Ever since the E.U. Falsified Medicines Directive (FMD) was passed in 2011 my European friends have touted the fact that their government mandated solution would take a “bookend” approach. The implication was always that it would be much less complex than the ePedigree approaches that were being planned by various U.S. states, and then by the U.S. federal government with the passage in 2013 of the Drug Supply Chain Security Act (DSCSA).
My friends always liked to point out how simple authentication at the point of dispense was. In their eyes, the U.S. approach required a much heavier investment to move documents down the supply chain to maintain a documented chain of ownership for each drug than was necessary to protect patients. In their view, all that was necessary to protect patients was for the manufacturers to put a machine-readable serial number on each drug and provide an electronic authentication service, and every dispenser would use that service to authenticate each drug before it was given to a patient.
That approach does seem simple enough, and adequate for protecting patients. And given the significant differences in the structure, operation and regulatory oversight between the U.S. and the E.U. drug supply chains, I do agree that a simpler approach was warranted in the E.U. than the U.S.. In fact, because the E.U. supply chain is so much more complex, it makes sense to aim serialization efforts at protecting patients directly using authentication at the point of dispense (POD) (see “Product Identifier Authentication”). With the simpler U.S. supply chain, it is believed that patient protection will be one of the indirect results of protecting the supply chain itself from the introduction of illegitimate product, and so the sterilization efforts are aimed at that. I think that’s a logical belief.
But with the final publication of the E.U. Delegated Regulation (EUDR) last month, we can now get a better idea of exactly what will be necessary to accomplish patient protection through POD authentication, and it is surprisingly complex. The basic structure of the “book-end” approach is there, but there are also requirements for wholesale distributors to authenticate a significant number of drugs, and there are requirements that can only be accomplished by the capture and passing of aggregation data down the supply chain (see “Pharma Aggregation: How Companies Are Achieving Perfection Today”). POD authentication was not supposed to require aggregation data, and neither the FMD nor the EUDR mentions it. So aggregation is not mandated, but I believe it will be necessary! Let me explain.
Let’s start by looking at what happens when a dispenser (or as the FMD/EUDR calls them “Persons authorised or entitled to supply medicinal products to the public”) is just about to give a drug to a patient. They will scan the 2D barcode on the pack and wait a split-second (we hope) for the response. If the response says the serial number is OK, then the patient gets the pack and the operation is complete. If the response says that there is a problem with that serial number, the dispenser will withhold that pack and will probably try another one, assuming they have another one in their local inventory.
What must the system do to confidently make the decision that a serial number on a drug is OK and the drug it is attached to may be consumed by a patient? Article 11 of the EUDR says:
“A unique identifier shall be considered authentic when the repositories system contains an active unique identifier with the product code and serial number that are identical to those of the unique identifier being verified.”
An “active unique identifier” is defined in Article 3 as:
“‘active unique identifier’ means a unique identifier which has not been decommissioned or which is no longer decommissioned”.
“‘decommissioning of a unique identifier’ means the operation changing the active status of a unique identifier stored in the repositories system referred to in Article 31 of this Regulation to a status impeding any further successful verification of the authenticity of that unique identifier”.
So an active unique identifier (also referred to by me and others as just a “serial number”, see “DSCSA ‘Serial Numbers’” for a U.S.-focused explanation of my use of this term) must be present in the E.U. system of repositories and not be in a “decommissioned” state. To make a serial number “active” in the E.U. repositories, a manufacturer or repackager must intentionally add it. In the GS1 world, that step is known as “commissioning” a serial number by associating the unique identifier with a physical product instance. Interestingly, the EUDR uses the term “decommission”, but not the term “commission”.
DECOMMISSIONING
Under the EUDR, decommissioning can be done by just about anyone in the supply chain with an account in the system of repositories. This includes manufacturers, repackagers, wholesale distributors and dispensers (“Persons authorised or entitled to supply medicinal products to the public”). Here are the things that require someone to decommission a unique identifier under the EUDR (this is probably not a complete list):
- When it is replaced by a different unique identifier, the old one must be decommissioned. This would be done by a repackaging operation. See Article 16.
- When a product is being exported outside the E.U.. See Article 22(a).
- When a product is returned to a wholesale distributor and it cannot be returned to saleable inventory. See Article 22(b).
- When a product is intended for destruction. See Article 22(c).
- When a product is requested as a sample by competent authorities. See Article 22(d).
- When a person who is authorised or entitled to supply medicinal products to the public, does so. This decommission may occur at any time the medicinal product is in the physical possession of the healthcare institution as long as it occurs before the product is supplied to the public. See Article 25.
