Product Identifier Authentication (PIA)

iStock_000015985566SmallerIn my last essay I touched on the use of Product Identifier Authentication, or PIA, as an alternative to the collection and distribution of aggregation data to allow wholesale distributors and repackagers to meet the verification requirements of the Drug Supply Chain Security Act (DSCSA).  Starting in November of 2018 for repackagers and in November of 2019 for wholesalers, the DSCSA will require these companies to verify that the standardized numerical identifier (SNI)—commonly referred to as “the serial number”—corresponds with one that the manufacturer originally applied to drugs that are found to be suspect, and for any returned drug that will be resold.

As I pointed out in my previous essay (see “The Aggregation Hoax and PIA”), manufacturers and repackagers may be able to choose to pass on aggregation information that would allow wholesale distributors to meet their requirements, or they might choose to offer a PIA service that would allow these companies to check the authenticity of one or more SNIs via a web service.

PROBLEM IS, DISPENSERS CANNOT USE AGGREGATION DATA FOR VERIFICATION

The problem is, dispensers—that is, pharmacies, hospitals and healthcare practitioners who dispense drugs directly to patients—will also have to meet a similar requirement for verifying suspect drugs beginning in November of 2020.  I do not see how dispensers will be able to comply with their DSCSA requirement to “[verify] that the product identifier, including the standardized numerical identifier, […] corresponds with the product identifier for such product…” using aggregation.  That’s because the aggregation data they would be provided would come, not from the manufacturer, but from the wholesale distributor.  Remember that the DSCSA defines the word “verify” to mean determining that the SNI on the product corresponds to the SNI assigned to the product by the manufacturer or repackager.  To verify that the SNI corresponds to the product identifier assigned by the manufacturer, dispensers cannot use aggregation data supplied by their wholesale distributor.  They must go directly to the manufacturer.

It appears to me that the only reason wholesale distributors and repackagers may be able to use aggregation data instead of contacting the manufacturer is that the manufacturer is the entity that would supply them directly with that aggregation data.  Because it is the manufacturer providing that data, they are telling the wholesale distributor that these particular SNIs were assigned by them.  The wholesale distributor can then use that data as their way of determining that the SNIs they later read on drug packages do correspond to SNIs assigned by the manufacturer or repackager.  But that is not possible for the dispensers because they would be supplied a different set of aggregation data which will be generated by their wholesale distributor, not the manufacturer.  It would only be the wholesale distributor who is claiming that these SNIs are valid, and that’s not what the DSCSA requires [see DSCSA Section 582(d)(4)(A) and the DSCSA definition of “Verify”].

MANUFACTURERS MUST RESPOND TO “REQUESTS FOR VERIFICATION”

In fact, the DSCSA requires manufacturers to deploy some kind of service by November 27, 2017, that can be used by all downstream trading partners—including dispensers—to fulfill their verification requirements [see DSCSA Section 582(b)(4)(C), Requests For Verification].  The DSCSA does not require this service to be implemented with computers—manufacturers may take up to 24 hours to respond to any given request—but considering the possibility that the number of requests could skyrocket whenever a widespread suspect drug “scare” occurs (think Avastin), medium to large manufacturers should think twice about relying on phone calls, emails and manual methods to implement this requirement.  For these companies, a PIA service should be very attractive.

AntaresVision.v3
Antares Vision supports cancer research. Click here to learn more.

Also, keep in mind that any downstream trading partner choosing to use aggregation data to fulfill their verification requirement would need to store the aggregation data for all of their incoming shipments for the DSCSA’s full 6 year record-keeping requirement.  This is because an investigation into a suspect drug that would trigger the need to verify the SNI on a package of drugs could occur at any time during those 6 years.  Because this verification requirement for suspect product and saleable returns are the only DSCSA requirements before 2023 that require the use of SNIs, only a tiny fraction of the aggregation data would ever be needed for that purpose.  But these companies would have to store it all, just in case, if they wanted to use aggregation data to avoid using the manufacturers required verification service.

This doesn’t seem to make sense.  Why would a wholesale distributor voluntarily store all aggregation data—a very large amount of data—for six years just to avoid using the manufacturer’s verification service in the rare instance they need to verify a drug?  That’s a huge cost with no real benefit.  Interestingly, the storage of large amounts of data was one of the arguments against the use of GS1’s Drug Pedigree Messaging Standard (DPMS).  I think it applies here even more than it did against DPMS, so I don’t think wholesale distributors are likely to use aggregation data for this purpose.

