. Company Prefix with the Product Code and Package Size fields from your NDC
   For an NDC that has a 4-digit Labeler Code your Product Code and Package Size fields will be a total of 6 digits long.  Combine them with the GS1 U.P.C Company Prefix by placing them to the right of the prefix.  For an NDC that has a 5-digit Labeler Code your Product Code and Package Size fields will be a total of 5 digits long.  Combine them with the GS1 U.P.C. Company Prefix by placing them to the right of the prefix.  You should now have a total of 11 digits regardless of the length of your Labeler Code as shown in the table below.
   

   Click images to enlarge

4. Calculate the Check Digit and add it to complete your GTIN-12
   GS1 provides an algorithm to calculate the Check Digit in section 7.2.7 of the GS1 General Specification.  They also provide a handy calculator at this webpage(although where they say to enter the “Item Reference”, they really mean for you to enter the full prefix and item reference together).  Add check digit to the right of the code constructed in step 3.  You should now have a 12-digit code as shown below.  This is the GTIN-12 that can be encoded into a UPC-A barcode and printed on your product.
   

   Click images to enlarge

If you look closely at the table above you may see a short-cut that would get you directly to your GTIN-12.  All you need to do is take your 10-digit NDC and put a “3” in front of it and put a calculated check digit at the end as shown in the following table.

Click on images to enlarge

It is true that you can get there this way but then you might be tempted to skip step #1 and not obtain your official GCP.  As I understand it, since GS1 owns a copyright on the UPC family of barcode symbologies they could make a claim against your company if you encode your NDC into the copyrighted UPC-A symbology without first registering your FDA Labeler Code with them and paying whatever fee they place on that.  Talk to GS1 US to get the full story for your particular situation.  On the other hand, if you have already registered your Labeler Code with GS1 US then this short-cut should always produce your GTIN-12 for subsequent products that share the same FDA Labeler Code.

PRESCRIPTION DRUGS:  GTIN-14

Any drug distributed in the U.S. that is regulated by the FDA as a prescription drug must be dispensed by a registered pharmacist.  In that case it will not be scanned at a retail POS station.  For that reason you do not need to encode your NDC within a GTIN-12 but should encode it into a full GTIN-14.  GTIN-14s should also be used on all case labels whether OTC or prescription (see the HDMA Bar Code Guidance for details).  You can render a GS1 GTIN-14 identifier into a GS1-128, GS1 DataMatrix, or GS1 DataBar symbology depending on the application.

Here is what you need to do to properly convert your NDC into a GS1 GTIN-14 data structure:

1. Register your FDA Labeler Code with GS1 US who will convert it into a GS1 Company Prefix (GCP) and grant you the right to use it
   This is the same as step #1 for GTIN-12 above.
   
   
2. Combine your GS1 Company Prefix with the Product Code and Package Size fields from your NDC
   For an NDC that has a 4-digit Labeler Code your Product Code and Package Size fields will be a total of 6 digits long.  Combine them with the GS1 GS1 Company Prefix by placing them to the right of the prefix.  For an NDC that has a 5-digit Labeler Code your Product Code and Package Size fields will be a total of 5 digits long.  Combine them with the GS1 GS1 Company Prefix by placing them to the right of the prefix.  You should now have a total of 13 digits regardless of the length of your Labeler Code.
   
   
3. Calculate the Check Digit and add it to complete your GTIN-14
   GS1 provides an algorithm to calculate the Check Digit in section 7.2.7 of the GS1 General Specification.  They also provide a handy calculator at this webpage.  Add check digit to the right of the code constructed in step 2.  You should now have a 14-digit code.  This is the GTIN-14 that can be encoded into a GS1 Code-128, GS1 DataMatrix, or DataBar barcode and printed on your product or case.  (NOTE:  DataBar should only be used on packages that are too small to accept one of the other symbologies.  See the HDMA Bar Code Guidelines for details.)

Finally, if you have already registered your Labeler Code with GS1 US you can use the following short-cut to construct your subsequent GTIN-14s.

Click image to enlarge

The following figure summarizes the contents of all forms of the NDC for both GTIN-12 and GTIN-14 data structures.

Click images to enlarge

IMPLICATIONS

There is an important implication stemming from the use of GS1 identifiers and barcodes to encode and render your NDC that I think needs to be explained.  This applies to any company that already possesses a GCP that does not match their FDA Labeler Code.  I can think of two ways that this might happen:

1. Any company in the U.S. that distributes non-drug products and already obtained a GCP from GS1 US for those products,
2. Any drug manufacturer that is based outside of the United States and that already possesses a GCP that was issued by their local, non-U.S. GS1 Member Organization.

Neither of these types of GCP’s can be used to encode an NDC for distribution within the U.S.  That’s because these GCPs do not match your FDA issued Labeler Code.  Only GS1 US, the U.S.-based GS1 Member Organization, can issue you a GCP that is properly based on your Labeler Code.  So these companies should contact GS1 US to register their Labeler Code, whether the company is based in the U.S. or not.

Systems and their associated databases should always be designed to accommodate the full GTIN-14 even when the application may seem to only need to deal with GTIN-12′s.  See GS1′s position paper on this topic for more explanation.

There are a few more “Anatomy of…” essays I want to write including the FDA’s Standardized Numeric Identifier (SNI), and GS-128 in the U.S. Pharma supply chain.  Watch for those essays in the near future.

Dirk.

2012 is the year of the GTIN in the U.S. healthcare supply chains as christened by the largest hospital group purchasing organizations (GPOs) in their so-called “Sunrise 2012″ program.  They have asked all of their suppliers to switch from proprietary product codes to GS1’s Global Trade Item Number (GTIN) standard in catalogs, B2B communications and shipment labeling by the end of this year.  They did the same thing with GS1’s Global Location Number (GLN) back in 2010 (“Sunrise 2010″) but so far it appears to have had only a small (but still growing) impact.

The GTIN can be a mysterious concept.  I received an email recently from a sales person who wanted to know what this “G-ten” thing was that her customer kept claiming was so important to her future business with them.  I’ve also sometimes had difficulty convincing people that GTIN adoption is important.  “We don’t need another product identifier.  We already have the NDC!”

I hope to pull back the veil just a little bit and explain not only the anatomy of the GTIN but also why it is so important to all supply chains in all regions of the world.

WHAT EXACTLY IS A GTIN?

GS1 explains the GTIN this way:

“As the name implies, the GTIN helps automate the trading process – basically buying and selling.  GTINs are therefore assigned to any item (product or service) that may be priced, or ordered, or invoiced at any point in any supply chain.  The GTIN is then used to retrieve pre-defined information about the item.  The key benefit is that information about the item can be retrieved about the product from the GTIN whether it is read in a GS1 BarCodes symbol, exchanged via a GS1 eCom message or accessed from the Global Data Synchronisation Network.”

Hmmm…Let me try.  First, a “Trade Item” is any product or service that may be manufactured, priced, advertised, bought, sold, traded, invoiced, returned or consumed within a commercial supply chain.  GTIN (Global Trade Item Number) is a GS1 standard that defines the structure and usage rules for a numeric identifier that can be assigned to a very specific, idealized description of a “trade item” and which can then be used in any part of the world to refer to instances of trade items that conform to that description.

For another attempt at a definition, see the one on Wikipedia here.

In everyday usage “a GTIN” is the number that is encoded into the product barcodes found on pretty much every product you can find in any store.  In the U.S. you know it as the UPC, or Universal Product Code, a 12-digit number (and technically known as a GTIN-12).  In the E.U. you know it as the EAN, or European Article Number, a 13-digit number (and technically known as a GTIN-13).  The GTIN-12 and GTIN-13 are “retail” GTINs.  That is, these are the GTINs placed on products that are typically sold through a retail Point of Sale (POS) station (a store checkout counter).  This includes most over the counter (OTC), non-prescription drugs.

Today, nearly all OTC drugs and many prescription drugs in the U.S. supply chain are marked with a National Drug Code (NDC) or a Universal Product Code (U.P.C.) that is encoded in a GTIN-12 data structure and rendered on the package in a UPC-A barcode.  Non-retail products like those that are typically sold only B2B (business to business) (GS1 refers to these as “Trade Items Intended for General Distribution Scanning Only”)—including prescription pharmaceuticals—should be assigned a 14-digit GTIN (technically known as a GTIN-14).

You may yawn, but this is powerful stuff if you can get everyone on the bandwagon.  The GPOs in the U.S. and GS1 plan to do just that.

The most important aspect of the GTIN standard is that when one is properly assigned to a given product or service it is globally unique.  That means that no other product or service anywhere in the world can ever be assigned that same GTIN so that number can be used anywhere and everywhere to refer to that specific type of product or service.  This eliminates product code ambiguity globally.

Another important feature is that the GTIN standard is applied in the same way regardless of product type, service type or supply chain.  The same rules apply to all GTIN identifiers.  These rules are defined in GS1’s General Specification—the specification of “The GS1 System”, of which GTIN is just one part.  See also “GS1 GTIN Allocation Rules for Healthcare” for some of these rules in a healthcare context.  (For a great non-technical explanation of “The GS1 System” of standards, check out this great PDF:  “The Value and Benefits of the GS1 System of Standards”.)

ANATOMY OF A GTIN-14

I mentioned above that a GTIN can take form in 12, 13 or 14 digits (it can also take the form of an 8-digit value but that’s very rare in healthcare), but since my focus is primarily in the B2B healthcare supply chains I’m only going to concentrate on the 14-digit form in this essay.  This is the only form that will fit into barcodes that make use of GS1 Application Identifiers (AI) (like GS1-128 linear barcodes and GS1 DataMatrix 2D barcodes) although the other forms can always be converted into the 14-digit form (by padding with zero[s] on the left).  Note that OTC drugs at the unit-level cannot make use of the GTIN-14 structure, AIs or the barcodes that carry them because they need to be scanned at POS.

There are four components that make up a GTIN-14 and they appear in this order:

• Indicator Digit
  This digit only appears in the GTIN-14 and is primarily used to indicate standard groupings (inner pack, case, pallet, etc.) of packages of the same GTIN using values 1 through 9.  A zero indicates that the GTIN is representing a single unit.  For products where the actual units sold can be a variable measure (weight, size, volume, etc.) the indicator digit should be set to 9.  Indicator values 1 through 8 have no specific standard meaning other than that they indicate a grouping.  That is, there are no standard groupings that values 1 through 8 may indicate so you can’t assume any particular value means an inner pack, a case, a pallet or anything else.  Each company is free to choose any of these values to indicate any grouping they wish.
  
