How the DQSA Will–And Won’t–Protect The Supply Chain, Part 2

Superhero right to leftLast week I published an overly long essay about how the supply chain provisions of the new U.S. Federal DQSA will and won’t protect the pharma supply chain.  Believe it or not, I had more to say on the subject, but because that essay was already too long, I withheld my additional thoughts until now.  Part 1 took another look at a number of supply chain crimes that have occurred over the last 5 to 6 years and attempted to determine how the new Drug Supply Chain Security Act (DSCSA) that is contained within the DQSA will add new protections that will or won’t help prevent crimes like them in the future.

In this Part 2 essay I want to look at the issue in a different way.  I’d like to compare the approach that the California pedigree law was going to take with that of the new DSCSA, and also compare them with the authentication at the point of dispense (PoD) approach that has taken hold in Europe and perhaps elsewhere.  From this comparison we can learn something important that is not immediately obvious.  First, California.


The California law was to require unique serial numbers on every drug package that was distributed into the State by 2015 and 2016.  Just to be clear, it has now been preempted by the Federal DQSA/DSCSA and so it now longer exists.  I am only looking at it in retrospect to explain the way it was designed to protect the supply chain.  That protection did not come so much the unique serial number—that was only needed as a database lookup key to assist with finding and updating the epedigree associated with each package—it came from the fact that each company who bought drugs were expected to check the validity of the pedigrees they received.  The protection came from that check.  California pedigrees protected the supply chain by securing the transaction history documented within the pedigrees.  The transaction histories were to be secured through digital signatures (the same technology that makes Bitcoins impossible to counterfeit by the way).

Criminals could easily copy the serial numbers from legitimate drug packages and apply them to their counterfeit packages, but they couldn’t copy the epedigrees without easy detection by the buying company when they performed their check.  You can’t counterfeit a digital signature unless you have the owner’s private key, which they are obligated to keep secret (see the Wikipedia article, “Public-key Infrastructure”).

But companies didn’t like the idea of having to check every digital signature on every epedigree, which could have been one for every drug package in the supply chain.  That’s a lot of checking and a lot more CPU cycles.  So when the DSCSA language was being debated by Congressional staff and the industry, through the Pharmaceutical Distribution Security Alliance (PDSA), a different way of protecting the supply chain was sought.


The DSCSA will begin requiring unique serial numbers on every drug package throughout the U.S. supply chain in late 2017.  The law does not require the use of digital signatures or the protection of the contents of the transaction histories that must be passed from the seller to the buyer.  Instead, the seller must provide a transaction statement which asserts that the history is accurate and has not been knowingly modified.  There is no such thing as a check of the transaction history.

But there is the concept of product identifier authentication (PIA), called “verification” in the DSCSA.  Anytime someone in the supply chain becomes suspicious that a drug might not be what it seems, a supply chain member or regulator can exercise the manufacturer’s verification system to check the validity of the NDC, lot number or serial number.  The DSCSA mandates the deployment of the manufacturer’s verification system by late 2017, although it does not place any technology requirements on that service so it could be based on a manual/visual lookup/response, or an internet-based automated lookup/response.  The drug manufacturer will have 24 hours to respond to any request for verification so there is no realtime response requirement for at least the first 10 years.  The main reason a manufacturer will want to automate this service is because of the potential volume of requests.

In my opinion, the protection of the supply chain by the DSCSA comes from the ability to prosecute those who are found to have violated their assertion that they did not knowingly modify the transaction history they provided the buyer.  Criminals probably won’t fear that very much because there is no way for the buyer to check its truthfulness, so that alone probably won’t have much of an effect on their willingness to forge transaction histories.  If a criminal can copy the serial numbers on legitimate drug packages and forge the transaction histories, it might take a while before anyone becomes suspicious of the counterfeits and that might provide the criminal enough time to get paid and get away.

