In this essay, I’m not going to discuss the attributes of a track & trace system from a regulator’s point of view. I’m not going to discuss input into the FDA’s Track & Trace workshop that occurs this week and I’m not going to speculate on the outcome of that meeting. Instead, I’m going to talk about the attributes of a track & trace application from the viewpoint of any global pharma manufacturer who is facing the regulatory mandates for serialization and traceability in a growing list of countries around the world, and from the viewpoint of any solution provider who is thinking about what they need to include in their solution offering so that those global pharma companies find it attractive enough to buy.
To those kinds of companies, the potential for new non-binding guidance from the U.S. is important, but perhaps less so than an increasing number of binding regulations from around the world. Whatever the FDA—and especially the U.S. Congress—may do in the future will be important when selecting a track & trace solution, but the U.S. is only one of the countries in the world and pharma companies that do business in those other countries do not have time to wait for the U.S. to figure out their approach before making investments.
The goal is to make investments today that will be flexible enough to accommodate existing laws around the globe and whatever ultimately might or might not happen in the U.S., the E.U. and elsewhere. To accomplish that, “flexibility” is the key word and the key attribute. The application you invest in should not be only targeted at a single regulation but should be designed to provide building-blocks of functionality which can be applied differently to the same products that will be shipped into many different regulatory environments around the world.
Companies looking to buy a solution should look for a provider that has already made their own investments in understanding the specific regulations around the world. You need a partner to help you understand and meet the specific requirements in Turkey, Brazil, Italy, India, China, South Korea and others that might pop up in the future. Look for a solution provider who knows the existing global regulations and also knows exactly how to apply their solution in a way that will meet each one.
Here is a list of attributes to look for in a global track and trace solution.
Interoperability. In a phrase, “Standards-Based”. Reject all proprietary solutions or you will find that your solution does not work with those selected by your trading partners. It’s surprising how often I receive an email from a solution provider who thinks the world will be so much better off once their proprietary solution is deployed by everyone in the world. In fact, no approach to track and trace will work if it is only supplied by a single company. Interoperability demands a standards-based approach so that multiple companies can offer solutions that are fully compatible with each other. That way pharma company A can invest in the solution from solution provider A’, and pharma company B can invest in the solution from solution provider B’, and wholesaler C can invest in the solution from solution provider C’, and so on, and they all work together without any special patching. That’s interoperability.
Today, the safest bet is to deploy solutions that are based on GS1 standards. There are two major reasons for that. First, several countries, notably Brazil, India and South Korea, have apparently explicitly named GS1 identification standards in their regulations or in their guidance. (Be careful. GS1 has a lot of standards. This doesn’t mean that these countries require you to use every single standard that GS1 publishes so study the regulations carefully to learn exactly which GS1 standards are actually mandated.)
Second, there is a lot of pharma industry activity in GS1’s end-user organizations including GS1 Healthcare (global) and GS1 US Healthcare. This activity offers an indispensible source of adoption examples and experience. No matter what, it’s dangerous jumping onto the cutting edge when you are forced to adopt new technology while regulations are still evolving, but at least it feels less dangerous when you are in a crowd of other companies who are forced to do the same thing.
Don’t be lulled into thinking that GS1 or GS1 US knows what they are doing either. Be prepared to interpret the regulations for yourself, but expect to deploy a solution that makes use of some GS1 standards. Just because GS1 identification standards are usable today and are the most likely candidates for pharmaceuticals that are packaged for sale in certain markets doesn’t mean necessarily that GS1’s data exchange standards like DPMS or EPCIS will apply to those same markets. GS1 isn’t done developing standards for pharmaceutical track and trace so we can’t yet tell which of their standards provide the right mix of interoperability and compliance. That makes it tough to figure out today what the right choice is and that may lead to less efficiency than companies would like. All the more reason to select a solution provider who is willing and able to respond to changes in regulations, and to evolving standards as well.
Serial Number Management. This feature of a track & trace application doesn’t need to be standardized across all industry deployments, although it must work with both standard and country-specific identifiers. In fact, this is going to be one of the key differentiating features of the products that you will need to select between. Serial number management is a set of functionality that will allow you to securely and accurately control and keep track of the serial numbers that you apply to your pharmaceutical products. Again, flexibility will be crucial. You need a single, centralized (within the corporation) place where serial numbers of all types will be allocated and then distributed to the remote facilities where the actual commissioning (association of a serial number to a physical thing) occurs. In GS1 parlance, this includes SGTIN’s (Serialized Global Trade Item Numbers), SSCC’s (Serial Shipping Container Codes), GIAI’s (Global Individual Asset Identifiers) and GRAI’s (Global Returnable Asset Identifiers). All of these standard identifiers need to be managed by the proprietary serial number management module of your track and trace solution.