  
• GS1 Company Prefix (GCP)
  This is the variable length number that is assigned by the local GS1 Member Organization (MO) to the company that manufactures, packages or repackages the product that the GTIN represents.  This is the number that those companies must apply to GS1 for assignment.  In the U.S. the GCP ranges in length between 6 and 10 digits and the length partially determines its cost.  Shorter company prefixes cost less than longer ones (see Item Reference below for why this is so).
  
  Pharmaceutical companies who already possess an FDA Labeler Code (see my previous essay, “Anatomy Of The National Drug Code” for more on this) just need to register that code with GS1 US (the local GS1 MO in the United States) to obtain a license to use that same code as the basis for their GCP within the context of GS1’s copyrighted barcode, RFID, EDI, pedigree and track & trace standards.
  
  The GS1 Company Prefix is itself composed of a 1 to 3 digit GS1 Prefix which is assigned by the GS1 Global Office to each GS1 MO to ensure global uniqueness of all GCP-based GS1 keys (GS1 keys include GTIN, GLN, SSCC, GRAI, any EPC, GSRN, GIAI, GDTI, GSIN, etc.).  This prefix is sometimes incorrectly referred to as a “country code” although because MOs are fairly country-specific this is not too far off.  The remainder of the GCP—known as a Company Number—is assigned by the Local MO.  See the GS1 General Specification for more details.
  
  When a company is assigned a GCP by GS1 they are granted exclusive rights to use that prefix to construct any of the GS1 keys (see the list in the paragraph above) and use them in any way they see fit as long as it is within the rules established in the GS1 General Specification.  GS1 keys generated by the owner of the GCP do not need to be authorized, approved or registered with GS1.  There is no additional cost to generate new GS1 keys once a company obtains a GCP.
  
  GCPs are a company asset that should be addressed in any merger or divestiture strategy (see this topic in the GS1 General Specification).  GCP usage within a given company should ideally be controlled at a single point within an organization.  This generally isn’t an issue for smaller companies but multinational corporations should ensure that they have a strategy for centrally assigning and distributing GCP-based GS1 keys to their operations to ensure uniqueness and to ensure that the GCP resource is used to its maximum potential.
  
  Companies may obtain multiple GCPs from their local GS1 MO if they use up the available reference values in one or more GS1 keys.  They may also obtain additional GCPs (partly “used”) as the result of a merger with another company.
  
  Neither GS1 nor the MOs police adherence to any of their standards, but they carefully control the assignment of GCPs to always maintain global uniqueness.  As long as the GCP assignments are all globally unique, all of the keys generated by the owners of all GCPs will also be globally unique.  This is a very important design feature of the entire GS1 System.
  
  
• Item Reference
  The Item Reference is a variable length number that must be chosen by the owner of the GS1 Company Prefix and assigned to the specific description of a single product class.  This specific description must remain unchanged for the life of the GTIN (see the GS1 General Specifications for details and exceptions).  The combination of the owner’s GCP and the Item Reference must be exactly equal to 12 digits.  Since the length of the GCP is determined when it is obtained from the local MO, the length of the Item Reference must take up the remainder of the 12 digit space.
  
  For example, if company A obtains a 6-digit GCP, the Item Reference field within their GTIN-14′s must be 6 digits long (12 – 6 = 6).  If company B obtains a 10-digit GCP, their GTIN-14 Item References must be only 2 digits long (12 – 10 = 2).  From these two examples you can see that company A can identify up to 1,000,000 unique products or services but company B can only identify 100.
  
  There is a comparable limitation in the other GS1 keys.  Shorter GCPs result in more digit space available in the reference portion of the key which results in vastly more usable unique numbers (each extra digit represents an order of magnitude more unique values the owner can assign).  This is why GS1 charges more for the shorter GCPs than they do for longer ones and this provides a measure of affordability to smaller companies who will likely never need more than a small number of unique GTINs or other keys.
  
  
• Check Digit
  The Check Digit is a single digit that is mathematically calculated based on the contents of all of the other digits in the GTIN-14.  The purpose of the Check Digit is to help barcode readers and applications detect data entry errors.  See Section 7.10 of the GS1 General Specification for the algorithm.

EXAMPLE GTIN

Here is an example of a GTIN-14 that I found on an inner-pack of Epinephrine injectors.

Click image to enlarge. Image Copyright RxTrace 2012.

An “inner-pack” is a grouping of trade items and so we see the Indicator Digit is set to “1″, a valid value for a grouping.  We can’t tell by looking at this example exactly how long the GCP is because it could be anywhere from 6 digits to 10 digits long.  Fortunately GS1 provides a service they call Global Electronic Party Information Registry, or GEPIR.  If we select “Search by GTIN”, enter ’10304094921348′ and click “Search”, we are told that this GTIN contains a 6-digit GCP of ’030409′ and it is registered to Hospira, Inc. in Lake Forest, Illinois.  Now we know that the Item Reference that Hospira happened to choose for this GTIN must be ’492134′.  The Check Digit is calculated based on all of the previous digits as “8″.

This particular inner-pack contained about 10 or 12 unit-level packages that were shrink-wrapped together and labeled with the GTIN-14 above.  Each of the units contained a barcode with the unit-level GTIN-14 encoded in it.  It was exactly the same GTIN as the inner-pack except for the Indicator Digit which was correctly set to zero.  These were unit dose injectors.  There are probably about 4 inner-packs per casepack but I didn’t note that information.  The case GTIN would be exactly the same as the inner-pack and units except for the Indicator Digit which would have been been a value in the range of 2 to 8 to reflect that it is a standard grouping that is different than the inner-pack.

Normally we don’t need to deconstruct GTINs like this.  In fact the whole point of a GTIN is to use it as a single whole identifier and not to break it down into its constituent parts like we have done here but I wanted to show you how this one was intelligently constructed by Hospira, the owner of this particular GCP.

BENEFITS OF THE GTIN

The benefits of GTIN adoption by a supply chain are different between manufacturers and non-manufacturers (distributors, pharmacies and retailers).

Manufacturers gain because they can potentially use the same standard product/service identifier in multiple markets/countries.  Well, as long as the packaging doesn’t vary (same language, etc.) and there aren’t any regulatory reasons for using a different identifier (national numbering like the U.S FDA NDC, different units for the unit of measure, etc.).  Even when a different identifier is necessary for different markets/countries the manufacturer benefits from the use of a standardized identifier because modern Manufacturing Execution Systems (MES), Warehouse Management Systems (WMS),  Electronic Data Interchange (EDI) systems and Enterprise Resource Planning (ERP) systems should come with full GS1 System support built in (admittedly not all do yet).  This includes enforcement of many of the GS1 rules for dealing with GTINs and the other pertinent GCP-based identifiers.

Like manufacturers, non-manufacturers in the supply chain make use of WMS, EDI and ERP systems in addition to pharmacy management systems and  Hospital Materials Management Inventory Systems (HMMIS) that ought to have standardized GS1 System support built in.  These companies also benefit because they can trust that GTINs are globally unique and all product identifiers used by all of their suppliers refer to the same product or service and those identifiers are constructed using the same format.  This allows them to eliminate their own internal product codes for each manufacturer’s products and services, simplifying inventory management, sales, purchasing, order fulfillment, shipping, receiving and dispensing and thus reducing errors that generate waste and in the healthcare supply chain can cause injury or even death.  This is why the GPOs are so hot to make 2012 the year of the GTIN.

ADOPTION OF THE GTIN

Manufacturers of products or services can decide to unilaterally adopt the GS1 GTIN standard for all of their products and they can reap some small internal benefits from that decision as I’ve outlined above.  That may not offer enough of a gain to offset the cost of conversion from proprietary product identifiers.  The problem is, for the downstream trading partners to benefit from GTIN use, more than just one manufacturer has to switch to GTINs.  In fact, the benefits don’t start accruing to those companies until a significant number of manufacturers switch to GTINs, and until all manufacturers in a given supply chain switch to them the benefits do not reach their maximum potential.  For this reason, GTINs should be adopted by a supply chain as a whole and not just one company here and there.

How do you trigger a switch within an entire supply chain like that?  The GPOs may have it figured out.  Like Walmart in the fast-moving consumer goods (FMCG) supply chain and the big automakers in their supply chain, they have to start dictating the switch and they have to be hard-nosed about it.  Can the GPOs fill the role of the “800-pound gorilla” like Walmart and the automakers?  We’ll see.

There are some encouraging signs and some discouraging signs in the recently released results of a survey in a document called “GS1 Data Standards Adoption Survey, Progress toward Global Trade Item Numbers (GTINs), December 2011” conducted by the University of Arkansas Center for Innovation in Healthcare Logistics (CIHL) on behalf of the Healthcare Supply Chain Association (HSCA) (the industry association of GPOs, formerly HIGPA) and the Healthcare Industry Supply Chain Institute (HISCI).  I’ll have more to say about this paper and the results it documents in a future essay.

I’ll stop here for now.  Watch for future related essays on “Depicting an NDC Within a GTIN”, and “Anatomy of an SNI”.

I am going to attend the 2012 National Pharmacy Forum in Tampa on February 9th.  The full conference runs from the 8th through 10th and is co-hosted by HCSA and HISCI.  If you run into me there please introduce yourself and tell me what you like and don’t like about RxTrace.

Dirk.

In a long awaited and much anticipated move the Healthcare Distribution Management Association (HDMA) published updated guidance for the formatting, encoding and placement of barcodes in the U.S. pharmaceutical supply chain.  The document is called “HDMA Guidelines for Bar Coding in the Pharmaceutical Supply Chain 2011”.  The guidance is aimed mostly at pharma manufacturers and repackagers who place barcodes on their drug packages, cases and pallets.  The last time the guide was published was in 2005 and this new edition includes some significant changes that everyone in the supply chain who deals with product and shipping container labeling should be aware of.

