Drug verification is at the heart of most pharma serialization regulations. It is the point at which someone in the supply chain or a patient uses the unique identifier on the drug package to determine that the drug is probably authentic, or definitely is not. We can tell a lot about the intent of a given serialization regulation by looking at the specific language that determines by whom and when a unique identifier must be verified.
I’ve written about the E.U., U.S. and Brazil unique identifiers (see “The ‘Unique Identifier’ in the EU Delegated Act”, “The DSCSA Product Identifier On Drug Packages”, and “The ANVISA Unique Medicine Identifier (IUM) on Drug Packages”), but what does each regulation say about the verification of those identifiers? Of course, the Brazil regulation is currently under reconsideration (see “The Official Suspension of the Three-Lot Pilot in Brazil“) so we can set it aside for now, but we can compare the verification requirements of the E.U. Delegated Regulation (EUDR) and the U.S. Drug Supply Chain Security Act (DSCSA) (see also “Product Identifier Authentication (PIA)”).
A few weeks ago I published an essay that compared the data, human-readable and machine-readable image requirements of the EUDR and the DSCSA (see “Meeting U.S. and E.U. Drug Serialization Requirements With A Single Solution”). This current essay will be a good complement to that one.
The EUDR contains a nice explanation of when products should be verified in paragraph (4) of the introduction. It reads, in part:
“This Regulation sets out a system where the identification and the authentication of medicinal products is guaranteed by an end-to-end verification of all medicinal products bearing the safety features, supplemented by the verification by wholesalers of certain medicinal products at higher risk of falsification. In practice, the authenticity and integrity of the safety features placed on the packaging of a medicinal product at the beginning of the supply chain should be verified at the time the medicinal product is supplied to the public, although certain derogations may apply. However, medicinal products at higher risk of falsification should be additionally verified by wholesalers throughout the supply chain, to minimise the risk of falsified medicinal products circulating undetected for lengthy periods of time.”
Reading further, this paragraph provides a high-level explanation of how verification works under the EUDR:
“The verification of the authenticity of a unique identifier should be performed by comparing that unique identifier with the legitimate unique identifiers stored in a repositories system. …”
Paragraph (15) of the EUDR introduction differentiates the aims of the two safety features that are defined by the regulation, the anti-tampering device and the unique identifier:
“The verification of both safety features is necessary to ensure the authenticity of a medicinal product in an end-to-end verification system. The verification of the authenticity of the unique identifier aims at ensuring that the medicinal product originates from the legitimate manufacturer. The verification of the integrity of the anti- tampering device shows whether the packaging has been opened or altered since it left the manufacturer, thereby ensuring that the content of the packaging is authentic.”
Paragraph (24) explains the benefits of unique identifier verification:
“The verification of the authenticity of a unique identifier is not only paramount to the authentication of a medicinal product but also informs the person performing the operation of whether that product is expired, recalled, withdrawn or indicated as stolen. Persons authorised or entitled to supply medicinal products to the public should verify the authenticity and decommission a unique identifier at the time the medicinal product is supplied to the public so to access the most up-to-date information concerning the product and avoid that products which are expired, recalled, withdrawn or indicated as stolen are supplied to the public.”
Interestingly, the EUDR allows wholesale distributors to verify products that are at a higher risk of being falsified to perform the verification step at either the item-level or a higher aggregated code level, which would allow “…the simultaneous verification of multiple unique identifiers”. Paragraph (20) of the introduction reads:
“The verification by wholesalers of the authenticity of medicinal products at higher risk of being falsified would be equally effective whether performed by scanning individual unique identifiers or an aggregated code allowing the simultaneous verification of multiple unique identifiers. In addition, the verification could be performed at any time between the reception of the medicinal product by the wholesaler and its further distribution, to equal results. For those reasons, it should be left to the choice of the wholesaler whether to scan individual unique identifiers or aggregated codes, where available, or the timing of the verification, provided that the wholesaler ensures the verification of all unique identifiers of those products at higher risk of falsification in his physical possession, as required by this Regulation.”
As I have pointed out in earlier essays referenced above, the EUDR defines the term “unique identifier” to include all of the data fields that must be encoded into the datamatrix barcode. For that reason, “verification” of the “unique identifier” by “…comparing that unique identifier [on the product package] with the legitimate unique identifiers stored in a repositories system” means that the following data must be compared each time:
- product code;
- serial number;
- national drug registration number (where required);
- lot #; and
- expiration date.
First, the term “Product Identifier” is defined in Section 581(14) of the DSCSA as:
“ PRODUCT IDENTIFIER.—The term ‘product identifier’ means a standardized graphic that includes, in both human-readable form and on a machine-readable data carrier that conforms to the standards developed by a widely recognized international standards development organization, the standardized numerical identifier, lot number, and expiration date of the product.”
The “standardized numerical identifier” (SNI) was defined by the FDA back in 2010 in a final guidance document (see “Anatomy Of An FDA SNI” but remember, the California Pedigree Law no longer exists) as the drug’s National Drug Code (NDC) combined with a unique serial number. So the DSCSA product identifier must contain the drug’s
- serial number;
- lot number; and
- expiration date.
The DSCSA explicitly defines the terms “Verification or Verify” in Section 581(28):
“VERIFICATION OR VERIFY.—The term ‘verification’ or ‘verify’ means determining whether the product identifier affixed to, or imprinted upon, a package or homogeneous case corresponds to the standardized numerical identifier or lot number and expiration date assigned to the product by the manufacturer or the repackager, as applicable in accordance with section 582.”