This management must also work well for regions of the world where the local government defines the serial numbers and provides them to you, either in data form (as appears to be the case in China) or as pre-printed stickers (as appears to be the case in Italy and Brazil). Even when the government gives you these numbers you still need to keep track of them. Because these numbers may not always conform to GS1 standards, your solution will need to be able to deal with non-standard identifiers and serial numbers as well. Exactly how that is done ought to be a big differentiating factor in your selection process.
Certifications. A certification is a way to attach individual or corporate assertions of truthfulness to the track and trace data in order to fulfill specific requirements to do so. It’s a feature of some regulations that is intended to make it easier to prosecute criminals—one of the more important reasons for the existence of track & trace regulations. Not all country regulations require you to include a certification within your track and trace data but your track & trace solution needs to be able to include them if you expect to use it in California after January 1, 2015. That’s when their pedigree regulation goes into effect for the first 50% of each manufacturer’s product. This ought to be another big differentiating factor in your solution selection process if your products end up there. Any solution provider who has this figured out is well on the way to deserving your business.
Pedigree Reporting. This is a catchall term I am using here to cover any and all reporting requirements that each track & trace regulation includes. If a regulation specifies it, your solution needs to supply it. The problem here is that many of the global requirements are not well defined and you could easily find that the regulatory agency that oversees the regulation comes up with the need for a particular report that is not clearly spelled out in the regulation. You need a technology partner who is going to monitor these agencies around the world on behalf of their customers so that they will be the first to know about the new reporting requirement and they will already be working on its implementation when you first become aware of its need.
RFID and Barcode Data Capture. Finally, the track & trace solution you select should be capable of easily handling serialization data capture from both RFID and Barcode data carriers. Even if you don’t plan to make use of one or the other today, you may find that certain jurisdictions mandate one or the other. For example, I understand that South Korea has, or will, mandate the use of RFID on pharmaceuticals sold there. If I understand that right, and if you package drugs for sale in that market, then you may be faced with applying RFID tags to those units.
These attributes may eliminate some solution providers from consideration. Watch out for any solution provider that doesn’t have one or more people dedicated to monitoring global regulations. If they are only in business to sell you a solution to today’s static “regulatory problem” then they aren’t worth your time. That’s because we are in a very dynamic regulatory situation today when it comes to global pharmaceutical track and trace regulations. You should be looking for a technology partner who has a long-term interest in meeting the shifting pharma track & trace demands of all the world’s governments. That’s a tall order, and one that demands flexibility and constant attention.
6 thoughts on “Attributes Of A Global Track & Trace Application”
Makes you think, “Who is in the driver’s seat?” Technology or Regulatory?
A nice summary, as usual. Here are some comments/questions:
1. You mention that GS1 standards are important and Brazil has adopted them. But they have not done so for serial numbers as far as I know (SGTIN equivalent). What have they adopted GS1 for and, more importantly, how is what they adopted relevant for Track & Trace?
2. Your explanation for “Certification” sounds like it’s pedigree, but you describe pedigree reporting separately. So I assume it’ something other than pedigree – if so, what is it exactly?
3. You talk about centralized number management as a requirement, but then say the system needs to be flexible since some jurisdictions will give the numbers. Fair enough. But just to add – some companies will consider a third way, which is that the numbers will come from the “bottom up” withint their own operations, such as concatenating date/time with other line-level data.
4. Finally, I was a little surprised that you didn’t specifically call out support for aggregation as a topic to evaluate carefully. I believe that the data management requirement goes up significantly if, in addition to serial number reporting/management, aggregation is required.
Thank you for your comment and questions, and sorry for the delay in responding. I was on vacation in Aruba this past week and that means that we were very busy. We had a great time but left little time for RxTrace after writing this essay on Sunday. Anyway, we’re back home now and I now have time to respond properly.
1. Stephen said: “You mention that GS1 standards are important and Brazil has adopted them. But they have not done so for serial numbers as far as I know (SGTIN equivalent). What have they adopted GS1 for and, more importantly, how is what they adopted relevant for Track & Trace?”
Your question raises another opportunity for me to point out that countries who mention GS1 in their regulations typically only refer to GS1 barcode standards and/or GS1 identification standards, like Global Trade Item Number (GTIN) and Global Location Number (GLN). I’m not aware of any government regulation around the world that mandates any of GS1’s track and trace, data exchange or repository standards. But I consider any mention of GS1 standards to be laying the foundation for the use of these higher-level GS1 standards now and in the future. In fact, if a country does nothing more than mandate that pharmaceuticals be identified by GS1 standard barcodes or RFID, in many cases that strongly implies that one would use GS1’s Serialized GTIN’s (SGTIN’s), though probably not in the case of any country where the government supplies the serial numbers, such as Brazil and Italy.
On the other hand, consider the FDA’s non-binding Standardized Numeric Identifier (SNI) guidance of last year. (See https://www.rxtrace.com/2010/03/fda-aligns-with-gs1-sgtin-for-sndc.html). They didn’t mandate the use of any GS1 standards, but because their SNI definition aligns so well with GS1’s SGTIN (a.k.a., GTIN plus serial number” as GS1 likes to call it in the barcode world), it lays the foundation for them to do a similar alignment with higher-level GS1 standards in their future track and trace guidance. We’ll find out in the next couple of years.