The updated document can be downloaded from the HDMA Marketplace web page.  It is free to HDMA members.  Non-members will need to pay a fee but don’t let that stop you from downloading a copy if you have any responsibility for applying or reading barcodes in this supply chain because you will need to make changes to keep up with the direction of the technology and the industry.

Full disclosure:  I work for a company that is a member of HDMA and I contributed to the development of this updated guideline, but this essay is not a marketing pitch for the benefit of HDMA or my pride.  Rather it is to help generate alignment around a common approach within the supply chain.

HDMA GUIDELINES FOR BAR CODING IN THE PHARMACEUTICAL SUPPLY CHAIN

The guidelines provide the reader with the industry-specific information necessary to know how to apply GS1 and HIBCC standards in the U.S. pharmaceutical supply chain.  It provides an excellent discussion of barcode standards, including some history which I made use of in my recent RxTrace essay “Anatomy Of The National Drug Code”.  It explains how those standards should be applied to identify drugs at all levels of packaging as they move through the supply chain so that companies can maximize the benefits of barcode technology.  This edition provides expanded guidance on the implementation of 2D barcodes and RFID on packages and shipping containers.

For the first time the HDMA now “…recommends investing in imaging scanners capable of reading Data Matrix and linear codes whenever auto-id procurement needs are under consideration.”  This HDMA recommendation aligns well with GS1 Healthcare’s position as published in 2009.

Both of those recommendations make sense because we are now standing on the threshold between two barcode eras in the U.S. pharma supply chain:  linear in our rear-view and 2D in our forward-view.  Any investment in linear-only barcode reading and writing equipment now probably won’t reach the end of its full depreciation still in use.

Imaging equipment manufacturers have made great strides in the last decade in nearly matching the read performance of linear barcode readers and the prices have come down.  Linear readers will probably always be cheaper than imagers but you should consider this lower cost a reflection of the fact that they are now in the “discount bin” of obsolete technologies.

Linear codes are not dead yet, but I think we are going to see a fairly rapid transition to 2D barcodes in this industry with the approach of serialization regulatory mandates here and abroad.  See my RxTrace essay “SNI’s Are Not Enough In a Plateau-Based Supply Chain Security Approach“ for more on this.

The development of the HDMA guideline documents over the years have benefited by the contribution of George Wright IV, Vice-president of PIPS / Product Identification & Processing Systems, Inc.  George is an automatic identification and data capture (AIDC) industry veteran and I have found him to be a bottom-less well of technical and historical knowledge in this area.  Many sections in the HDMA guidelines have a depth and quality that come directly from George’s contribution.

CHANGES

If you think you already know how to properly format and print barcodes on drugs marketed and shipped in the U.S., you need this edition of the guidelines.  There are some significant differences from the way things have been done up to now.  The first section of the updated document is a Summary of Revisions.  Here is a partial list:

• Addition of a unique serial number in the GS1-128 product identification bar code to product case labels;
• Addition of an optional but recommended 2D GS1 DataMatrix bar code symbol to drug packages and product case labels;
• Removal of ITF-14 as a Primary Data Carrier (bar code) option for product case labels;
• Removal of AI(22) as a Secondary Data structure option on product case labels.  This is a major departure from the way things are done today because AI(22) currently appears on about 75% of all product cases in the U.S. pharma supply chain.  The document provides details on what AIs to use in place of AI(22) and how to arrange them;
• Reduction in the minimum X-dimension for GS1-128 symbols.  This move enables a slightly tighter linear barcode on case labels so that serial numbers can be added to them without blowing out the available space;
• Reduction in the minimum height for GS1-128 symbols on case labels.  Another move to free up precious real estate on case labels so that serial numbers will fit in the barcodes;
• A new HDMA recommendation for adding GS1 serial numbers to units and shipping containers;
• New information on standardized numerical identifiers (SNIs).

ENFORCEMENT?

The HDMA does not enforce compliance with their guidelines.  That is, if you don’t follow their guidelines no one from the HDMA will knock on your door or send you a cease and desist letter.  The same goes for GS1.  The U.S. FDA tightly regulates everything that appears on drug primary packaging—including the linear barcode that encodes the NDC—but they don’t regulate the contents of case-level product identification or shipping labels.  While the U.S. Drug Enforcement Administration (DEA) does place certain restrictions on the information that appears on shipping labels (and they will come knocking on your door if you fail to follow them) those are limited to controlled substances.

So who enforces compliance with the HDMA guidelines?  In reality no one does and that has led to a major missed opportunity for improved efficiency, accuracy and even profitability in the supply chain.  Unfortunately very few companies follow all of the HDMA guidelines closely and that causes downstream trading partners to miss out on the opportunity to maximize the use of product case barcodes in operations like receiving, inventory management, picking and shipping.  Barcodes are certainly used extensively in all of those processes today but case-level product identification labels cannot always be trusted because there is so much variance in compliance to both GS1 standards and HDMA guidelines.  If you can’t trust the data in the barcode you can’t achieve its promise to maximize efficiency and data capture accuracy.

Some pharma manufacturers take their product case labels very seriously and have a program to ensure that they comply with the standards and with HDMA’s guidance, even without any heavy-handed enforcement.  I applaud them.  But the truth is, the majority of companies seem to take a quick stab at producing the barcodes on their case labels and then ship them out.  If no one complains, they probably think they got lucky and got it right the first time.  In other supply chains that face intense price competition these kind of inaccuracies and waste are not tolerated.

I keep thinking that something will trigger closer attention to detail in the construction of case labels in the pharma supply chain.  Maybe this newly updated guideline from HDMA is just what we need.  Do you think it will have a positive impact?  Leave a comment below.

Dirk.

The U.S. Food and Drug Administration (FDA) created the concept of the National Drug Code (NDC) in 1969 to “…provide an identification system in computer language to permit automated processing of drug data by Government agencies, drug manufacturers and distributors, hospitals, and insurance companies” (from 34 FR 11157, July 2, 1969).  (I can’t find a copy online of the original Federal Register article from 1969 so I’m relying on a more recent article that references it.)   Those of us in the U.S. pharma supply chain make use of NDC’s every day, but very few of us know the history of their development, exactly how the numbers are composed and what they mean.  I’ll try to explain all of that and provide sources for further reading.

HISTORY OF THE NDC

The NDC was initially a voluntary identifier (see references at the end of this essay).  We all know how that would have turned out (for more on that thought, see my recent essay “Should Regulations Dictate Technology?“) so in 1972 the FDA made the NDC mandatory for all prescription and over-the-counter (OTC) drugs.  Manufacturers were required to obtain a “Labeler Code” from the FDA, construct their NDC’s using that code as the base and print the NDC number on drug packages.  Barcodes were not required by the FDA back then.

From the quote in the first paragraph above you can see that the FDA intended the NDC to be used among the full spectrum of users who needed to unambiguously refer to specific drugs.  I can’t imagine how inefficient it must have been to refer to a specific form, size and concentration of a particular drug in every step between manufacturer, patient and insurer before the advent of the NDC.  Even from the very start the FDA intended the NDC to help with automation using computers.  Computer automation leads to greater efficiencies and much greater data accuracy–just what was needed for the drug industry and supply chain to grow in the coming decades.

The FDA recognized in the early 1970′s the automation value of encoding the NDC into barcodes, but as I said, they didn’t require them.   However, barcodes were making a big splash in the grocery industry and soon after in the consumer products goods industry around that time because of the great gains experienced in checkout efficiency and inventory control.  The Uniform Grocery Code Council (UGCC) introduced the 12-digit Universal Product Code (UPC) identifier and barcode symbology in 1974 and it quickly became the standard for all products sold at checkout counters.  Chain stores of all kinds started putting maximum pressure on manufacturers to put a UPC barcode on every product they sold.

This led to an interesting collision of mandates.  The FDA had already mandated that OTC drugs be identified by their NDC.  The UGCC mandated that the “Company Prefix” portion of the Universal Product Code that was encoded in UPC barcodes be assigned by the UGCC.  Since OTC drugs were one of the products that were being sold by chain stores, pressure was put on the UGCC to find a way to accommodate the 10-digit NDC within the 12-digit UPC.

UGCC technical experts quickly came up with a way to do it.  They came up with the scheme of pre-pending the NDC with the digit ’3′ and then adding the standard UPC checksum at the end.  The UGCC had to commit to reserving all UPC’s with a ’3′ as the first digit for drug companies and they agreed to reserve the Company Prefixes for drug companies so that they matched the FDA’s Labeler Code.  OTC drug manufacturers now had a way to satisfy both mandates and many years later that approach continued to be used as manufacturers started to apply barcodes to non-OTC drug packages.

Around that time the UGCC became the Uniform Product Code Council (UPCC), then the Uniform Code Council (UCC) in 1984, and finally became GS1 U.S. in 2005.  All along the organization has been a privately held, non-profit, tax-exempt corporation.

While the printing of the human readable NDC on drug packages was mandatory the printing of a barcode on drugs was voluntary until only relatively recently.  The FDA published a final rule  in 2004 that mandated all drug packages have a linear barcode printed on them starting in 2006.  By 2004 roughly 90% of drug packages in the supply chain already had linear barcodes on them voluntarily.  It seems odd that it took the FDA so long to mandate such a valuable automation element when it seems like it could have mandated it much earlier with little justifiable complaint from the industry.  The final rule document contains a significant amount of discussion, explanation and documentation about the benefits of barcodes on drug packages, particularly around the benefits to patient safety.

THE ANATOMY OF THE NDC

The NDC is composed of three semi-fixed-length data fields:

• FDA Labeler Code
  This is a code that is assigned by the FDA to the manufacturer, packager (“labeler”) or repackager of the drug as part of an application process.
• Product Code
  This is a code that is selected by the owner of the FDA Labeler Code.  It represents the unique combination of the drug, the dosage form and strength that will be packaged by that owner.  While the code is assigned by the owner of the Labeler Code it must be registered with the FDA.
• Package Size
  This is a code that represents the package size or package grouping of the drug.

For a short time the NDC started out in 1969 as a 9-digit code.  Initially the Labeler Code was defined as 3 alphanumeric characters long–a fixed length–but was soon changed to 4 numeric digits bringing the full code to the full 10-digits we know today.  The product code was defined as a fixed 4 digits long and the package size took up the remaining 2 digits.  But Labeler Code assignment requests came it at an alarming rate and it apparently wasn’t slowing down as they started to approach 999 sequential code assignments.

