Pharmaceutical manufacturers should be aware that there is a lot of uninformed misinformation going around out there lately about the need for them to supply aggregation data to their trading partners to meet the Drug Supply Chain Security Act (DSCSA) (for more on aggregation, see “Pharma Aggregation: How Companies Are Achieving Perfection Today”, “DQSA: Will U.S. Pharma Distributors Mandate Aggregation Data In Phase 1?”, and “Does The DQSA Require Manufacturers To Provide Aggregation Data? Survey Says…”). In my view, prior to 2023 you can collect aggregation data if you want to, but don’t let anyone tell you that the DSCSA requires you to. It doesn’t. And I also encourage you to be skeptical of any claims that wholesale distributors will not accept your product anytime soon unless you provide them with aggregation data. Feel free to ask them to confirm or deny it, but I believe it is very unlikely they will even be capable of accepting, let alone making any use of massive quantities of aggregation data for many years to come. Pilot quantities, yes. Massive quantities—from every supplier—no.
To be accurate, I am not a lawyer so for interpreting the DSCSA, check with your internal counsel, but I can tell you I am not alone in my understanding. I was on a panel at a conference a couple of weeks ago and a co-panelist from a large manufacturer shared my opinion. And I listened in on one of those monthly DSCSA calls offered by one of the major wholesale distributors last week, when a caller raised the topic. After the wholesaler somewhat fumbled the question about requiring aggregation data sometime in the future, someone else from a large manufacturer burst in to say that his company had been a member of the Pharmaceutical Distribution Security Alliance (PDSA) who had worked on proposed language for the DSCSA last year and he explained that the intent of the current language was to ensure that aggregation was not needed prior to 2023. That’s when the DSCSA shifts into what is called the Enhanced Drug Distribution Security (EDDS) phase. He also wanted to make it clear that his company had no intention of supplying aggregation data to anyone until just prior to that time (I’m paraphrasing here).
I was not a party to the negotiations that went on behind closed doors between the PDSA, FDA, Congressional staff and others to develop the text of the DSCSA that was eventually enacted. Of course, the final text of HR 3204 was the sole responsibility of the members of Congress, but the underlying desire of the politicians was to develop a law that the industry could live with and (hopefully) support. In the end, most people think they were successful. I’m not aware of any significant segment or organization in the supply chain that did not support the enactment of the DSCSA.
I think it’s not perfect, but the process resulted in something that can work, and I think it will have a positive impact on securing the supply chain. But in order to get the PDSA to support the bill in general, certain characteristics needed to be present. In my reading of the DSCSA text, I can see different clauses that were clearly required by different segments of the supply chain so that they would support the bill. One of those characteristics is certainly the one that drug manufacturers would not be required to collect and provide aggregation data to anyone prior to 2023. Without that one characteristic I think the pharma manufacturers and their industry organizations would have walked away. But they didn’t walk, and that’s because, they got it. No amount of reading between the lines or bending certain clauses will bring mandatory aggregation back until 2023.
THE OTHER SIDE OF THIS ARGUMENT
The argument in support of mandatory aggregation data beginning on November 27, 2019 goes something like this. On that date, when investigating suspect product, wholesale distributors must begin to verify “…the product at the package level, including the standardized numerical identifier” [from DSCSA, Section 582(c)(4)(A)(i)(II)]. The same goes for saleable returns [DSCSA, Section 582(c)(4)(D)]. How can the distributor “verify” the product, including the SNI, without receiving aggregation data?
Let’s back up a little and start with the DSCSA definition of the word “verify”. Remember, I warned readers not to skip the DQSA definition of terms section (see “Don’t Skip The DQSA Definition of Terms Section”). For a full section-by-section explanation of the DSCSA, see my book “The Drug Supply Chain Security Act Explained”. Anyway, the definition is:
“(28) VERIFICATION OR VERIFY.—
The term ‘verification’ or ‘verify’ means determining whether the product identifier affixed to, or imprinted upon, a package or homogeneous case corresponds to the standardized numerical identifier or lot number and expiration date assigned to the product by the manufacturer or the repackager, as applicable in accordance with section 582.”
The key word here is “or”, as in “…the standardized numerical identifier or lot number…”. But, the clauses I referenced by section numbers above effectively modifies this definition for wholesale distributors when investigating suspect product or saleable returned drugs after November 27, 2019. The modification results in requiring the verification process to always include verifying the SNI of the homogeneous case, or, the package if the product is not in a sealed homogeneous case. Of course, if the manufacturer had previously provided the wholesale distributor with accurate aggregation data, the distributor could simply look up each SNI in the collection of suspect or returned cases or units to “verify” that they match SNI’s that the manufacturer or repackager affixed. But this isn’t the only way to verify that the manufacturer or repackager affixed the SNI. The distributor could simply contact the manufacturer or repackger and ask them if these SNI’s are valid.