Section 582(a)(9)(a)(B) provides some indication of how a product identifier may be “verified”:
“verification of the product identifier may occur by using human-readable or machine-readable methods.”
So under the DSCSA, verification occurs when someone compares either the NDC and serial number, or the lot number and expiration date contained within the product identifier printed on the package in either human- or machine-readable methods, with the set of those assigned to that product by the manufacturer or the repackager.
This is slightly modified by Section 582(b)(4)(C) which explains what drug manufacturers must do when they receive requests for verification after November 27, 2017 (drug repackagers have a comparable requirement after November 27, 2018):
“REQUESTS FOR VERIFICATION.—Beginning [November 27, 2017], upon receiving a request for verification from an authorized repackager, wholesale distributor, or dispenser that is in possession or control of a product such person believes to be manufactured by such manufacturer, a manufacturer shall, not later than 24 hours after receiving the request for verification or in other such reasonable time as determined by the [FDA], based on the circumstances of the request, notify the person making the request whether the product identifier, including the standardized numerical identifier, that is the subject of the request corresponds to the product identifier affixed or imprinted by the manufacturer. If a manufacturer responding to a request for verification identifies a product identifier that does not correspond to that affixed or imprinted by the manufacturer, the manufacturer shall treat such product as suspect product and conduct an investigation as described in subparagraph (A). If the manufacturer has reason to believe the product is an illegitimate product, the manufacturer shall advise the person making the request of such belief at the time such manufacturer responds to the request for verification.”
So after November 27, 2017, the same date after which drugs packaged by the manufacturer must contain the DSCSA Product Identifier, verification by the manufacturer requires the comparison of the entire “product identifier”, not either the SNI, or the Lot and Expiration date. Because “product identifier” is defined as the NDC, serial number, lot and expiration date, this seems to imply that after that date, drugs without a serial number cannot technically be “verified” by a manufacturer. This appears to be confirmed by the wholesale distributor requirements for handling the verification of saleable returned product in Section 582(c)(4)(D) after November 27, 2019:
“…the wholesale distributor shall verify the product identifier, including the standardized numerical identifier, for each sealed homogeneous case of such product or, if such product is not in a sealed homogeneous case, verify the product identifier, including the standardized numerical identifier, on each package.”
The same reference to the “product identifier” is used for the verification of saleable returned product for repackagers. This DSCSA section also demonstrates that, like the EUDR, wholesale distributors may choose to verify drugs using the case-level product identifier, as long as the case is homogeneous in makeup and is still sealed (although there is nothing in the DSCSA like the EUDR anti-tamper device requirement). However, this does not imply that aggregation data must be included.
All segments of the supply chain must also verify drugs that are found to be “suspect”, but there is a very subtle difference in the language between those similarly focused sections. The manufacturer, repackager and wholesale distributor’s section regarding verification of suspect product requires “…verifying the product at the package level, including the standardized numerical identifier” (after a period of years from enactment) without using the term “product identifier”. But the comparable sections for dispensers investigating suspect product requires “…verify the product identifier…”.
It is hard to tell whether these semantic differences were carefully crafted by the authors to establish some hair-splitting compliance actions, or if they are just the result of a large complex document being developed over a number of years by a large group of people, each with differing interests and objectives. It will be up to the FDA to determine exactly how they intend to interpret these differences and how they will enforce them. Just don’t expect them to tell us anytime soon.
Of course, on November 27, 2023 the entire definition and use of verification will change to fit into the Enhanced Drug Distribution Security (EDDS) system that the FDA must define in guidance between now and then. At this time it is almost impossible to have confidence just what that guidance will specify, except maybe that it will somehow make greater use of GS1’s EPCIS standard. This will be the objective of multiple industry pilots, public meetings and dockets over the next 5 or 6 years (see “FDA To Hold DSCSA Pilots Workshop”).
WHAT DOES ALL THIS MEAN?
There appear to be a lot of similarities between the EUDR and the DSCSA regarding drug verification, but the plain language used in the EUDR make it more clear when verification is required, and how it works. We know that the DSCSA was written by that large and diverse group of people, and it appears that the EUDR was written by a smaller group of very focused people who perhaps shared a common set of goals.
That’s one way to explain the difference in clarity, but there are other big differences that contributes to the difference in clarity. One is that I only quoted from the introduction of the EUDR but I quoted from the actual regulatory text of the DSCSA. In fact, the introduction is a very nice addition to the EUDR because it allowed the authors to explain in prose how things are intended to work before they get to the actual, more stilted regulations that impose it all.
Also, the DSCSA was intended to allow the industry to transition to the more complex and costly requirements over a period of years so that the full cost could be spread over multiple financial years and therefore multiple budgets. Each segment has a different schedule. The EUDR is designed as a Big Bang, with all requirements taking effect for all segments on the same day (see “Insufficient Transitional Measures Doom The FMD-EUDA”). The former is a lot harder to do clearly than the latter.
The differences between how verification is performed between the E.U. and the U.S. will not be too great, but the differences between when and how often is big. In the E.U., every drug must be verified by the dispenser before it is dispensed or administered to a patient. In the U.S., prior to 2023, the only drugs that will be verified will be those that are viewed by someone as “suspect”, and those saleable drugs that are being returned to someone. It will be interesting to watch how smoothly things roll out between the two markets.
Remember, the price of the second edition of “The Drug Supply Chain Security Act Explained” is much lower than it was for the first edition eBook. This paperback is only $59.99 and available at www.CreateSpace.com using your Amazon.com login credentials, or directly from Amazon. If you need to understand the DSCSA and all of its implications I suggest you get a copy.