A decision had to be made.  If they crossed the border and assigned Labeler Code 1000, the NDC would forever be limited to 4 digits with a maximum of 9,999 codes and they might run out someday.  They were already approaching 10% of that number.  But if they made the fields of the NDC semi-fixed length at either 4 or 5 digits, they could continue assigning codes until a theoretical maximum of 99,999 codes.

The FDA didn’t want to expand the NDC to 11 digits so they decided to remove one digit from either the Product Code or the Package Size fields.  Rather than picking one or the other they decided to leave that choice up to each owner of the new 5 digit Labeler Codes.  Those companies could choose to have only 3 digits for the Product Code and 2 for the Package Size (written as 5-3-2), or they could choose to have 4 digits for the Product Code and only one digit for the Package Size (written 5-4-1).  The decision is made by the owner and they must register their choice and stick with it for the life of the Labeler Code.

But there is a problem with this approach.  Given a 10-digit NDC that might have a 4-digit or a 5-digit Labeler Code there could be conflicts between the NDC’s of two different companies.  Two companies might end up generating the identical NDC for two different products.  To eliminate this potential problem they decided to never assign labeler codes 1000 through 9999 (actually there is no explicit rule published that the FDA is following this technical requirement but it appears that this is what they are doing for most new Labeler Codes).  This makes the actual maximum number of Labeler Codes available equal to 90,999…not a bad compromise.

This solution provides a well-defined rule that allows systems to easily figure out the length of the Labeler Code within a given 10-digit NDC number.  All NDCs assigned by companies who own a 4-digit Labeler Code will always have a zero in their leftmost position and all NDC’s assigned by companies who own a 5-digit Labeler Code always have a non-zero digit in their leftmost position.  But there is no easy way to figure out if the owner of a 5-digit Labeler Code is using the 5-3-2 form or the 5-4-1 form without looking it up in a database.

The Package Size field is an important field used to differentiate not only the various dosage form sizes of the packages that the manufacturer or repackager produces (i.e. 30-count, 60-count, 90-count), but also the casepack quantities of each of that same set of packages.  There are no standard values for the Package Size field so the values used for one manufacturer cannot be compared with those of another.  They are simply used to differentiate package sizes and groupings within a single product type causing considerable confusion to those who wish to make use of this field.

For example, Company A might choose to use the values ’30′, ’60′ and ’90′ to represent the Package Size codes for their 30, 60 and 90 count bottles of a given drug, and the values ’31′, 61′ and ’91′ to represent a single casepack quantity of 48 bottles for the 30 pill bottle, and 24 bottles for the 60 and 90 pill bottles.  Company B might have chosen the 5-4-1 form of the NDC so they are left with only a single digit to represent their Package Sizes and groupings.  They might choose values ’1′, ’2′, and ’3′ for their 30, 60 and 90 count bottles of a given drug, and the values ’6′, ’7′ and ’8′ to represent the single casepack quantity of 96 bottles of their 30-count bottle, 48 bottles of their 60-count bottle and 24 of their 90-count bottle.  Confused yet?

So what use is this Package Size field if there isn’t any standard?  It simply allows manufacturers and repackagers to create unique NDCs for each dosage form size and casepacks so that interested parties can use it to look up the other information in a database.  You can’t just look at an NDC and know exactly what it stands for unless you have some prior knowledge about the choices the manufacturer or repackager has made for that product.  A database lookup doesn’t care what values are chosen for each packaging level or grouping as long as they are each unique.

NCPDP STEPS IN TO REDUCE AMBIGUITY

The current design of the NDC results in a number of ambiguities that stem from the fact that the length of each of the three fields can be one of two values.  The National Council for Prescription Drug Programs (NCPDP) decided to fix the ambiguity to increase the accuracy of claims submission.  They saw that all you have to do to return to a fixed length set of fields is to add an eleventh digit.  The goal was to always end up with a 5-4-2 format for all NDC’s.  To all 4-digit labeler codes (4-4-2) they added a ’0′ on the left.  To any 3-digit Product Code fields (5-3-2) they added a ’0′ on the left.  To any 1 digit Package Size (5-4-1) they added a ’0′ on the left.  All of these resulted in a 5-4-2 format (11 total digits).

For their purposes I’m sure this works great.  But it introduces its own ambiguity when an 11-digit “pseudo-ndc” is offered where a 10-digit true NDC is needed.  Which zero is the extra zero?  You can’t always tell unless you know for a given NDC.  Incidentally, the FDA apparently doesn’t recognize the NCPDP 11-digit format so it is not a real NDC.  That’s why I’ve called it a “pseudo-ndc”.

UNIT DOSE/UNIT-OF-USE NDCs

There is one more thing I want to say about NDCs.  I think the FDA made a significant error in not defining the NDC in a way that requires all pharma manufacturers and repackagers to clearly identify which NDC is a unit dose or unit-of-use for each drug.  The NDC appears to have been conceived as a way for a manufacturer to assign a unique code for each type of package they make for a given drug.  Since most manufacturers currently do not produce packages that contain a single unit dose or unit-of-use there is theoretically no need for them to define an NDC for that level.  I am told that some manufacturers do define and register an NDC for this level even if they don’t package at that level, and the rest do not.

I imagine that this has caused serious heartburn for insurers and Pharmacy Benefit Managers (PBMs) who are probably given the NDC for the original manufacturer’s bottle that a prescription was filled from.  What does it mean for a pharmacist to claim that they filled a prescription with ’1′ of NDC 9999988882 (psuedo-ndc 99999888802 for claims submission) where that NDC describes a 30-count bottle?  Did the patient receive one 30-count bottle or did they receive a single pill that the pharmacist pulled from a 30-count bottle?  There must be some convention for limiting the ambiguity that this introduces.  Perhaps someone can leave a comment to explain what happens in this instance.

In my view all manufacturers and repackagers should always generate and register an NDC for a unit dose or unit-of-use.  Ideally you’d like to think that the Package Size values of either ’00′ or ’0′ would be reserved to indicate the unit dose or unit-of-use, but since it wasn’t defined that way you will probably have lots of drugs that assign those values to some multi-dose/-use package or even a casepack.  It would be too disruptive to force that kind of change on the industry now.

REFERENCES

Normally I provide links to all my references, but there are a couple of sources that I drew from for lots of this content and so I’d like to list them here:

• George Wright IV, Vice-president, PIPS / Product Identification & Processing Systems, Inc.
• “HDMA Guidelines for Bar Coding in the Pharmaceutical Products Supply Chain”, Healthcare Distribution Management Association (HDMA), 2005
• “History of the UPC Bar Code and The Uniform Code Council, Inc.“, by Rob Cummings, Cummings Design
• George Laurer, Inventor of the UPC

Please submit a comment if you have additional information, clarifications or corrections.

Dirk.

In the U.S. pharmaceutical supply chain this question becomes, should regulators—state legislatures, state Boards of Pharmacies, Congress or the FDA—mandate specific technology for serialization, ePedigree and other regulations?  This question arises whenever a new regulation is considered by any of these bodies or agencies.  It’s an important question now that the FDA is considering standards for ePedigree, Track & Trace and related things and I think there are some natural conclusions that can be drawn from past examples that lead to a potential answer.  Let’s review the history first.

EXAMPLE:  EXISTING ePEDIGREE LAWS

The language of the U.S. Prescription Drug Marketing Act (PDMA) specified the kind of data that must be in a compliant pedigree but it did not identify any particular technology to carry that information.  Of course, compared with today, what kind of technology was available back in 1987 when the PDMA was first introduced in the U.S. House of Representatives?  Is it a paper pedigree?  Can it be electronic?  What is the format?  Can GS1’s Drug Pedigree Messaging Standard (DPMS) be used to comply?  None of these questions are definitively answered in the Food and Drug Administration (FDA) documents I have seen.  Also missing is any recognition of the concept of “interoperability” and its importance to companies across the supply chain.

The Florida Pedigree Law was originally passed in 2003.  In the text of the law the word “pedigree” was always followed by the word “papers” as in:

“The information required to be included on a legend drug’s pedigree paper must at least detail the amount of the legend drug, its dosage form and strength, its lot numbers, the name and address of each owner of the legend drug and his or her signature, its shipping information, including the name and address of each person certifying delivery or receipt of the legend drug, and a certification that the recipient has authenticated the pedigree papers.”

It is a document-based pedigree law.  The Florida law allows the records to be stored and transmitted electronically but when the “pedigree papers” are presented to an inspector, they apparently expect them to be in paper form so electronic documents would need to be printed.  The Florida Law assigns the responsibility of creating a form for use as a valid paper pedigree to the Florida Department of Health (DoH)—the only “technology” identified in the law.  The DoH created a form for wholesalers and one for repackagers that companies have used successfully since 2006 when the law went into effect.

SIDEBAR:  Ever since the Florida DoH did a major redesign of their website in the last year or so they seem to have made the paper pedigree forms inaccessible.  If you know where to find them, please leave a comment with the URL below because people frequently search for them on RxTrace.  I haven’t been able to find them.

However, the law required the DoH to produce “rules” for the industry to follow and in these rules (see also these rules) the DoH specifies that an electronic pedigree must make use of a number of Federal Information Processing Standards (FIPS) regarding digital signatures and related technology.  This is a significant technology mandate that is highly specific, but it is optional since it is only required if the company wishes to produce electronic pedigrees rather than paper.

Can you use GS1’s DPMS to comply with the Florida law?  Neither the law nor the regulations say explicitly that you can but I happen to know that many companies have been doing just that since 2006.  The DPMS standard was created after the original laws were passed and it was specifically created to help companies comply with the document-based pedigree laws known at the time.  That included PDMA, Florida, California and the “normal distribution” pedigree laws in a number of other states.

The California Pedigree Law was first enacted in 2004.  It requires the application of “…a unique identification number…” on “…the smallest package or immediate container distributed by the manufacturer…” (see the full text for additional details).  Once again, no specific technology is identified but is left up to the industry to come up with.

