Pharma Serial Number Randomization Under The Falsified Medicines Directive

Drug companies that serve markets within the European Union (EU) have until February 9, 2019 to add serial numbers within a Data Matrix barcode to their drug packages, among many other specific requirements (see “The ‘Unique Identifier’ in the EU Delegated Act”).  The specific requirements are outlined in the EU Delegated Regulation (EUDR).  I’ve written a lot about the EUDR over the last few years (see RxTrace: Delegated Regulation).  Today I want to highlight and explain a problem that may be brewing in the implementation of the system of repositories as established by the non-profit European Medicines Verification Organization (EMVO).  The potential problem is related to the way the EMVO may treat the randomization of serial numbers that are sent to the European Hub—the central repository intended to eventually collect the Unique Identifiers (UI) of all drug products distributed within the EU supply chain after the deadline.

Article 4 of the EUDR spells out the serial number randomization regulatory requirement: 

“(b) The unique identifier shall consist of the following data elements:”

“(ii)a numeric or alphanumeric sequence of maximum 20 characters, generated by a deterministic or a non-deterministic randomisation algorithm (‘serial number’);”

“(c) The probability that the serial number can be guessed shall be negligible and in any case lower than one in ten thousand.”

The EUDR was officially published in February 2016, but three years earlier the European Federation of Pharmaceutical Industries and Associations (EFPIA) published the most recent version of their “European Pack Coding Guidelines”.  In this document, EFPIA made a number of recommendations related to the identification of drug packages marketed in the EU supply chain.  One set of those recommendations was about the approach to serial number randomization.  These include:

“In order to provide a reasonable level of complexity within the serial number, the probability that a valid serial number can be guessed should be no less than 1 in 10,000 (i.e. ≤ 0.0001). Also, in order to minimise the opportunity for a counterfeiter to estimate the randomisation pattern from two or more samples, the following randomisation rules or equivalent apply:

The following is guidance as to achieve better randomness:

Given a sufficiently large set of (randomised) serial numbers for a product, the randomisation substrings of the serial numbers have to fulfil the following randomisation criteria:

  1. The randomisation substrings must be equally distributed. e.g. the serial number substring should not contain fixed blocks of fixed digits.

  2. Any randomisation substring must be independent of other substrings.

  3. The randomisation substrings must not be built using an algorithm that is easy to find out when knowing the given set of serials or a subset thereof.”

Notice that only the first concept of this recommendation actually made it into the formal regulation.  In my view, that’s for good reason.  Achieving a probability that a valid serial number can be guessed that is less than (EFPIA said “no less than”, but they clearly mean “less than”) 1 in 10,000 is a reasonable and fully sufficient barrier to a counterfeiter.  There are any number of straightforward ways companies can implement a serial number selection algorithm that meets this specification.  Guidance #3 above is reasonable, but the recommendations that EFPIA makes in 1 and 2 above add no barrier to counterfeiting beyond the 1 in 10,000 requirement and the difficulty in finding out the algorithm.  Yet those two additional guidelines could force companies to make significantly greater investments to implement them.  That greater investment is simply not justifiable from a regulatory or even a patient protection standpoint.

Luckily, when the final language in the EUDR was being debated, the drafters decided to include only the sufficient barrier proposed by EFPIA and rejected the excessively expensive additional recommendations because they add no benefit to safety.  So what’s the problem?

HERE’S THE PROBLEM

The problem is, the EMVO European Hub repository requires companies to go beyond the basic regulatory requirement of the Delegated Regulation.  Here is what the “European Medicines Verification Organisation:  Requirements for the European Medicines Verification System – URS Lite”, version 3.0, dated March 7, 2017, says about serial number randomization:

“3.2.1 General Principles”

B.5 The randomisation of the serial numbers is a key success factor of the medicines verification concept. Therefore, the following quality criteria on randomisation apply:

  • The probability that a valid serial number can be “guessed” should be in accordance with Commission Delegated Regulation (EU) 2016/161 Article 4(1)(c)

Given a sufficiently large set of (randomised) serial numbers for a product, the serial numbers have to fulfil the following randomisation criteria:

  • They must be equally distributed.

  • They must be independent.

  • They must not be built using an algorithm that is easy to find out when knowing the given set of serials or a subset thereof.”

The document says data will be considered invalid if it fails to meet several criteria, including “…insufficient randomisation…”.  It appears that the EMVO views these extra randomization criteria, over and above the EUDR requirement, to be mandatory.  Why is that?

I don’t know, but my best guess is that it is hard to create a data validation algorithm that can calculate the probability of guessing a serial number, but it is easy to create one that measures whether a block of them are “equally distributed”.  But serial numbers that are “equally distributed” are not the only set of serial numbers that will meet the regulatory requirement of 1:10,000.  In fact, if you end up with a perfectly “equally distributed” set of serial numbers, they will definitely not meet the 1:10,000 requirement, so EMVO’s validation algorithm must leave enough flexibility that it allows true randomization at all.  I contend that any attempt to enforce “equally distributed” serial numbers will cause almost any randomization algorithm to fail unless the algorithm used to validate the randomness is exactly the same algorithm that generated them.  The bottom line is that the EMVO’s approach is unnecessarily restrictive and should be changed.

HOW TO FIX THIS SITUATION

In my view, the EMVO should relax their test for “sufficient randomisation” to simply check for some obvious poor approaches.  Their current test correctly waits until it receives “…a sufficiently large set of … serial numbers for a product…” before it checks for “sufficient randomisation”.  Certainly you can’t check the “randomness” of a single serial number, but you also should not check even a small set. 

You also should not concern yourself with whether or not the serial numbers are initially selected or submitted sequentially (monotonically).  In the end, once you have a large set of serial numbers, what difference does it make if the market authorization holder generated them in a sequence, or “jumped around”?  The end result is the same set.  A counterfeiter is going to see them as a set of valid numbers, and those valid numbers have exactly the same values whether they were generated in an ever increasing sequence, or in a scrambled sequence (jumping around).  The selection sequence is not important.  What is important is that you cannot guess a valid serial number in the resulting set with odds greater than 1 in 10,000.  If we can achieve that measurement using an inexpensive sequential selection algorithm that cannot easily be identified or predicted, then why not?

The EMVO should come up with some simple statistical analysis to detect foolish algorithms, like someone simply adding a fixed value to the last serial number to calculate the next one.  Even if that fixed value is equal to or greater than 10,000, it would result in a set of serial numbers whose valid members would be easy to guess after observing just a few actual serial numbers.  I don’t know that much about statistical analysis so I am not the person to come up with the right collection of formulas, but it seems like EMVO could do something to:

  1. determine that there is sufficient variation in the magnitude of the gaps between sequential serial numbers that are used, and
  2. confirm that, across the large set, those gap magnitudes average 10,000 or greater, to establish the 1 in 10,000 measurement.

The first test is a measure of “randomness” and the second measures the “sparseness” of the serial numbers.  Both are properties of randomization algorithms (see “Randomization—An Interview with Ken Traub—Part 2: Properties of Randomization”).  The foolish serial number assignment algorithm of simply adding 10,000 to the previously chosen serial number would pass the sparseness test, but it would fail the randomness test.
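To make the two proposed tests concrete, here is an added toy model in Python. It is not EMVO’s validation code or anything from this essay or the Ken Traub interviews; the serial space (9-digit numeric serials), the three generators, and the 10% variation threshold are all assumptions of the example. It builds constructed serial-number sets the way the essay describes them (a fixed increment of 10,000, a cheap sequential selection with random gaps, and a fully random selection), computes the guess probability as the fraction of the serial space that is valid, and then applies the “randomness” (variation in gap size) and “sparseness” (mean gap) checks. The fixed-increment set passes sparseness and the 1-in-10,000 ceiling but fails randomness, exactly as the paragraph above predicts.

```python
"""Toy model (added example, not EMVO's or the essay's code) of the EUDR
guess-probability ceiling of 1 in 10,000 and the essay's proposed
"randomness" (gap variation) and "sparseness" (mean gap) tests, run over
constructed serial-number sets."""
import secrets
import statistics

# Assumption of this example: 9-digit numeric serials drawn from 0..999,999,999.
SERIAL_SPACE = 10**9
GUESS_CEILING = 1 / 10_000   # EUDR Article 4: guess probability must be lower than this
MIN_MEAN_GAP = 10_000        # essay's test 2: gaps should average 10,000 or more
MIN_GAP_CV = 0.10            # essay's test 1 threshold; the 10% figure is this example's choice


def fixed_increment_serials(start, step, count):
    """The 'foolish' generator the essay describes: add a fixed value each time."""
    return [start + i * step for i in range(count)]


def random_gap_serials(count, min_gap, max_gap, rng=secrets.randbelow):
    """Cheap sequential selection: strictly increasing, but each gap is randomly sized."""
    serials, current = [], 0
    for _ in range(count):
        current += min_gap + rng(max_gap - min_gap + 1)
        serials.append(current)
    return serials


def uniform_random_serials(count, space=SERIAL_SPACE, rng=secrets.randbelow):
    """Fully random, non-sequential selection with no repeats."""
    chosen = set()
    while len(chosen) < count:
        chosen.add(rng(space))
    return sorted(chosen)


def guess_probability(serials, space=SERIAL_SPACE):
    """Chance that one uniformly random guess over the whole space hits a valid serial."""
    return len(set(serials)) / space


def gaps(serials):
    """Differences between consecutive valid serials in value order.  Sorting first
    reflects the essay's point that the counterfeiter sees the set, not the issue order."""
    ordered = sorted(set(serials))
    return [b - a for a, b in zip(ordered, ordered[1:])]


def sparseness_ok(serials, min_mean_gap=MIN_MEAN_GAP):
    """Essay's test 2: the gaps between valid serials average at least min_mean_gap."""
    return statistics.mean(gaps(serials)) >= min_mean_gap


def randomness_ok(serials, min_cv=MIN_GAP_CV):
    """Essay's test 1: 'sufficient variation' in gap size, measured here as the
    coefficient of variation (population stdev / mean) of the gaps."""
    g = gaps(serials)
    return statistics.pstdev(g) / statistics.mean(g) >= min_cv


def evaluate(serials):
    """Run all three checks and return the verdicts in one dict."""
    return {
        "guess_probability_ok": guess_probability(serials) < GUESS_CEILING,
        "sparseness_ok": sparseness_ok(serials),
        "randomness_ok": randomness_ok(serials),
    }


if __name__ == "__main__":
    cases = {
        # passes the ceiling and sparseness, fails randomness (every gap identical)
        "fixed +10,000": fixed_increment_serials(12_345, 10_000, 1_000),
        # passes the global ceiling but packs valid serials too densely: fails sparseness
        "fixed +5,000": fixed_increment_serials(0, 5_000, 1_000),
        # strictly increasing with random gaps: inexpensive, and passes all three
        "random gaps": random_gap_serials(1_000, 10_000, 30_000),
        # fully random selection also passes all three
        "uniform random": uniform_random_serials(1_000),
    }
    for name, serials in cases.items():
        print(f"{name:15} guess p={guess_probability(serials):.1e}  {evaluate(serials)}")
```

The “fixed +5,000” case is worth noting: its guess probability over the whole serial space is tiny, yet the mean-gap test fails, because a counterfeiter who has seen a few valid serials will guess near them, not across the whole space. That is why the essay’s gap-based tests look at local spacing rather than only at the global count of valid serials.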

Quite literally, the best resource on the entire internet for understanding serial number randomization and all of the considerations for pharma serialization using GS1 standards is the five part interview series I did with Ken Traub three years ago.  If you have reached this far in this essay, make sure you read that series: 

The EMVO is in a difficult situation.  Obviously they have concluded that the randomization requirement spelled out in the official EU Delegated Regulation is not sufficient by itself to be a barrier to counterfeiting.  But that is the regulation.  I think it is fine to notify companies when their approach to randomization fails to meet the regulatory requirement—perhaps even reject those values—but it is another thing to block serial numbers that meet the regulation, but may be inadvisable.  I hope the EMVO has a way of dealing with this difficult situation.  It would be nice if they would publish a statement that explains their planned approach so that companies will know what to expect.  They should not fear that counterfeiters will be tipped off just by making it clear how they intend to handle weak, but compliant approaches to serial number generation.

Dirk.