Even if a manufacturer were to choose to offer wholesale distributors aggregation data so that wholesale distributor customers might be able to fulfill their verification requirement, the manufacturer will still be required to implement the verification service in some way so that others in the supply chain are able to verify their SNIs (and lot numbers too).  Manufacturers will need to decide whether or not the PIA service is implemented as a manual data entry web page, an automated web service, or just a phone number to call or email address to send to verify SNIs and lot data.  If a manufacturer chooses to pass aggregation data, this would be done voluntarily in addition to this mandated verification service.

PIA is a way for any authorized trading partner in the chain of supply to contact the manufacturer or repackager directly and ask if a given SNI corresponds to one that was applied to the product.  It does not require any data to be passed from company to company down the supply chain.  It only requires the manufacturer or repackager to keep a record of which serial numbers are valid for a given product, which is something the DSCSA already requires them to do anyway so this is nothing new.  Offering a PIA service would not require manufacturers to collect aggregation data because all they would need to do is respond about the validity of specific serial numbers—whether package level or case level—and not their containment relationships.

PIA IS THE SAME AUTHENTICATION USED IN POD AUTHENTICATION

PIA is a “new” concept here in the United States because the DSCSA is the first U.S. law that requires “verification”, or “authentication” of serial numbers on products.  But it is not new to companies selling drugs into the European Union market.  Another name for PIA is POD, or “Point of Dispense Authentication”, which is a concept that has been marketed by the European Federation of Pharmaceutical Industries and Associations (EFPIA) and others for a long time as the best solution to securing the European drug supply chain.  The operation of that supply chain is significantly different from that of the U.S. so authenticating package serial numbers at the point of dispense makes sense for reasons that do not exist here.  I have touched on POD authentication in a number of earlier RxTrace essays in comparison with state pedigree laws (see “How Counterfeit Avastin Penetrated the U.S. Supply Chain” and “Illegitimate Drugs In The U.S. Supply Chain: Needle In A Haystack”).  The only real difference in these models is exactly when product identifiers must be authenticated.

Using the PIA approach to meet the DSCSA can be accommodated in such a way that downstream companies would use a single, lightweight directory service to find the PIA service for a given product.  In this way, companies would not need to figure out which manufacturer-specific PIA service they need to contact and they would not need to maintain a directory of their own, but would contact the same directory service each time.  It could work the same here in the U.S. to meet the DSCSA verification requirements as it would to meet any POD authentication requirements in the E.U.  A single service serving the two largest markets in the world would really help economize the investments that pharma manufacturers will need to make to meet these two laws.

What we need is a standard for the directory service, the message choreography, the messages themselves, the data, and the security mechanisms.  If you want to help define these things, I recommend that you join GS1’s Event Based Traceability (EBT) work group at the global level.  That’s where these things are being, or will be, worked out.  Fortunately, GS1 already has the simple, lightweight directory service.  It’s called Object Name Service (ONS) and it was designed to work in a way that is analogous to the Domain Name System (DNS) that is called on your behalf every time you use a web browser and some smartphone apps.

Manufacturers will need to decide if they wish to collect and pass aggregation data to their immediate customers.  They will also need to decide if they will implement a PIA service before November 2017 or just take verification requests via phone or email.  The decisions will need to be made early enough so that systems and Standard Operating Procedures (SOPs) for verification can be developed, tested and deployed.  Ideally, a single, standard approach to a PIA service used by all manufacturers choosing to automate it would be the ideal situation so that downstream trading partners only need to implement a single capability for all products.  To achieve that level of agreement would require some organization, education and debate.  Where is that going to occur?  PDSA?  HDMA?  NACDS?  GS1?  GS1 US?  GS1 Germany?  GS1 Healthcare?  NCPDP?  One of these organizations should pick up this ball and carry it to a decision.  The clock is running.

I am going to deliver a webinar along with Grant Hodgkins of USDM on June 26 entitled “The Latest Drug Supply Chain Security Act (DSCSA) News” where we will have a few things to say about this and other DSCSA topics.  You can register for that event here.

In my view, there is no DSCSA requirement and no benefit for manufacturers to pass aggregation data to their customers.  And wholesale distributors have no real need for that data either, until 2023.  Disagree?  Leave a comment below.

Dirk.