The California law was the first pedigree law in the U.S. to specify that “…[a] pedigree shall be created and maintained in an interoperable electronic system, ensuring compatibility throughout all stages of distribution.”  This seemingly simple statement does two things.  First, a pedigree must be electronic.  Second, the system a pedigree is created and maintained in must be interoperable throughout the supply chain.  That is, all parties in the supply chain must be able to read, understand and update the pedigree, but it avoids identifying a particular technology for doing so.  The hope was apparently that the industry would get together and select the optimum technical approach.

How’s that going?  It doesn’t look good right now.  Rather than coalescing around a single, interoperable technical approach to ePedigree it seems like companies in the supply chain are fragmenting into several camps.  Carried to its logical conclusion we may yet find that a few large companies will eventually dictate what technology everyone else will be forced to adopt regardless of the investments those other companies might have already made, but that assumes that those “few large companies” can agree on a single technology.  We’ll see.

A MORE RECENT EXAMPLE:  FDA SNI GUIDANCE

Many in the industry actually prefer that regulatory entities avoid identifying specific technologies in their laws and regulations.  For example, during the comment collection phase of what eventually became the FDA Standardized Numeric Identifier (SNI) Guidance, the SecuringPharma article, “Stakeholders respond to FDA’s track-and-trace proposals”, paraphrased that sentiment in the part of the article that described the response from UPS Supply Chain Solutions:

“UPS Supply Chain Solutions contends that the FDA should not mandate any specific technology for track-and-trace, rather define the requirements, and that industry stakeholders should develop interoperable technology themselves”.

On the surface this seem very logical.  Ultimately the FDA did just that when they published their final guidance for the SNI and did not specify a particular carrier technology or mandate a specific standard, although they did identify the GS1 Serialized Global Trade Item Number (SGTIN) as an example of something that does conform to their guidance.

A COUNTER-EXAMPLE:  FDA BAR CODE GUIDANCE

But there is an example of a time when the FDA did mandate a specific data carrier on prescription drugs and I think it warrants a closer look.  Back in 2004 the FDA published their final bar code rule that required all prescription drugs distributed in the U.S. to have a linear barcode at the unit level.  The final rule took effect in 2006.  That rule did not specify a particular linear symbology, only that the barcode had to be linear.  The final rule itself includes a lengthy section of comments submitted as part of the proposed rule and the FDA’s responses.  In that section they pointed out that,

“[m]ost comments [received] argued against the use of linear bar codes or asked us to encompass other technologies or to eliminate any reference to linear bar codes in the final rule. Many comments claimed that the rule would discourage or inhibit technological innovation, although they differed as to their preferred alternatives to a linear bar code.”

The discussion included in the final rule is lengthy and contains an excellent analysis of the trade-offs between specifying a linear barcode, specifying a different data carrier or not specifying any technology at all.  Very well thought out, interesting reading and very pertinent to this topic.  I highly recommend reading it.

The document continues:

“After reviewing the comments, we have decided to retain the linear bar code requirement, but will consider revising the rule to accommodate newer technologies as they become more mature and established.”

Apparently, that time has come.  Last month the FDA published a new request for comments (RFC) to determine if they should revise the 2004 Bar Code Final Rule by specifically reconsidering the “linear bar code” requirement.  Initial comments must be received by January 9, 2012 and reply comments by February 23, 2012.  According to the RFC…

“FDA is requesting comments and supporting information on (1) bar code labeling standards for drugs and biological products and (2) the identification of current alternative technologies for use by industry and others.”

The remainder of the RFC includes a list of specific questions that are designed to help facilitate more unified responses.

SHOULD REGULATIONS DICTATE TECHNOLOGY?

In my view the original FDA Bar Code Final Rule of 2004 did the right thing in specifying linear barcode technology, but my reasoning is slightly different from those that the FDA listed in that document.  The real value to the industry in the FDA’s mandate was that the technology was fixed on a well-know, well-established and sufficient technology for the time which led to significant efficiencies in the handling of this product in the supply chain.

In this instance I think it is laughable to think that the FDA’s mandate would stifle technical innovation as some did back then.  What that “technical innovation” would have led to if that argument had been embraced by the FDA back then is significantly reduced efficiency in handling drugs by distributors, pharmacies and hospitals who would have been forced to deploy multiple technologies and multiple business processes to deal with every “innovation”—or whim—that drug manufacturers would have chosen to invest in.  As we have seen recently in California that would have included multiple flavors of RFID, linear barcodes and 2D barcodes.  Thankfully they didn’t do that and those drugs that were serialized for California pedigree pilots also retained the linear barcode so that existing systems could still read the NDC.

Now that some time has passed and regulatory needs have evolved, with this new review the FDA can let the industry help them determine if some alternate technology has some important benefits that linear barcodes do not have.  Considering that we are now looking at the need for serialization within the U.S. supply chain because of the California pedigree law and potentially a new Federal law, a new carrier technology to replace the linear barcode seems quite timely.

Just like it did with linear barcodes in 2004, the FDA should now select a logical new carrier technology and mandate it, giving manufacturers at least two years to deploy the necessary system changes.  But once the new carrier technology mandate goes into effect, every manufacturer must use the same, single carrier technology on all saleable units.  That way the downstream supply chain organizations can invest in a single technology to read the NDC and perhaps the serial number, lot and expiration date (if so mandated now or in the future).

It is the movement by the industry in unison that is the real benefit of carefully mandating a single technology for identifying drugs in the supply chain.  It is the key to maintaining and even improving supply chain efficiencies.  This is nothing more than “interoperability”, where everyone uses the same approach to something so that the systems of all companies can understand and work with that something to its fullest extent.  Does it stifle innovation?  Yes, but it does it in a way that allows the most efficient changeover to each new innovation, which actually leads to more benefits than allowing any company to make use of any innovation at any time.

So the point is, pick the right innovation to switch to at the right time.  I think now is the right time, but what is the right innovation?  Make sure you submit your favorite one to the FDA through their docket and don’t forget to clearly explain why it is best.

CAN THIS LOGIC BE APPLIED TO FUTURE ePEDIGREE REGULATIONS TOO?

When it comes to regulating a supply chain I think it is clear that interoperability is essential to ensure lower costs for all parties.  Interoperability comes from standards, which is just another way of saying “one way of doing something”.

Consider what is happening right now in the GS1 Network Centric ePedigree (NCeP) group.  That group has published descriptions of seven different ways to create a new drug ePedigree system through a network approach.  I have been part of that effort.  Once we had a list of five NCeP models we felt like we needed to reduce the number by selecting one or two to go forward with, or by eliminating two or three.  We found that to be so hard to do that instead of the number of models being reduced it actually grew to the current seven models!

For the most part, the models are mutually exclusive.  To attempt to allow two or more models simultaneously within a given country or region would result in the same problem that multiple carrier technologies on packages of drugs would.  It might be technically possible, but it would lead to reduced interoperability, be very confusing and highly inefficient for all supply chain members.  Maximizing interoperability would come from the use of a single NCeP model at any given time within a given region and that would have the effect of maximizing efficiency for all.

I finally concluded that we shouldn’t reduce the number of NCeP models at all.  In fact, the GS1 NCeP list of models and their descriptions should be considered a “catalog” of models for use by any regulatory bodies who feel the need for a new ePedigree system, and the industry to compare and select the best model for their region and their supply chain.  Ultimately the regulatory body for that region should be expected to identify exactly one of the NCeP models that must be followed after a given date in the future as part of a new regulation.  A specific technology mandate.  The regulatory body could identify another date farther out in the future when the choice of models will be reconsidered—with industry input—so that innovation is accommodated, just like the FDA is doing with their barcode rule.

GS1 can facilitate that only so far.  They can help explain the standards behind each model, as we have already done in the NCeP group.  Once again, the final decision must be made by the regulator using the input of all stakeholders.

Do you disagree?  Should regulators allow/encourage the use of multiple carrier technologies on drugs within the U.S. supply chain?  Should they allow/encourage the use of more than one ePedigree model within a given region?  Is there some other way to get total alignment around a single technology within a supply chain of a given region without resorting to a regulatory mandate?  Explain your logic in a comment below.

Dirk.

Within conversations held during the development of standards for electronic pedigrees it is sometimes common to hear people apply the following test to any pedigree proposal:

“A state inspector arrives at your facility without prior warning, enters the warehouse, picks up any random package of drugs and asks to see ‘the pedigree’ for this package.”

The point being made is that, according to the California Pedigree Law, at the very least, supply chain members will need to be capable of producing a full pedigree for any and every package of drugs in their possession at any time in case of a surprise inspection.

This scenario is an important one when selecting a pedigree model, but it often causes me to think about exactly what the company being inspected would show the inspector, and how they would do that.  To comply with the law, ‘the pedigree’ must be electronic.  That is, it would be in the form of computer-friendly data.  The only electronic pedigree format that is known, with some confidence, to be usable for compliance in California is the GS1 Drug Pedigree Messaging Standard (DPMS) and it carries the data in an XML (eXtensible Markup Language) file.  Even GS1’s Electronic Product Code Information Services (EPCIS) –based systems that many people are hoping will comply with the law stores the data that would constitute ‘the pedigree’ in XML.

But XML isn’t really very readable to humans, with the possible exception of computer programmers.  It’s not likely that the inspector is going to want to see a printout of the pedigree XML data when he or she asks to see ‘the pedigree’.

Instead, most people I know assume that companies will need to show a fancy formatted report that represents the data that is in ‘the pedigree’ XML.  Remember that the Florida pedigree regulations stipulate a specific form that constitutes a valid paper pedigree format and, while they allow pedigrees to be held and exchanged electronically, they apparently expect the electronic pedigree to be presented to them as a printout that is formatted to look just like the paper form.  That may be what leads people to think that California will accept a formatted paper printout that contains all the same data that is in the electronic XML data that is the actual pedigree.

In fact, even the California Board of Pharmacy seems to agree with this kind of presentation of pedigree data to an inspector.  In their January 2008 draft document called “Questions and Answers Relating to the California Electronic Prescription Drug Pedigree Law(s)” the very last question and answer is:

“Q78 Can a wholesaler or pharmacy maintain/store the pedigree record electronically?

Yes. California law requires that records of the manufacture, sale, acquisition and distribution of prescription drugs be available on the licensed premises for three years from the date of making (B&P §§ 4081, 4105, and 4333.) The pedigree record may be kept electronically so long as a hard copy and an electronic copy can during that period immediately be produced (B&P § 4105.)”