- When a dispenser has medicinal products in their physical possession that cannot be returned to wholesalers or manufacturers. See Article 25.
- The person responsible for placing medicinal products on the market, including the original manufacturer or, in the case of parallel imported or parallel distributed, the person who repackages a product and places it on the market, shall decommission that product under the following circumstances (see Article 40):
- When the product is to be recalled or withdrawn;
- When the product has been stolen and the unique identifier is known;
- In E.U. Member States that require it, when a manufacturer, repackager or wholesale distributor intends to distribute to a person or institution as the following [see Articles 19, 22(e) and 23]:
- persons authorised or entitled to supply medicinal products to the public who do not operate within a healthcare institution or within a pharmacy;
- veterinarians and retailers of veterinary medicinal products;
- dental practitioners;
- optometrists and opticians;
- paramedics and emergency medical practitioners;
- armed forces, police and other governmental institutions maintaining stocks of medicinal products for the purposes of civil protection and disaster control;
- universities and other higher education establishments using medicinal products for the purposes of research and education, with the exceptions of healthcare institutions;
- prisons;
- schools;
- hospices;
- nursing homes.
Apparently the persons and institutions in this last sub-list are not expected to have access to the system of repositories and therefore cannot check for authenticity nor decommission unique identifiers themselves.
HERE IS THE PROBLEM
Here’s the problem. The FMD and EUDR do not require the capture, storage or exchange of aggregation data, which is the serial number-based, parent-child relationships of the packaging hierarchy. Typically, aggregation data includes the logical combination of unit-to-bundle, unit-to-case, bundle-to-case and case-to-pallet, depending on how the products are actually packed. Aggregation data is essential any time you need to know the unit-level serial numbers involved in a transaction or step, but the units are currently enclosed within a bundle, or a case or a pallet. It enables the use of “inference” to infer the unit-level serial numbers from the higher level serial numbers without tearing down pallets and opening cases.
So when an EU-based wholesale distributor exports a shipment of drugs to a non-EU country—say, Switzerland, or Turkey, or Norway, or somewhere in Africa—the EUDR requires them to decommission all of the unit-level unique identifiers in that shipment. For that, they will need aggregation data to make it efficient. Further, when a truckload of palletized drugs are stolen anywhere in the E.U. in a major cargo theft, the only way to know which units to decommission will be to have the aggregation data and the case or pallet serial numbers known to be on the truck. Based on history, it is only a matter of time before this happens. For the safety of the citizens of the E.U., it will be critical to decommission these units. Otherwise these illegitimate drugs can appear back in the legitimate E.U. supply and the system will still verify the unit-level serial numbers as authentic. For this reason, I say that aggregation data will be necessary under the FMD.
But because the FMD/EUDR does not require aggregation data, the current design of the system of repositories as they are being built by the European Medicines Verification Organisation (EMVO) (they still appear not to have their own website) is incapable of accepting, storing or exchanging it. Which means that any aggregation data captured by the manufacturer or repackager (or wholesale distributor) will need to be supplied to downstream trading partners outside of the EMVO system of repositories. Such “out-of-band” data transmission will be subject to significant interoperability issues unless someone steps up to establish its contents, format, timing, etc. Who is going to do that?
I have feared for a long time that the “book-end” approach to patient protection may actually encourage criminal activity like cargo theft and diversion (see “What are Pedigree Laws Trying to Accomplish Anyway?”, and “How Counterfeit Avastin Penetrated the U.S. Supply Chain”). If aggregation data is not routinely captured by pharma manufacturers and made available to downstream trading partners in the E.U., I believe that’s exactly what will happen. Criminals will quickly discover that drugs stolen or diverted at certain stages in the supply chain will not be decommissioned, and so they will be easy to unload for a huge profit. The serial numbers will actually cause a false sense of security in this instance.
I hope the larger manufacturers and wholesale distributors serving the E.U. market are already aware of this “hole” in the FMD/EUDR and are planning to provide and make use of aggregation data. We’ll see.
Dirk.
The conclusion is obvious from reading the FMD. There is not a simple things like POD as the entire security of the system relies of the ability to decommissioned the serial numbers. If we want to avoid aggregation, then we need to study additional measure that are definitely not included in the regulation where the serialization information is combined with anti counterfeiting solutions.
Hi, Dirk! Thanks for putting together all my concerns regarding the EU FMD. I cannot stop hoping that EMVO will finally realize this deficiency and do further improvements on the EU-Hub to create the ability of receiving aggregation data.
Well said. Thanks for analysis. Just one minor correction: Norway and Switzerland are part of EU FMD covered area, Norway due to EEA and Switzerland due to opt-in (which was requested by the local industry).