One way to thwart these criminals is to make it difficult to figure out which serial numbers are legitimate.  Under the California law it was not really beneficial for companies to randomize their serial numbers because the protection came from securing the transaction histories within the pedigrees.  But without a way to secure the transaction histories, the only thing left is to randomize the serial numbers.  As long as the counterfeiter does not have access to a large number of valid serial numbers, they would only be left to guess which numbers are real and which are not.  Randomizing in a way that ensures that you can’t figure out which serial numbers are valid, even if you know one or even a handful of valid serial numbers, would enable the manufacturer’s PIA service to detect any serial numbers that were just guessed at.  This relies on the fact that there are many times more possible invalid serial numbers than there are valid serial numbers.  Of course, this still requires someone to get suspicious of something before they are required to request the PIA check (the “verification” check, to use the language of the DSCSA).

So why does the DSCSA not require randomization of serial numbers?  I don’t know, so it is up to each manufacturer to recognize that it is to their own advantage as a brand protection mechanism to randomize their serial numbers.  Companies who were not planning to randomize for California should change their direction and add randomization capabilities to their serialization solutions before the 2017 date.


This is exactly the mechanism the E.U. Falsified Medicines Directive (FMD) will use to protect the drug supply chain when it becomes effective in the next few years as well (see Mark Davison’s recent essay, “Transatlantic Alignment”).  The FMD and the associated Delegated Act (to be enacted in 2014) will require randomization of serial numbers because the authors recognized that serial number non-determinism is critical to the success of their approach.  Both China and Brazil also require serial number randomization for the same reason.  Anywhere authentication of the drug identifier and serial number at the point of dispense is employed, serial number randomization will be essential to blocking and detecting criminal activity.


California did not need randomization because the primary protection mechanism was going to be the immutability of the epedigrees themselves.  Regulatory approaches that do not require immutable pedigrees will then need to use randomized serial numbers as their primary protection mechanism.

So what exactly is a random serial number and how do you create them?  Those are topics for future essays.  Stay tuned as we take a closer look at serial number randomization including a special interview with GS1 standards expert Ken Traub.


5 thoughts on “How the DQSA Will–And Won’t–Protect The Supply Chain, Part 2”

  1. Compared to the California e-Pedigree regulations, the new DSCSA regulations do not do very much for the Pharmacy purchasing drugs to assure that what they have received from their supply is “safe”. Assuming that the parties that counterfeit drugs are going to get more sophisticated with time, they are going to leave little opportunity for your average pharmacy receiving products to “suspect” that there might be a problem. Combine that with the fact that your average pharmacy receives hundreds of items each day and you create an environment where other issues that need handling will take a higher priority.

    In some regards, this reminds be of the driver’s license check that occurs when someone gets pulled over for a possible driving infraction. Currently, when the driver is stopped, the police officer obtains the driver’s license and “runs it” (i.e., enters it into the Department of Motor Vehicles, DMV, database). The system responds with history information about that particular driver, including whether or not the license information is valid. To me, that sounds like the previous California e-Pedigree system; everything is checked as it comes to the person at the point of the stick (the pharmacy in this case, the police officer in the DMV example).

    Using the police stop analogy mirrored after the new DSCSA regulations, the police officer would only “look at the driver’s license” and as long as it “looks OK” nothing else would be done. You won’t catch many crooks that way and, in fact, it may create the opportunity for more crooks, since it is easy to beat the system. This all sounds like a giant STEP BACKWARDS to me. This whole issue of CPU cycles is STUPID. We have computer systems today that can easily handle the volume of transactions needed to support real-time verification similar to what California was proposing (if you don’t believe me, talk to Amazon, they’ve figured it out).

    Most modern pharmacies (particularly hospital pharmacies), scan items that come into the pharmacy to load them into the pharmacies inventory management system and to check what the distributor provided to them. I would be designing a system that at the point of scanning the product into inventory, that it would automatically send a PIA (product identification authentication) Verification request to the vendor. I would also demand that the primary drug wholesaler that I did business with would also be doing the same PIA verification for EVERYTHING that they brought into their system. This is the only way that we are going to be able to protect the patients that we (healthcare providers) take care of. Without that type of verification, we will be following my STUPID DMV license checking mechanism which is designed NOT to catch problems before harm can be done to the general public.