PRODUCT IDENTIFIER AUTHENTICATION SERVICES—PIAs
Smaller manufacturers and repackagers may be able to get by with responding to these requests through emails. But if investigations into suspect drugs and saleable returns are frequent occurrences (saleable returns happen pretty frequently for some products), larger manufacturers are not going to want to receive a bunch of phone calls or emails asking them to verify sets of SNIs. But collecting and distributing accurate aggregation data is not likely to be the most cost effective way to address this problem in 2019. I suspect that these manufacturers will deploy something known as “Product Identifier Authentication” (PIA) services instead.
A PIA is a web-based service that authorized companies can use to confirm that a given product identifier—the SNI in this case—is authentic. That is, that the SNI was affixed to a product that was sold into the supply chain by the manufacturer or repackager. These services will be much less costly than aggregation systems and they are a logical extension to the GS1 EPCIS-based serialization event repositories that most pharma manufacturers and repackagers are likely to have deployed by the end of 2017 to meet the serialization requirement of the DSCSA.
It just so happens that GS1 has been working on a PIA capability that will make use of the EPCIS standard as part of their Event Based Traceability work group. PIA is just one of several workstreams that group is working on.
WHY INVEST IN AGGREGATION BEFORE THE REGULATIONS REQUIRE YOU TO? HERE’S WHY…
Eventually pharma manufacturers will probably be required by the DSCSA to invest in full aggregation data collection, but not before the end of 2023. This results in what I referred to back in 2011 as “plateaus” of pharma supply chain security. A nicely paced upward ramp of security measures that has multiple “plateaus” which allow companies to stabilize their IT environments and business operations before being required to deploy the next level of security functionality (see “Plateaus of Pharma Supply Chain Security”, and “SNI’s Are Not Enough In a Plateau-Based Supply Chain Security Approach”). Manufacturers will deploy serialization by the end of 2017 (repackagers by the end of 2018) for one major plateau, which will last for a couple of years before the need for the next plateau, which will include the PIA by the end of 2019. That plateau will last a few more years until the beginning of the next plateau, which will begin at the end of 2023 and will probably include aggregation. (I say “probably” here and elsewhere because we don’t know yet exactly what role aggregation will play in the EDDS phase that begins in 2023. It is slightly possible that smoothly operating PIA systems could eliminate the need for aggregation even then.)
(A unique twist to the timeline spelled out by the DSCSA is that repackagers will be required to verify the manufacturer’s SNI during investigations of suspect product starting on November 27, 2018, one year prior to wholesale distributors. The volume of drugs that are repackaged for the U.S. market is so small that I don’t think this will cause many drug manufacturers to deploy PIAs before November of 2019, but that is a possibility.)
So if I just went to great lengths to explain how and why the DSCSA does not require aggregation data collection, why do I then say that manufacturers and repackagers should voluntarily capture it anyway? Because by capturing it and keeping it in-house they will be able to know exactly which initial customer was shipped a given package of drugs, even though it was buried inside of a case and the case was buried on top of a pallet when the order was fulfilled. By keeping the aggregation data in-house it does not have to be perfect every time and occasional lapses in accuracy will not result in good product to be quarantined throughout the supply chain, as it might if that data were provided to customers. This difference in the accuracy needed in the aggregation data collected between these two approaches leads to a big difference in the cost of implementation.
Later, when that PIA authentication request comes in during a suspect or saleable return drug investigation at a wholesale distributor or elsewhere, the manufacturer or repackager will know exactly which customer originally received that product and when and can use that knowledge as part of their determination of the validity of the request. This could be valuable information that could expedite these kinds of investigations—either removing suspicion or elevating it. It may also provide clues about which customers are complying with the manufacturer’s distribution services agreements (DSA) and which may not.
If aggregation data is a pharma manufacturer’s enemy, then a PIA is a pharma manufacturer’s friend. The “plateau” between 2017 and 2019 is the time to get these services working smoothly and perhaps demonstrate that sending aggregation data down the supply chain may not even be necessary in 2023.
Let’s all agree that the DSCSA does not require drug manufacturers and repackagers to pass aggregation data before 2023 and move on. Pretending otherwise will lead to companies making investments based on inaccurate information, which can only lead to waste and inefficiency. Those offering aggregation systems should sell them based on the actual benefits so that buyers can maximize the value of their investments. When that happens, everyone wins.
In a future essay I will tie this concept to the need to randomize serial numbers for the U.S. market, even though the DSCSA does not require it. Watch for that.
Comments? Leave them below and let’s debate it.