Conversations about the merits of various pedigree and authentication models usually start from dissatisfaction with some characteristic of the current GS1 DPMS pedigree model. I maintain that the design of DPMS—including its perceived flaws—is merely a reflection of the current state and federal pedigree laws and regulations. Characteristics that people don’t like—like digital signatures, a growing document as drugs move down the supply chain, and the fact that Supply Chain Master Data is not used by DPMS—are actually all characteristics of the laws and/or regulations, so any alternate pedigree model that would truly be usable for compliance would need those characteristics too.
But that’s not exactly what I want to discuss in this essay. Instead, I wanted to explain my theory of what U.S. pedigree laws are trying to accomplish in the first place. Forget about how they do it for now. What were the goals of those who wrote these laws and regulations? I’ll agree that this is impossible to know for sure but I think I can construct a pretty convincing theory. I don’t know any of the legislators or congresspeople who wrote these laws, but I have studied their work for over four years now. I have made the following observations.
- The highest priority goal of the Florida and California laws appears to be to detect the introduction of illegitimate drugs (counterfeit, stolen, up-labeled, diverted, etc.) into the legitimate supply chain as early as possible, preferably at the very first transaction. These laws accomplish this by requiring companies buying drugs within the supply chain to receive the full supply chain history of those drugs at the time of the purchase (contained in a “pedigree”), and, most importantly, by requiring them to verify the legitimacy of those prior transactions. In Florida that verification can be performed by direct contact, such as a phone call, email, fax, etc., or, optionally, through the use if digital signatures. In California, this verification can only be performed through the use of digital signatures. The federal PDMA, on the other hand, does not appear to obligate the buyer to do any verification of the information provided on pedigrees they receive.Finally, Florida and California both require the recipient of the shipment to confirm that the physical drugs they received match those described by the pedigrees they received. That seems obvious, doesn’t it? Why would any legislative body require all or some supply chain participants to go through all the expense to generate and pass pedigree information but stop short of requiring anyone to actually look at it? Well, oddly, the federal PDMA appears to do just that.
- There is a clear attempt in the laws to help identify who participated in the introduction of the illegitimate product. This is important if your goal is to efficiently and quickly investigate the suspected crime. This would aid in shutting down the criminals as quickly as possible before they are able to spread bad medical products very deeply into the supply chain. All U.S. pedigree laws require some type of information that describes each transaction affecting the change of ownership and/or possession of drugs. Florida requires the name and signatures (hand written or digital) of the individuals who are vouching for the accuracy of the information for each step in their pedigrees. California requires the same in digital form. For those transactions that require a pedigree, the PDMA simply wants the names (but apparently no signatures) of any company who had something to do with each distribution transaction.
- There is also a pretty clear attempt to automatically generate solid evidence that can be used to prosecute criminals efficiently. Here again, signatures play an important role, but just as important is the fact that Florida and California require their pedigrees to be in a single record. I draw the conclusion that this is to ensure that pedigrees are constructed as self-contained pieces of documentary evidence for use “as is” in case a crime occurs.
Supply Chain Master Data in Pedigrees
In my opinion, the use of Supply Chain Master Data (SCMD) in pedigrees fails to meet these goals. When a criminal obtains a wholesaler’s license, they own the SCMD (the GLN, or Global Location Number) that describes the location of their operation. If pedigrees were allowed to make use of SCMD, the criminal would be in control of what their own GLN means. GS1 doesn’t police and enforce the guidelines, best practices or even the rules around GLN’s so the criminal could change the meaning of their GLN at any time it helps their case. Before they are discovered they can throw off investigators by defining their address at an empty lot. After they are caught, but before trial they might correct their “error” and make their GLN point to their actual address. In court, their lawyer might easily be able to challenge the pedigree because too many people can change the SCMD referenced by it, and that means the pedigree is not a fixed record but a dynamic one, meaning one thing today, perhaps something else yesterday and maybe something entirely different tomorrow. Leaving criminals in control of the content and meaning of all pedigrees they have ever touched might make pedigrees difficult to use for detection and identification, and potentially worthless for prosecutions.
To overcome this problem, regulators might be forced to make it a crime to ever change any SCMD after it is used on a single pedigree, which may leave a lot of non-criminal organizations open to criminal prosecution for inadvertently attempting to correct an honest mistake in the definition of their GLN’s or GTIN’s. It may also require the FDA to require a monitored GLN registry.
A distributed pedigree approach (See my earlier essay, “Fundamental Law of Commerce“) would have an even worse problem along these lines. It would take a pretty talented prosecutor to be able to make sense in the minds of a jury out of a pedigree that is composed of snippets that are held and controlled by an array of supply chain participants, including innocent parties and alleged criminals. In contrast, a fully self-contained pedigree could be presented to a jury much more convincingly because it can be fully displayed and validated in front of them without any need for a live internet connection in the courtroom. A self-contained pedigree would not use SCMD.
In Europe, A Different Approach
Pedigree laws in the U.S. are designed to protect the public by attempting to detect the introduction of illegitimate product into the legitimate supply chain as early as possible, identify those who were involved, and then help prosecute them. A current proposal for securing the drug supply in Europe takes a rather different approach. The European Federation of Pharmaceutical Industry Association (EFPIA), an industry organization, proposes a model that would only detect illegitimate drugs at the point of dispense (POD) in the pharmacy. In many cases, this will prevent patients from consuming illegitimate drugs…at only the last opportunity. However, with POD, there is no ability to identify who is introducing the illegitimate product and it offers no help in prosecutions.
