One of the most recent improvements that California made to their drug pedigree law was to spread out the compliance dates by supply chain segment. Previously, all segments had to comply with the regulation by January 2011. Now drug manufacturers will need to comply with half of the products (or sales) by January 2015 and the remainder one year later, distributors must comply by mid-2016 and the pharmacies by mid-2017. As I understand it, this spread was intended to help the industry fully prepare for the new requirements in their businesses. Companies would now have time to adjust to the changes implemented by their upstream trading partners according to their earlier deadlines.
This staggered start pleased a lot of people—particularly distributors and pharmacies. However, to me, the staggered start of the current California regulation doesn’t address the issue of complexity very well and a different kind of ramp up to full operation would be more practical and have better odds for success.
I discussed complexity in my last essay, “U.S. Pharma Supply Chain Complexity”. I tried to show what it is about the supply chain that leads to difficulty in the setup and execution of a drug pedigree system. On its own, the U.S. pharma supply chain is naturally complex. A truly workable and protective pedigree system needs to deal with that natural complexity without exploding in its own complexity and cost. As I pointed out in that essay, the problem with the more popular pedigree models (like DPMS and the various distributed pedigree models) is the large number of the point-to-point data connections that are necessary to reflect the natural complexity of the supply chain. That adds a lot of complexity.
THE PLATEAUS OF SECURITY
No matter which model the industry implements, starting it up will have its own complexities. In my view, regulators and industry should define a clear endpoint for whatever track & trace and/or pedigree model is selected, but they should establish a roadmap to achieve that endpoint over a period of years using what I call “plateaus of security”. The point of using this approach is to help the industry take smaller steps on its way toward the ultimate goal of a fully operational system.
Unlike the staggered start dates for each segment that currently exists, the plateaus approach would require all segments to add some capability and functionality at each plateau. Plateaus would be staggered across a number of years so that all companies could spread the costs of their deployments over a number of budget cycles and they would have time to adjust to each increment of new functional and process complexity until the ultimate goal is reached.
There are many ways one could divide the full adoption of a track & trace / pedigree system across a number of years. Some ways might vary depending on the model selected. To illustrate the concept, here is one way it might be done. I’m not saying this is the best way to do it—that should be worked out between the industry and the regulators. The dates are purely illustrative.
PLATEAU 1. SERIALIZATION, 2016
In this first plateau, pharma manufacturers would be required to put Standardized Numeric Identifiers (SNI’s) on all unit-level packages of prescription drugs, but they wouldn’t need to serialize cases and they wouldn’t need to generate any aggregation information. All downstream trading partners would be required to begin reading the unit-level SNI’s and keep track locally of the information about them (received from, shipped to, etc.) but only if the units are removed from their cases as part of a normal business process. Units received and shipped without being removed from cases would not be read or documented.
PLATEAU 2. SNI AUTHENTICATION, 2018
In this plateau, pharma manufacturers would need to write simple records that define the SNI’s (GS1 EPCIS Commission events perhaps) into a secure data repository that is accessible securely through web access by downstream members of the supply chain. Starting in this plateau, those downstream members would be required to make a web service call whenever they remove units from their manufacturer-packed cases, or when receiving units not packed in a manufacturer’s case. The web service call would simply authenticate that the SNI is valid, return that information to the caller and record which company did the asking. This is a big step because it requires the industry to create new large, secure data repositories and make a bunch of connections. Which model the industry decides to implement would determine how complex this part would be.
PLATEAU 3. AGGREGATION, 2019
In this plateau, manufacturers would be required to serialized shipping cases and document the containment hierarchy of the unit-level SNI’s in each case. Distributors would need to do the same for containers (totes, boxes, etc.) that they ship drugs in. Containment information would need to be passed, or otherwise made available (depending on the model selected) to the next downstream buyer of the drugs. Distributors who sell full manufacturer-packed cases would need to pass, or make available (depending on the model), the manufacturer supplied aggregation information to their customer.
Downstream members of the supply chain would need to read the case/tote serial numbers and may use the supplied aggregation information to “infer” the unit-level SNI’s in their shipping and receiving operations. Whenever units would be unpacked from these shipping containers in any business process the current owner would need to continue to authenticate them using the service established in Plateau 2 and confirm the aggregation against the information supplied by the upstream trading partner.
Aggregation errors would need to be reported back upstream through each prior owner to the company who originally established the aggregation. That company would need to reply, indicating if the discrepancy indicates a potential security breach, or a simple error. Errors would not impede the ability of the current owner to sell the product forward in the supply chain. Of course, those units involved in a potential security breach would need to be quarantined until the issue has been investigated and resolved.
PLATEAU 4. FULL PEDIGREE AND SUPPLY CHAIN TRANSACTION AUTHENTICATION, 2021
In this plateau, all trading partners would be required to update an electronic pedigree or a secure track & trace data repository whenever drugs are bought and sold. Inference would continue to be used in the way described in Plateau 3. All previous supply chain transactions would be checked whenever each drug is bought from an upstream trading partner, whether this check is performed by the buying company or by a contracted third-party (which depends on the model selected). Drugs with incomplete histories would have to be refused by the buyer unless the seller could correct the deficiency.
HOW SHOULD WE MEASURE SUCCESS
Success in any pedigree or track & trace system intended to protect patients and the supply chain should be measured by the following outcomes:
- Criminals cannot introduce illegitimate drugs into the legitimate supply chain without being detected well before patients are threatened;
- Criminals who attempt to scam the system are more easily identified and more easily prosecuted using evidence produced by the new system;
- Legitimate supply chain members can quickly and clearly differentiate between likely criminal activity and innocent unintended errors;
- The number of businesses in the supply chain who enter bankruptcy as the result of the additional compliance costs is minimized;
- The cost added to finished pharmaceuticals delivered to patients as the result of the new complexity is minimized.
Measured this way, I believe that it is possible to achieve a high level of success. The first step is to select the industry model that has the right balance of complexity/cost and risk. The second step is to define an adoption/deployment roadmap that provides a smooth on-ramp to the full system for the entire industry. Failure in either step will likely result in a failed system.