The pedigree record may be kept electronically so long as a hard copy and an electronic copy can…be produced.  Hhmmm…Personally, I think the board has mis-interpreted their own law, but I’m not a lawyer and you should consult with yours to decide if you agree or not.

WHY ACCEPTING A PRINTED REPRESENTATION OF AN ELECTRONIC PEDIGREE IS A BAD IDEA

One of the whole points of pedigrees is to help detect criminal activity within the legitimate supply chain.  The California law is quite clear on the requirement that pedigrees be electronic and it doesn’t mention paper, hard copies or printouts.  The reason is fairly obvious, I think.  Electronic pedigrees can take advantage of modern electronic security mechanisms that have been developed over the last 40 years.  DPMS takes advantage of digital signatures to make even the slightest tampering plainly obvious.  But these mechanisms don’t work when they are printed out.  There is no effective protection retained from a digital signature when you print it.

In fact, a criminal wouldn’t even need to bother investing in pedigree management software if an inspector only expects to see a printed representation of an electronic pedigree.  They would simply use a word processor and maybe some simple scripts to print a very nice looking fake “pedigree” that contains a believably proper chain of custody.  It doesn’t need to be true because, unlike an electronic pedigree, with a printout the inspector can’t easily check its accuracy or consistency while he or she is on the premises.  Checking it later would provide the criminal with the time to pack up and disappear.

HOW TO INSPECT AN ELECTRONIC PEDIGREE

So if a printout is a bad idea, how should an electronic pedigree be inspected?  In my view inspectors should carry a laptop computer that has some standard pedigree checking software on it and they would ask the company to provide them with a copy of the electronic pedigree data on a USB thumb drive.  Or in a Semi-Centralized pedigree model the company would give the inspector temporary access to the pedigree data stored in the cloud-based third-party repository.  (See my essay “A Semi-Centralized, Semi-Distributed Pedigree System Idea”.)

The inspector would then use their own checking software to check the digital signatures and present the results on their screen in a format that would look just like the printout might have looked.  The difference here is that the analysis of the electronic pedigree would be performed by software, brought by the inspector, that has been certified against whatever pedigree standard is in use.  If a pedigree has been faked or tampered with, this software would easily detect it and would display that result.

WHAT IF THE INSPECTOR MAKES A SLIGHTLY DIFFERENT REQUEST?

So far in this essay I haven’t differentiated between a distributed pedigree system and a non-distributed one.  (For a discussion of various track & trace models see my essay “The Viability of Global Track & Trace Models”.)  People think that the logical pedigree-related request for an inspector to make is the one I started this essay with.  If the data necessary to produce a pedigree is distributed across multiple trading partners (the previous owners of the drug) and needs to be collected before it can be presented to the inspector, everything still works as I’ve described above (assuming those trading partners’ systems are responding at the time the inspector makes the request to see your pedigree).

But what if the inspector makes the following request instead?

“Show me the pedigree that you received from the seller at the time you acquired this drug”

This may seem like an insignificant variation of the earlier request above but it’s actually an entirely different request.  With this request the inspector is testing the requirement that, as the buyer, you “may not acquire a dangerous drug without receiving a pedigree”.  The trouble is, in a distributed pedigree model companies would not actually receive the full dataset necessary to build ‘a pedigree’ at the time they receive each drug package.  That would only occur at the time an inspector asks to see the pedigree.

If the company being inspected is using a distributed pedigree model and they respond to this request by collecting the necessary data from the previous owners and constructing the pedigree for the inspector, it seems like they are committing a form of fraud (check with your lawyer) since the resulting pedigree is not the pedigree they received at the time they acquired the drug.  It was constructed just now for the first time.

In fact, in a distributed pedigree model, they did not receive ‘a pedigree’ at all at the time they acquired the drug, which appears to be a violation of the law.  (For an explanation of what constitutes ‘a pedigree’ in California see my previous essay “Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 1”.)

With this logic, I contend that a true distributed pedigree model, by its nature, doesn’t comply with the California Pedigree Law.  Do you disagree with this logic?  Leave a comment below.

Dirk.

For the application of unique serial numbers, or Standard Numerical Identifiers (SNIs), to packages as part of compliance with the California Pedigree Law in 2015-2017 , GS1′s Electronic Product Code (EPC), particularly in barcode form, is the clear winning standard.  But there seems to be a very common misconception going around that for pedigree data management, all you need to do to comply with that law is to deploy a system that is based solely on the GS1 Electronic Product Code Information Services (EPCIS) standard.  The  misconception assumes that there is a formula that can be followed to achieve compliance and that EPCIS is the whole formula.

In truth, EPCIS will almost certainly be an important component in the compliance formula but exactly how it fits, and whether there are other necessary components, has not yet been determined.

There are probably several reasons that this misconception persists.  First, GS1 US continues to promote their 2015 “Readiness” Program as if it is that formula.  The program documentation strongly implies that, if you simply follow their program, you will “be ready” to comply with the law; but it stops short of actually saying that you will be compliant.

Second, it seems like people are either able to understand the law well but not the technical standards, or they are able to understand the technical standards well but not the law.  The legal folks are left to trust what the technical people say about EPCIS, and the technical people assume that as long as the data elements identified in the law are present somewhere then EPCIS must comply.

Now I am not a legal expert but I’ve been looking at the text of the California Pedigree Law for a few years now and I think I understand it at a level that allows me to estimate how various technical approaches might fill its requirements.  Let me show you how the text of the law compares to the capabilities of the EPCIS standard.  From that analysis I think you will either be able to see that EPCIS by itself is insufficient to comply with the law, or you may see some flaw in my logic.  In that latter case, please leave a comment below to point out the flaw.  My intent is not to provide you with legal advice but to explain how the EPCIS technical standard would likely be applied when using it in an attempt to comply with the law.  Decide for yourself what you think will or won’t comply.

THE CALIFORNIA PEDIGREE LAW

The California Pedigree Law is now part of the California Business and Professions Code.  There are a number of resources that the California Board of Pharmacy provides to help you study and interpret the code.  Unfortunately all of the material on their website is a little out-of-date, but it still has some value.

• A page containing a copy of the pertinent text from the California Business and Professions Code.  The text on this page is the way the regulations were prior to the most recent modification of the law that pushed the effective date out to 2015-1017.  Most of it is still accurate.
• A draft of a PDF called “Questions and Answers Relating to the Electronic Prescription Drug Pedigree Law”.  Dated January 2008 please note that this document was written for the regulation as it existed prior to the last modification that pushed the effective date out to 2015-2017.  It is still a useful guide to the Board of Pharmacy’s interpretation of the law except when related to the effective dates and perhaps some of the exceptions to the law;
• A PDF called “Background and Summary of the California ePedigree Law”.  The document doesn’t have a date but it is obviously describing the law as it was prior to the latest revision that pushed the effective date to 2015-2017.  It is still useful because it provides some of the history leading up to that revision.

It would be nice if the Board would update these resources now that people are beginning to pay more attention to the current deadlines and are preparing for compliance.

To read the actual text of the current California Business and Professions Code click here and then search for the word “pedigree”, then click on the sections where your search finds that word.  That should take you to the actual text of those sections of the Code.  Now search for key words related to pedigrees.

I have written about the California Pedigree Law in the past.  You might find these essays of interest.  Click here for a list of RxTrace essays that contain references to it.  Dr. Adam Fein of Pembroke Consulting has written frequently about pedigree in general including the California Pedigree Law over the last 5 years or so.  Click here for a list of his DrugChannels blog essays about Pedigree.

THE CALIFORNIA CODE THAT IS PERTINENT TO THE TECHNICAL IMPLEMENTATION AIMED AT COMPLIANCE

First, what constitutes “a pedigree” under California Law?

Section 4034.

(a) “Pedigree” means a record, in electronic form, containing information regarding each transaction resulting in a change of ownership of a given dangerous drug, from sale by a manufacturer, through acquisition and sale by one or more wholesalers, manufacturers, repackagers, or pharmacies, until final sale to a pharmacy or other person furnishing, administering, or dispensing the dangerous drug. The pedigree shall be created and maintained in an interoperable electronic system, ensuring compatibility throughout all stages of distribution.

(b) A pedigree shall include all of the following information:

(1) The source of the dangerous drug, including the name, the federal manufacturer’s registration number or a state license number as determined by the board, and principal address of the source.

(2) The trade or generic name of the dangerous drug, the quantity of the dangerous drug, its dosage form and strength, the date of the transaction, the sales invoice number or, if not immediately available, a customer-specific shipping reference number linked to the sales invoice number, the container size, the number of containers, the expiration dates, and the lot numbers.

(3) The business name, address, and the federal manufacturer’s registration number or a state license number as determined by the board, of each owner of the dangerous drug,  and the dangerous drug shipping information, including the name and address of each person certifying delivery or receipt of the dangerous drug.

(4) A certification under penalty of perjury from a responsible party of the source of the dangerous drug that the information contained in the pedigree is true and accurate.

(5) The unique identification number described in subdivision (i).

(c) A single pedigree shall include every change of ownership of a given dangerous drug from its initial manufacture through to its final transaction to a pharmacy or other person for furnishing, administering, or dispensing the drug, regardless of repackaging or assignment of another National Drug Code (NDC) Directory number.

Dangerous drugs that are repackaged shall be serialized by the repackager and a pedigree shall be provided that references the pedigree of the original package or packages provided by the manufacturer.

[…]

The key to my argument is that all of this information (I’ve highlighted it for you above) must be present in “a record” or it isn’t a valid “Pedigree” according to this part of the Code.  A “single pedigree” must include information about every change of ownership of a given drug or it’s not a valid pedigree.

We only need parts of one more section to be able to determine why EPCIS by itself won’t work for California pedigree.  That’s section 4163.  I’m leaving out parts that aren’t needed for my argument, including the exceptions, so feel free to review the entire section to convince yourself that I haven’t bent anything to benefit my case:

Section 4163.

[…]

(c) […] commencing on July 1, 2016, a wholesaler or repackager may not sell, trade, or transfer a dangerous drug at wholesale without providing a pedigree.

(d) […] commencing on July 1, 2016, a wholesaler or repackager may not acquire a dangerous drug without receiving a pedigree.

(e) […] commencing on July 1, 2017, a pharmacy may not sell, trade, or transfer a dangerous drug at wholesale without providing a pedigree.