In my view, widespread adoption of POD may actually result in an increase in the number of illegitimate drugs introduced at distribution. That’s because the criminal gets paid for their crimes and can disappear before the detection of their fake drugs occurs at the POD, the point of dispense in the pharmacies. These criminals probably don’t really want to harm anyone. They just want to get paid and to not get caught. If they can still get paid, not get caught and their illegitimate products get filtered out of the supply chain before they can do any harm, all the better for them. Currently POD is only a proposal, although you could successfully argue that regulations in Italy, China, Turkey and others are POD regulations. It will be interesting to see if the approach continues to catch on with regulators.
What is your theory about what U.S. and POD pedigree laws are trying to accomplish? Reply below.
6 thoughts on “What are Pedigree Laws Trying to Accomplish Anyway?”
Above all, US Pedigree has an economic impact by far higher than POD scenario.
POD is feasible regardless of wholesaler and distributor's investment but the biggest drawback remains the ownership of information gathered in a central database.
Very thoughtful post.
Your point about POD may be valid, but pedigree laws could also increase the presence of counterfeits. The administrative burden of pedigree could tempt some pharmacies to engage in unsafe buying practices, especially if any type of importation law gets passed by Congress.
So, I think it's very hard for a technical solution to protect us from a "demand-side" counterfeiting problem. See my 2006 blog post for more: Our Demand Side Counterfeit Drug Problem.
Plus, pedigree laws are often driven by the personal whims of a few volunteers at underfunded state boards of pharmacy. Florida's law tries to make up for an asleep-at-the-switch Board of Pharmacy prior to 2003. The result has been a crazy patchwork of inconsistent laws and regulations.
Great post. In my experience people continue to try and wish away the requirements of the laws for some technical elegance or other agenda.
If a 'solution' doesn't satisfy the requirements, its not really a solution, is it? 😉
Guy, Adam and Anonymous all make good points. My essay wasn't focused on economic impacts, but Guy may be correct about the lower cost of the POD model, assuming the government pays for the central repository and all of the technology needed to make that work. I agree with Guy's comment about the ownership of the data held by the "database in the sky" being the biggest drawback of POD.
Adam's comment makes several very good points. I encourage everyone to read his excellent essay regarding the demand side counterfeit drug problem (see the link in his response above). I was just telling my wife that any action that successfully tightens up the supply chain will cause criminals to focus directly on the pharmacies, and that there will be a need for pharmacies to actually advertise their safe buying practices in a way that allows customers to discriminate appropriately. But Adam makes an excellent point (made in his essay) that consumers will ultimately have to be given some way of independently checking the authenticity of the drugs they buy from pharmacies so they can feel more confident in their trust. The pharmacy segment in the U.S. has traditionally been opposed to anything that causes customers to feel less than totally confident in drugs coming from pharmacies (any pharmacy), but with re-importation looking more and more likely, I wonder if they might change their tune.
Finally, Anonymous (above) makes a point similar to one I made in my previous post, "Pedigree Models and Supply Chain Master Data".
These three comments demonstrate just how narrow the focus is in my blog. I don't cover economics. Fortunately Adam covers it quite well and he is able to provide that perspective in his DrugChannels blog and in his comments in my blog.
The intention of the US pedigree laws is not to set up a firewall between consumers and counterfeiting drugs. They intend to protect consumers by deterring counterfeiters. Essentially pedigree is a tracing mechanism that helps reconstruct the movements of counterfeited drugs after they are detected. With this tracing mechanism, finding the source of counterfeiting drugs becomes quicker and easier; catching and convicting criminals become quicker and easier. Thus the risk and cost to the would-be counterfeiters become higher. Will pedigree laws completely solve the counterfeiting problems? No. However once fully implemented, they can be very effective in reducing counterfeiting activities.
Another misconception is that pedigree is costly. From my experience of implementing California pedigree law compliance solutions, pedigree is only a fraction of the cost. It is the item-level serialization which consumes majority of the budget and generates huge amount of data. At the same serialization level, the economic impact of POD model won’t be much less compared to pedigree model. On the other hand, if we decouple pedigree from serialization, the cost of non-serialized pedigree (e.g. lot level) becomes very manageable.
I feel I must comment on the last point made by Anonymous above. It seems that your experience must have been mainly at pharma manufacturers. From that perspective, you are correct when you say that the cost of "non-serialized pedigree" becomes very manageable. The costs to manufacturers are much lower when they do not apply serial numbers at the item level. But from a full supply chain perspective the costs are not "very manageable". Tracing non-serialized items at the wholesale and pharmacy segments is very complex and fraught with potential loss of maintaining the proper history. Once that history linkage is lost the drugs cannot be sold.
It's also a misnomer to call it "lot level" pedigree since only the manufacturer can use the lot as the primary basis for maintaining their supply chain history. Downstream segments must make use of receipt segregation techniques in addition to the lot/batch. Since the lot/batch number applied to each package is not machine readable, using it for tracing is inconsistent with a modern, high volume, high speed supply chain.
It's interesting to look at how costs are distributed across each segment of the supply chain for different approaches to pedigree. I'll try to expand on these thoughts and my observations in a future essay.
Comments are closed.