More Concerns With The FMD/EUDR Big Bang Start

The key part of Article 50 of the European Union Delegated Regulation (EUDR) says:  “This Regulation…shall apply from 9 February 2019.”  That’s the date of the “big bang”—the date everything takes effect.  On that date, all drugs entering E.U. markets (except in Italy, Belgium and Greece) must contain the two safety features called out by the regulation on their packaging, including an anti-tamper device and a compliant Unique Identifier (see “The ‘Unique Identifier’ in the EU Delegated Act”).  It is the date by which “National Competent Authorities” in each of the EU member states (except the three listed above) must offer a data repository for the covered drug products that are targeted at their local market.  And it is the date on which dispensers (called “persons authorised or entitled to supply medicinal products to the public” in the text) must begin using the system of repositories to “…verify the safety features and decommission the unique identifier of any medicinal product bearing the safety features they supply to the public…”.  All on the same day.  The day of the “big bang”.

This “big bang” start will result in some problems.  I’ve already written about one of them (see “Insufficient Transitional Measures Doom The FMD-EUDA”), but there is another.  This one has to do with the core principles that the entire Falsified Medicines Directive and EUDR are based on.

TO EASE THE PAIN, START APPLYING THE UNIQUE IDENTIFIER BEFORE THE “BIG BANG”?

It seems impossible to imagine every drug manufacturer and repackager targeting the E.U. switching on their shiny new serialization solutions on February 9, 2019.  That may be totally impractical.  In fact, to ease the pain, some of these companies have been selling some drug packages into the E.U. market with the EUDR unique identifier on them for many months now, and that practice will likely continue to grow over the next three years.

But wait!  Not so fast.  Last October, apparently someone from the European Commission (EC) spoke at the GS1 Healthcare conference in Budapest and claimed that companies should not ship serialized product into E.U. markets until the data repository for the target market is operating and capable of receiving the data related to those unique identifiers, so that they can be verified and decommissioned (I can’t find any reference to that statement except in the essays linked below).  Apparently, retroactive uploading of the information into those repositories will not be permitted.

This statement was recognized as a serious problem for the industry by Tim Marsh of Supply Chain Security Partners who wrote a very nice essay to explain his horror that the EC would interpret the EUDR so strictly (see his excellent “Prohibition on Proactive EU FMD Serialization: The Profound Implications for Industry and Ultimately the Success of the European Stakeholder Model”, and also see the rebuttal from Graham Smith, director and chief sales officer of Aegate Ltd, “FMD Delegated Act – the letter of the law or the spirit?”).

The concern is that drug packages containing the unique identifier and entering the supply chain but without the corresponding data in the system of repositories will fail verification at some point in the future.  That failure will cause those drugs to appear to be counterfeit, or otherwise illegitimate even though they are not.  Therefore, the EC does not want companies to flood the market with these marked packages until they are able to upload the data to the appropriate target repository.  I understand the EMVO is working hard to get those repositories operational as soon as possible.  But bringing those repositories online early is not going to be sufficient.  There is yet another problem.

DECOMMISSIONING IS THE KEY…AND THE PROBLEM

The foundational principle of the FMD and EUDR—the principle that enables it to secure the supply chain better than before—is that every drug package entering the E.U. supply chain will have a unique identifier commissioned in the repositories (EUDR Article 33) and applied to it in barcode and human readable forms (EUDR Chapter II), and then as the package leaves the supply chain (through dispensing to a patient, export, theft or destruction), the unique identifier will be decommissioned (EUDR Chapters V and VI).

Decommissioning is critical to the security added to the supply chain by the FMD/EUDR.  Loose adherence to the EUDR decommissioning requirements will result in loss of supply chain security.  In fact, widespread loose adherence could actually result in lower security than existed before the law was enacted, because healthcare workers could develop an undeserved sense of security and may therefore ignore safe sourcing practices.

Article 3.2(c) of the EUDR defines the term ‘decommissioning of a unique identifier’ as:

“… the operation changing the active status of a unique identifier stored in the repositories system referred to in Article 31 of this Regulation to a status impeding any further successful verification of the authenticity of that unique identifier;”

Decommissioning is critical under the FMD/EUDR because when a drug is dispensed, exported, stolen or destroyed, decommissioning of its corresponding unique identifier is the only thing that prevents a counterfeit drug with that same unique identifier from being verified as a good package by the system of repositories.  (For thoughts on decommissioning in the U.S. supply chain, see “The Coming Battle Over Decommissioning At The Pharmacy”.)
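The commission, verify and decommission lifecycle described above can be modeled in a few lines; this is an added example, not code from the EUDR or from any repository operator. The `Repository` class, its method names, and the product code and serial values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    ACTIVE = "active"
    DECOMMISSIONED = "decommissioned"


@dataclass
class Repository:
    """Toy stand-in for one national repository (hypothetical API)."""
    # (product_code, serial) -> [Status, reason for decommissioning]
    records: dict = field(default_factory=dict)

    def commission(self, product_code, serial):
        key = (product_code, serial)
        if key in self.records:
            raise ValueError("identifier already commissioned")
        self.records[key] = [Status.ACTIVE, None]

    def verify(self, product_code, serial):
        """True only if the identifier is known and still active."""
        rec = self.records.get((product_code, serial))
        return rec is not None and rec[0] is Status.ACTIVE

    def decommission(self, product_code, serial, reason):
        """Move an active identifier to a status that blocks later verification."""
        if not self.verify(product_code, serial):
            return False  # unknown or already decommissioned: treat as an alert
        self.records[(product_code, serial)] = [Status.DECOMMISSIONED, reason]
        return True


def dispense(repo, product_code, serial):
    """Dispenser step: verify, then decommission as 'supplied'."""
    return repo.decommission(product_code, serial, "supplied")


def later_pack_verifies(decommission_at_export):
    """Commission one pack, let it leave the supply chain by export, then
    check whether a pack presented later with the same identifier verifies."""
    repo = Repository()
    pc, sn = "PC-EXAMPLE-0001", "SN-CONSTRUCTED-42"  # constructed values
    repo.commission(pc, sn)
    if decommission_at_export:
        repo.decommission(pc, sn, "exported")
    return repo.verify(pc, sn)
```

`later_pack_verifies(False)` returns `True`: an identifier that left the supply chain without being decommissioned stays active, so the repository alone cannot tell a later pack carrying it from the original.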

The problem is, drug manufacturers and repackagers will begin applying unique identifiers to the products and loading that data into the system of repositories well before wholesale distributors and dispensers are likely to begin decommissioning the packages that leave the supply chain on a large scale.  Nothing in the EUDR blocks those companies from verifying and decommissioning the unique identifiers on drug packages before February 9, 2019, but do you really think they are likely to do so in large numbers?  Of course not.  It’s a “big bang”, remember?

DON’T WORRY, CRIMINALS DON’T READ RxTRACE

You can bet that counterfeiters are paying attention and are looking for lapses in security to take advantage of.  Here is an example of what they will find.  Drugs that are packaged for the France market are frequently bought by wholesale distributors and exported to French-speaking countries in Africa and elsewhere.  After February 9, 2019 those wholesale distributors will be required to decommission those packages at the time of export.  But before that date, they are unlikely to voluntarily make that effort because it will add cost.  Even with the use of aggregation and inference, that cost will impact profits.  These serialized-but-not-decommissioned packages will remain valid and verifiable (‘active’ in EUDR terminology) within the France data repository until their expiration dates.  Those dates could be long after dispensers must begin verifying 100% of the drugs they dispense in France.

All criminals need to do to scam the system is collect the unique identifier information on drugs that end up in Africa and elsewhere before the “big bang” date, and apply those same identifiers to their own counterfeit drug packages.  Or, they could simply ship those same drug packages back into the E.U. without declaring them (this is diversion) and they could be sold (illegally) at a higher profit (remember, these are criminals).  The fact that the unique identifiers on both of these products will verify as “good product” in the system of repositories means that these criminals will be much harder to catch, and it is very likely their illegitimate products will be consumed by patients—the worst-case scenario.  How will the criminals collect these un-decommissioned identifiers?  Just go to Africa, or wherever E.U.-targeted drugs are imported and visit the receiving warehouse.  Then just scan all of the barcodes on those packages and you have what you need–in quantity.

Notice that drugs that do not have a unique identifier printed on their packages are not open to this criminal opportunity.  That’s because those drugs are incapable of being verified by the system of repositories before or after the “big bang” date.  It is only the drugs that leave the E.U. with unique identifiers on them, that have not been decommissioned in the system of repositories, that are exposed to this vulnerability.

WHAT’S THE SOLUTION?

It’s too late to stagger the effective dates of each segment, but if you could, it would be better to require wholesale distributors and dispensers to verify and decommission any drug package that contains a unique identifier before manufacturers and repackagers begin shipping products with those identifiers on them.  That way every commission would be followed by a decommission.  The next best thing, and probably the best we can expect to do, is for drug manufacturers and repackagers to voluntarily hold off until the last possible date (but not after February 9, 2019) to begin shipping serialized packages into the supply chain.  But that will take precision planning.

Fortunately the “transition measures” (EUDR Chapter XI) seem to allow companies to continue shipping unserialized product from their distribution center even after the “big bang” date, so they just need to turn on serial number application on their packaging lines (and the data upload) on, or just prior to, that date (see “Insufficient Transitional Measures Doom The FMD-EUDA”).  Maybe those transitional measures will turn out to be less “doom” and more “boon” for the FMD-EUDR, proving my earlier analysis to be backward!

What do you think will happen?

Dirk.