(f) […] commencing on July 1, 2017, a pharmacy may not acquire a dangerous drug without receiving a pedigree.

(g) […] commencing on July 1, 2017, a pharmacy warehouse may not acquire a dangerous drug without receiving a pedigree.

[…]

So once the law goes into effect, wholesalers, repackagers and pharmacies cannot sell, trade or transfer a drug without providing the buyer with “a pedigree”, and, separately, wholesalers, repackagers and pharmacies cannot buy a drug without receiving “a pedigree” from the seller.  Notice that this obligates both the buyer and seller independently.  If “a pedigree” isn’t provided with the transaction, both buyer and seller are breaking the law.

HOW EPCIS WAS DESIGNED TO WORK

EPCIS was designed to be used to implement a distributed network of repositories that each contain records describing the WHO, WHAT, WHEN and WHY of supply chain events that occur as serialized products move through a supply chain.  The original vision of EPCIS as applied to the U.S. pharmaceutical supply chain would expect each pharma manufacturer, each distributor and each pharmacy to have their own event repository that conforms to the EPCIS specification.

In their repositories, these companies would save records—or, events—that describe all of the serial number-based events that would occur while the drugs were under their control.  That is, the manufacturer’s repository would hold all of the events related to each drug package that occurred during manufacturing through shipment to the their customer, but it would not hold any of the events that occurred on the properties of downstream owners of those drugs.  Likewise, the distributor who bought the drugs from the manufacturer would typically hold only the events for those drugs from the point of receipt from the manufacturer through their own shipment to their customer.  And so on down the supply chain.

APPLYING BASIC EPCIS TO THE BASIC PEDIGREE PROBLEM

To get a full “trace”, or “supply chain history”, of a given package of a drug you would need to query each of the EPCIS repositories of all previous owners back to and including the manufacturer.  This “trace report” that would result would be a good example of a “chain of custody” report, but it would fall short of what California calls “a pedigree”.  It may be a valid pedigree in other jurisdictions under different laws but in California it would be missing the following necessary data elements from their definition:

• “Name”, “registration number or a state license number and principle address of the source”
  These data elements would be missing because, by definition, EPCIS makes use of Supply Chain Master Data (SCMD) references to save space.  Instead of the explicit information called out in the law the trace records produced by EPCIS queries would contain GS1 Global Location Numbers (GLNs) which are 13-digit numbers that are supposed to represent most of this data.  That representation is defined by the owner of the GLN and they are under no obligation to maintain it or to ensure that the data has a single, fixed association with the GLN.
• “Trade or generic name”, “dosage form”, “strength”, and “container size”
  These data elements would be missing because, like its use of GLN’s, EPCIS is designed to also use SCMD references for product data to save space.  In place of this data, each event would include only a GS1 Global Trade Item Number (GTIN) which is a 14-digit number that is supposed to represent most of that product data.  The manufacturer of the drug owns the relationship between the GTIN and the associated product data, but they are under no obligation to ensure there is only one, unchanging set of product data associated with that number.
• “Business name”, “address”, “federal manufacturer’s registration number or a state license number”…”of each owner” of the drug, including the “name” and “address of each person certifying delivery or receipt” of the drug
  Again, EPCIS events would hold a representation of this information as a set of GLN’s to save space.  The actual data would only be implied.
• “A certification under penalty of perjury from a responsible party of the source of the dangerous drug that the information contained in the pedigree is true and accurate”
  The EPCIS standard doesn’t define anything like this kind of data.
• “A single pedigree shall include every change of ownership…”
  The chain of custody report that is built as the result of the set of queries mentioned above would be a set of records that would need to be interpreted and the information combined into a single record.  But this would only be possible if the current owner knows who to query and then only if all of the previous owners of the drug were willing and technically able to reply at that particular moment with their contribution of the events they hold about that particular drug.

That’s a lot of missing information.  It may seem like the EPCIS standard is so far away from what the law calls for that it is hopeless to expect it to ever work.  Not quite.  EPCIS has an important feature that is intended to allow users to extend its operation in multiple ways.  This feature allows EPCIS to be shaped into solutions that can fit problems much more flexibly than previous general purpose systems might have in the past.  Can this extensibility feature address all of the missing information in some way and turn the chain of custody report into a compliant pedigree?  Perhaps.  I will consider that possibility in future essays in this series.  But first…

ENTER THE GS1 US HEALTHCARE 2015 READINESS PROGRAM

GS1 US saw these problems with EPCIS a number of years ago.  Since that time their Healthcare Traceability group has been working on potential solutions to some of the problems I listed above.  I can’t write about exactly how they propose to do that because they have policies that prevent the disclosure of that kind of internal information.  However, it appears that GS1 US is just about to make that kind of information public themselves in the next few weeks.  As soon as they do I will pick up this topic again and explain how their ideas might or might not address this list of deficiencies.

WHAT ABOUT GS1 (GLOBAL) HEALTHCARE?

That’s a good question.  That organization has been busy working on pedigree-related ideas as well, though at a global level, and, not coincidentally, they too are about to make public their latest thoughts on how to use the EPCIS standard for network-centric ePedigree applications.  Although their work is intentionally not aimed at meeting the exact requirements of the California law (because it is a global effort), their work does beg for an explanation of how it might fit if those ideas were applied in that State Law.  This release of information will probably occur in the next few weeks as well.  So we will shortly have lots of ideas in the public domain that we can discuss and analyze.  In fact, I hope we are not overwhelmed!

WILL ANY OF THIS MAKE ANY DIFFERENCE AT ALL?

Another great question.  In fact, it may all become moot, because a new federal pedigree bill was apparently introduced into the U.S. Congress a couple of weeks ago by Representative Jim Matheson [D-UT].  If that bill, or some modified version of it eventually makes it out of committee and then passes both Houses of Congress and then if the President signs it, it would almost certainly pre-empt the California Pedigree Law.  In that case, we will all shift our attention to the peculiarities of the Federal regulation and the likely FDA guidance that would certainly follow.

However, it is very hard to estimate the likelihood that this, or other bills like it in the future, will pass.  Similar bills introduced in past sessions have not made it out of committee.  So until one of these bills make it through the entire process, it makes the most sense to keep our eyes on the realities of the California requirements.

Stay tuned for Part 2 as soon as the GS1 US and GS1 (global) documents are made public.

Dirk.

For Part 2 in this series, see “Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 2“.

In this essay, I’m not going to discuss the attributes of a track & trace system from a regulator’s point of view.  I’m not going to discuss input into the FDA’s Track & Trace workshop that occurs this week and I’m not going to speculate on the outcome of that meeting.  Instead, I’m going to talk about the attributes of a track & trace application from the viewpoint of any global pharma manufacturer who is facing the regulatory mandates for serialization and traceability in a growing list of countries around the world, and from the viewpoint of any solution provider who is thinking about what they need to include in their solution offering so that those global pharma companies find it attractive enough to buy.  

To those kinds of companies, the potential for new non-binding guidance from the U.S. is important, but perhaps less so than an increasing number of binding regulations from around the world.  Whatever the FDA—and especially the U.S. Congress—may do in the future will be important when selecting a track & trace solution, but the U.S. is only one of the countries in the world and pharma companies that do business in those other countries do not have time to wait for the U.S. to figure out their approach before making investments. 

The goal is to make investments today that will be flexible enough to accommodate existing laws around the globe and whatever ultimately might or might not happen in the U.S., the E.U. and elsewhere.  To accomplish that, “flexibility” is the key word and the key attribute.  The application you invest in should not be only targeted at a single regulation but should be designed to provide building-blocks of functionality which can be applied differently to the same products that will be shipped into many different regulatory environments around the world. 

Companies looking to buy a solution should look for a provider that has already made their own investments in understanding the specific regulations around the world.  You need a partner to help you understand and meet the specific requirements in Turkey, Brazil, Italy, India, China, South Korea and others that might pop up in the future.  Look for a solution provider who knows the existing global regulations and also knows exactly how to apply their solution in a way that will meet each one. 

THE ATTRIBUTES 

Here is a list of attributes to look for in a global track and trace solution. 

Interoperability.  In a phrase, “Standards-Based”.  Reject all proprietary solutions or you will find that your solution does not work with those selected by your trading partners.  It’s surprising how often I receive an email from a solution provider who thinks the world will be so much better off once their proprietary solution is deployed by everyone in the world.  In fact, no approach to track and trace will work if it is only supplied by a single company.  Interoperability demands a standards-based approach so that multiple companies can offer solutions that are fully compatible with each other.  That way pharma company A can invest in the solution from solution provider A’, and pharma company B can invest in the solution from solution provider B’, and wholesaler C can invest in the solution from solution provider C’, and so on, and they all work together without any special patching.  That’s interoperability. 

Today, the safest bet is to deploy solutions that are based on GS1 standards.  There are two major reasons for that.  First, several countries, notably Brazil, India and South Korea, have apparently explicitly named GS1 identification standards in their regulations or in their guidance.  (Be careful.  GS1 has a lot of standards.  This doesn’t mean that these countries require you to use every single standard that GS1 publishes so study the regulations carefully to learn exactly which GS1 standards are actually mandated.)  

Second, there is a lot of pharma industry activity in GS1’s end-user organizations including GS1 Healthcare (global) and GS1 US Healthcare.  This activity offers an indispensible source of adoption examples and experience.  No matter what, it’s dangerous jumping onto the cutting edge when you are forced to adopt new technology while regulations are still evolving, but at least it feels less dangerous when you are in a crowd of other companies who are forced to do the same thing.  

Don’t be lulled into thinking that GS1 or GS1 US knows what they are doing either.  Be prepared to interpret the regulations for yourself, but expect to deploy a solution that makes use of some GS1 standards.  Just because GS1 identification standards are usable today and are the most likely candidates for pharmaceuticals that are packaged for sale in certain markets doesn’t mean necessarily that GS1’s data exchange standards like DPMS or EPCIS will apply to those same markets.  GS1 isn’t done developing standards for pharmaceutical track and trace so we can’t yet tell which of their standards provide the right mix of interoperability and compliance.  That makes it tough to figure out today what the right choice is and that may lead to less efficiency than companies would like.  All the more reason to select a solution provider who is willing and able to respond to changes in regulations, and to evolving standards as well. 