Speaking specifically about Brazil, I was referring to their apparent requirement for use of GS1 barcodes in their regulation. (See the Pharmaceutical Commerce article at http://www.pharmaceuticalcommerce.com/frontEnd/1502-Serialization_Efforts_Energize_Track_and_Trace_Technology.html.) Admittedly, by not mandating the use of GS1 standard identifiers this is a very minimal GS1 reference.
2. Stephen said: “Your explanation for “Certification” sounds like it’s pedigree, but you describe pedigree reporting separately. So I assume it’ something other than pedigree – if so, what is it exactly?”
“Certification” is just as I defined it. It is the attachment of individual or corporate assertions of truthfulness to the track and trace data in order to fulfill specific requirements to do so. Some believe that GS1 EPCIS standard and/or the future GS1 Discovery Services standard used in the form of a track and trace system can be used to fulfill the current California Pedigree Law. If something like that is ever to be accomplished, then certifications must be a part of the data because it is specifically called out in the law as one of the contents of “the pedigree”.
I suggest that you not think that the concept of “certifications” is inseparable or indistinguishable from the concept of “pedigree”. You can easily have a pedigree regulation that does not require certifications (see the U.S. Prescription Drug Marketing Act, PDMA). The concept of “pedigree” is actually fully contained in the “trace” portion of “track and trace”. See my essay about these terms at https://www.rxtrace.com/2010/10/terminology-track-and-trace-and-pedigree.html.
You could define a “track and trace” regulation that also does not require certifications. But in any given regulation that specifies that a full track and trace system must be implemented, nothing would prevent the requirements from including the need for certifications that covers some or all of the data. Without a certification the data probably offers little value in prosecutions of criminals who game the system. See my recent essays on certifications at https://www.rxtrace.com/2010/10/certifications-in-a-california-compliant-drug-pedigree.html and at https://www.rxtrace.com/2011/01/electronic-message-security-and-more-on-certifications.html.
3. Stephen said: “You talk about centralized number management as a requirement, but then say the system needs to be flexible since some jurisdictions will give the numbers. Fair enough. But just to add – some companies will consider a third way, which is that the numbers will come from the “bottom up” within their own operations, such as concatenating date/time with other line-level data.”
A “bottom up” approach to serial number management can work as long as you add “intelligence”, as GS1 calls it, to the numbers. That is, dedicate the most significant X digits of the serial number to indicate the facility that commissioned it. This prevents the assignment of duplicate serial numbers within a given GTIN. GS1 doesn’t recommend the addition of “intelligence” to serial numbers, but I think what they mean is that you not add something that your trading partner must know about in order to extract and interpret some data that is embedded into the serial number. In this case, the intelligence is simply an internal device that serves a valid purpose within your four walls. I don’t see anything wrong with that and, in fact, I have recommended it myself in certain instances.
However, over the many year lifespan of some products, this approach will require you to keep track of your own rules for adding the intelligence so that duplicates are never generated. If you can handle that kind of long-term rule enforcement within your organization, go for it.
4. Stephen said: “Finally, I was a little surprised that you didn’t specifically call out support for aggregation as a topic to evaluate carefully. I believe that the data management requirement goes up significantly if, in addition to serial number reporting/management, aggregation is required.”
You are exactly right. I should have included the attribute of aggregation in my list. Thanks for catching my omission.
Just wanted to follow up on your blog post in regards to South Korea to add some clarification.
South Korea have named GS1 identification standards in their regulation which was revised in January 2008. The law introduces a Korean Drug Code (KDC) – a unique code for identification of individual pharmaceutical products in accordance with GS1 Standards. All drugs must have a GS1 barcode including small items of 15ml(g) or less; All ethical [prescribed] and other specified drugs must have a GS1 Data matrix or GS1-128 to represent the expiration date and lot number. For OTC drugs it’s GTIN only. Their timelines are: From 2010 onwards all drugs including small items must be marked with GS1 barcode with KDC; From 2012 onwards all specified drugs must be marked as described above and From 2013 onwards all ethical drugs must be marked also as described.
In regards to RFID, actually this is a pilot project being run by one of Korea’s major pharmaceutical manufacturers who stated (end 2009) that RFID tags would be attached to every item level of their products. But it is not a government mandate. The Korean government is supporting a separate research project to develop a common platform to proved different services for multiple industries, the first is track and trace for pharmaceutical products. GS1 locally understand that in the future, besides DataMatrix, RFID tags might also be allowed and that serialisation could be mandatory from 2015 onwards. According draft regulation is under discussion at the moment…
Hope that helps!
Thank you for your excellent clarifications. For those who are interested in learning more about the pilot and GS1’s activities around the South Korean pharmaceutical mandate you might contact the GS1 Member Organization in South Korea. They may be able to connect you with others who are involved. Their contact information can be found here.
Comments are closed.