    1. Ray,
      I like your driver’s license check analogy. The DSCSA does not seem to limit what it is that may cause a member of the supply chain to feel suspicious about a drug package. Pharmacies that buy from sources other than a direct-purchase wholesaler may wish to exercise the manufacturer’s PIA service for the first few shipments received and then periodically as a general practice. I suppose nothing prevents them from doing that with every drug they receive, regardless.

      I’ve said for quite a while that any PIA system deployed by manufacturers–even those that are optional–must be developed with enough CPU and internet connection horsepower to be able to respond to verification requests for every drug package they sell. In case of some unforeseen national terrorism event that calls into question every drug package out there, you will find that everyone is checking everything overnight. Your systems have to be able to handle that kind of overnight spike in usage.


  2. Ray, Dirk,
    Unit scanning in the pharmacy with an auto check back to the manufacturer would be logical check for verification from the initial product source.
    Pharmacies on the other hand are being to their limit on prescriptions processed, checked, and issued in a timely manner. Scanning 2D bar codes for every daily received unit is not currently in the work stream. Jumping to RFID would ease that pain. As I inquired to pharmacists that this may be a good solution to identifying counterfeit meds, the response was the same; Are you nuts? we’re crazy busy now, let alone with another med “check.”
    Establishing an interoperative system is an excellent answer that starts with the manufacturer. Who will be the payor? The electronic and suupply chain solutions are the easy part. Implementation is tricky.
    Amazon, I-tunes, and Departments of Motor vehicles have spent much time and money developing their respective systems. The pharmaceutical supply chain can take the lessons learned and apply them, but the resource investment is still significant.
    Another logical solution would be to employ a non-profit interoperable check system which is funded by all members of the supply chain to spread the costs among the users.

    1. Geoffrey,
      Pharmacists may be crazy busy now but if it is found to be necessary that they scan a 2D barcode on every drug package they receive each day in order to protect their patients, then they will just have to make time and do their jobs. If it is not necessary to take that time then they should not be asked to do it. So the question is: Is it necessary?

      RFID is not an acceptable solution for the kind of accuracy necessary. The technology is seeing a big surge in use in the apparel industry, but those use cases provide an ROI even if they are only 80% accurate. You should take notice of RFID for use in the pharma supply chain as soon as you hear that Kohls is allowing customers to pass their shopping cart through a scanner at checkout and letting the customer walk out without someone looking at the contents individually. That would require 99.99% accuracy. That’s the kind of use case and accuracy we would expect for a pharmacy but is not possible with today’s RFID technology and so no one at Kohls or anywhere else is talking about it.

      And besides, pharmacies won’t want to pay for manufacturer’s to put RFID tags on all of their packages. In fact, no one will. RFID won’t make a dent in the pharma supply chain until someone is willing to pay for it. And don’t make the taxpayers pay for it if it isn’t at least 99.99% accurate AND reduces the workload for supply chain companies instead of increasing it.


  3. This debate all reflects back on the fact that the federal system converted a true “track & trace” system designed by California and watered it down to a “trace-able” system. Until the industry aligns itself by tying payments to scans, i.e. “buying & selling serial numbers” on the packages as the currency of pharmaceuticals trade, we again are designing and implementing a system of trust with the capability of verification instead of PIA at each node of transfer. The notion of each trading “partner” harboring commercial information for fear of being dis-intermediated out of the chain or losing competitive advantage is archaic and leaves us all vulnerable to many trade violations including unauthorized diversion and fraud. A true track & trace system would “clean up” the supply chain resulting in better inventory management for everyone, reduction in expired inventory, improved recall processes, reduction in drug shortages due to better supply/demand balancing, ELIMINATION of costly chargeback reconciliations and reduction of returns errors/fraud. This is just another example of how health care is lagging in adoption of electronic business intelligence systems which could help improve the efficiency and effectiveness of the tasks which deliver safe medicines to our patients. If in fact the US drug supply chain is 99.5% safe, then lets flip the T&T switch and go beyond just being compliant to DQSA and make our supply chains 99.5% efficient as well.

Comments are closed.