Serial Number Management.  This feature of a track & trace application doesn’t need to be standardized across all industry deployments, although it must work with both standard and country-specific identifiers.  In fact, this is going to be one of the key differentiating features of the products that you will need to select between.  Serial number management is a set of functionality that will allow you to securely and accurately control and keep track of the serial numbers that you apply to your pharmaceutical products.  Again, flexibility will be crucial.  You need a single, centralized (within the corporation) place where serial numbers of all types will be allocated and then distributed to the remote facilities where the actual commissioning (association of a serial number to a physical thing) occurs.  In GS1 parlance, this includes SGTIN’s (Serialized Global Trade Item Numbers), SSCC’s (Serial Shipping Container Codes), GIAI’s (Global Individual Asset Identifiers) and GRAI’s (Global Returnable Asset Identifiers). All of these standard identifiers need to be managed by the proprietary serial number management module of your track and trace solution. 

This management must also work well for regions of the world where the local government defines the serial numbers and provides them to you, either in data form (as appears to be the case in China) or as pre-printed stickers (as appears to be the case in Italy and Brazil).  Even when the government gives you these numbers you still need to keep track of them.  Because these numbers may not always conform to GS1 standards, your solution will need to be able to deal with non-standard identifiers and serial numbers as well.  Exactly how that is done ought to be a big differentiating factor in your selection process. 

Certifications.  A certification is a way to attach individual or corporate assertions of truthfulness to the track and trace data in order to fulfill specific requirements to do so.  It’s a feature of some regulations that is intended to make it easier to prosecute criminals—one of the more important reasons for the existence of track & trace regulations.  Not all country regulations require you to include a certification within your track and trace data but your track & trace solution needs to be able to include them if you expect to use it in California after January 1, 2015.  That’s when their pedigree regulation goes into effect for the first 50% of each manufacturer’s product.  This ought to be another big differentiating factor in your solution selection process if your products end up there.  Any solution provider who has this figured out is well on the way to deserving your business. 

Pedigree Reporting.  This is a catchall term I am using here to cover any and all reporting requirements that each track & trace regulation includes.  If a regulation specifies it, your solution needs to supply it.  The problem here is that many of the global requirements are not well defined and you could easily find that the regulatory agency that oversees the regulation comes up with the need for a particular report that is not clearly spelled out in the regulation.  You need a technology partner who is going to monitor these agencies around the world on behalf of their customers so that they will be the first to know about the new reporting requirement and they will already be working on its implementation when you first become aware of its need.  

RFID and Barcode Data Capture.  Finally, the track & trace solution you select should be capable of easily handling serialization data capture from both RFID and Barcode data carriers.  Even if you don’t plan to make use of one or the other today, you may find that certain jurisdictions mandate one or the other.  For example, I understand that South Korea has, or will, mandate the use of RFID on pharmaceuticals sold there.  If I understand that right, and if you package drugs for sale in that market, then you may be faced with applying RFID tags to those units. 

These attributes may eliminate some solution providers from consideration.  Watch out for any solution provider that doesn’t have one or more people dedicated to monitoring global regulations.  If they are only in business to sell you a solution to today’s static “regulatory problem” then they aren’t worth your time.  That’s because we are in a very dynamic regulatory situation today when it comes to global pharmaceutical track and trace regulations.  You should be looking for a technology partner who has a long-term interest in meeting the shifting pharma track & trace demands of all the world’s governments.  That’s a tall order, and one that demands flexibility and constant attention.

Digital electronic messages can be transmitted from one party to another using a wide range of communications technologies.  Today, businesses that make use of the internet to transmit their business messages to and from their trading partners make use of standards-based Electronic Data Interchange (EDI) message formatting. 

EDI messages are typically transmitted point-to-point, from one business to one other business.  There are a large number of EDI message types defined but in the pharmaceutical supply chain the most common messages are purchase orders, purchase order acknowledgments, invoices and advance shipment notices (ASN’s).  (While I have the chance, I’d like to point out that ASN’s are not pedigrees for multiple reasons that I will not cover in this essay.)

In the U.S. pharma supply chain AS2 is the most common communications protocol in use for EDI message exchange.  AS2 provides generalized message security to ensure that the messages cannot be understood or tampered with by unauthorized parties during movement from sender to recipient.  According to Wikipedia, these are achieved through the use of digital certificates and encryption.  Messages can optionally be digitally signed by the sender to provide non-repudiation within the AS2 payload context.

Electronic pedigrees as defined by the states of Florida and California are messages that contain fairly complex legal documentation which describe the chain of custody or ownership of a given package of drugs, but they also contain several types of legally required certifications.  I’ve written about these certifications in the past (see “Certifications In A California-Compliant Drug Pedigree” and “Digital Signatures”) and I have more to say about them below.

Electronic pedigree messages need to be transmitted from point-to-point over the internet just like traditional EDI documents and so they have the same need for secure transmission.  In fact, AS2 is one of the protocols that has been used for transmission of pedigrees that take the form of GS1 Drug Pedigree Messaging Standard (DPMS) documents.  AS2 is also one of the protocols specified for business to business exchange of GS1 Electronic Product Code Information Services (EPCIS) events which may someday be used as components of electronic pedigrees. 

In RxTrace I usually discuss the kind of digital electronic messages that contain drug pedigree information, but in reality, almost any digital electronic business-to-business messages could have needs that are similar to pedigrees.  In this essay I want to take a closer look at the certification requirements and discuss some of the technical implications that result. 

WHAT IS A “CERTIFICATION”? 

The Merriam-Webster dictionary defines the word “certification” this way:

cer·ti·fi·ca·tion  noun \ˌsər-tə-fə-ˈkā-shən\

1. the act of certifying : the state of being certified
2. a certified statement

 It defines the word “certify” this way:

cer·ti·fy  verb \ˈsər-tə-ˌfī\

1. to attest authoritatively: as
   1. confirm
   2. to present in formal communication
   3. to attest as being true or as represented or as meeting a standard
   4. to attest officially to the insanity of
2. to inform with certainty : assure
3. to guarantee (a personal check) as to signature and amount by so indicating on the face
4. to recognize as having met special qualifications (as of a governmental agency or professional board) within a field <agencies that certify teachers>

If these words are specifically defined in the California statues I haven’t been able to find them, so when those words are used in their pedigree regulations and the Board of Pharmacy’s document, “QUESTIONS AND ANSWERS RELATING TO THE CALIFORNIA ELECTRONIC PRESCRIPTION DRUG PEDIGREE LAW(S)”, I think the first definition of “certification” and definition 1.3 for “certify” are the what they mean.  I’ve bolded those definitions above.  Let me know in a comment if you disagree with my choice. 

The dictionary definitions above strongly imply that it is a person or organization that is doing the certifying.  For that reason, for a certification to be performed, it must be bound to the person or organization that is executing it.  

The California law says that each owner of a drug must include in the pedigree for that drug “A certification under penalty of perjury…that the information contained in the pedigree is true and accurate.”  Pedigrees must also include “…the name and address of each person certifying delivery or receipt of the…drug.” 

These appear to be two different kinds of certifications.  The first is certifying that “the information contained in the pedigree” is “true and accurate”.  The second is certifying the “delivery or receipt of the drug”.  It’s an open question if these two or three certifications per owner can be combined into the execution of a single technical certification. 

HOW DOES DPMS IMPLEMENT THESE CERTIFICATIONS? 

In DPMS pedigrees, certifications are implemented through the use of digital signatures that use X509 certificates to bind the identity of a person or organization as the “signer” to a given range of data within the pedigree message.  These digital signatures provide non-repudiability of the signer’s identity and they break the signature if someone later modifies the portion of the pedigree that was signed.  X509 also defines a way to revoke the authorization of a certificate holder to sign future pedigrees. 

DPMS requires the signer to identify the “signatureMeaning” of the digital signature they are applying.  This “signatureMeaning” is the magical element that converts digital signatures in DPMS pedigrees from a collection of data that simply identifies the signer and associates him/her/it with a range of chain-of-custody/-ownership data, into the true “certification” of the target range of data that is being signed by the signer.  The “signatureMeaning” provides context to the signature by allowing the signer to clearly indicate their intent when they apply their signature.  In DPMS the “signatureMeaning” may be one of the following values (this list is extendible): 

• “Certified”  when certifying the content added to a pedigree
• “Received” use by recipient after receiving the item against the pedigree
• “Authenticated” used by recipient after successfully authenticating the pedigree
• “Received and Authenticated” used by the recipient after successfully authenticating a pedigree and receiving the item against the pedigree 

HOW CAN CERTIFICATIONS BE APPLIED TO A COLLECTION OF EPCIS EVENTS? 

That’s the million dollar question—one that has stopped efforts to move forward with an EPCIS-only pedigree solution in the past.  The question remains unanswered.  Fortunately there is another group of very bright people who are now working to answer the question.  DPMS can be used as a reference model but the goal of this group is not to simply recreate DPMS using EPCIS events.  The use of digital signatures in DPMS is the thing that is most often cited as the reason people wish to look for an alternate solution to the pedigree regulations.  

But to implement an acceptable certification without using digital signatures is a tall order.  You will need to come up with some way to clearly document the identity of the individual or organization (and provide non-repudiation of it) and then bind them to the set of events that describe the part of the pedigree that they need to certify.  Of course, once certified the certifier will demand that the set of events they just certified cannot be modified in any way without breaking their certification.  Otherwise they could be held legally liable for a change to the events that they did not authorize. 

So let’s see.  The certification will need to… 

1. Provide a mechanism to clearly document the certifier’s identity (with non-repudiation…and also with a way to revoke their authorization to certify),
2. Tightly bind the certifier to a specific set of EPCIS events, and
3. Prevent unauthorized modification of the same set of events.

Hmmm.  So far it sounds just like a digital signature to me.  Oh, but I need to add …

4.  Require less space overhead and less complexity than a digital signature.

I’m not saying it can’t be done.  Chances are you can do any two or three, but to do all four will be really hard.  In fact, if the group is successful it would mark a huge leap forward in digital technology and it would open doors to its use in many other types of legal documents and business transactions. 

For EPCIS-only to work as a pedigree system this problem will have to be solved.  Watch for the results of this effort in the next few years.