What’s So Hard About Unique Identifier Verification?

Both, the Drug Supply Chain Security Act (DSCSA) in the US and the Falsified Medicines Directive (FMD) in the EU make use of unique identifier verification in one way or another.  Under the FMD, verification is the centerpiece of patient protection.  Under the DSCSA, verification is used as a tool to help resolve higher risk use cases, like saleable returns to wholesale distributors, and anytime someone becomes “suspicious” about a collection of drug packages.  On the surface, verification of unique identifiers seems simple, but there are some sticky problems that make it complex in some circumstances (see also “Drug Verification: EU Vs US”).


In Article 11 of the EU Delegated Regulation (EUDR) “Verification of the authenticity of the unique identifier” is defined as:

“When verifying the authenticity of a unique identifier, manufacturers, wholesalers and persons authorised or entitled to supply medicinal products to the public shall check the unique identifier against the unique identifiers stored in the repositories system referred to in Article 31.  A unique identifier shall be considered authentic when the repositories system contains an active unique identifier with the product code and serial number that are identical to those of the unique identifier being verified.”

In Section 581(28) of the US DSCSA “VERIFICATION OR VERIFY” is defined as:

“The term ‘verification’ or ‘verify’ means determining whether the product identifier affixed to, or imprinted upon, a package or homogeneous case corresponds to the standardized numerical identifier or lot number and expiration date assigned to the product by the manufacturer or the repackager, as applicable in accordance with section 582.”

In both cases, the unique identifier (known as the “product identifier” in the DSCSA) contains a product code plus a serial number that is unique for that product code (see “The ‘Unique Identifier’ in the EU Delegated Act”).  In the DSCSA the combination of the product code (known as a National Drug Code, or ‘NDC) and the serial number is referred to as the Standardized Numerical Identifier (SNI) (see “Anatomy Of The National Drug Code” and “FDA Aligns with GS1 SGTIN For SNDC”).


In the EU, a system of repositories will hold data describing the full set of unique identifiers of saleable drug package in the supply chain.  Drug market authorization holders (MAH) must submit that data, plus an indication of the target region(s), to the European Medicines Verification Organization’s (EMVO) central repository (the EU Hub) at the time they put units into the supply chain.  The EU Hub will send that data to the national medicines verification system (NMVS) repository(ies) designated for the target region(s) specified by the MAH.  Most unique identifiers in the EU will be verified and “decommissioned” through the local NMVS by “persons authorised or entitled to supply medicinal products to the public” (which I will refer to as, simply “dispensers”, as they are in the US).  But a few will be verified and perhaps decommissioned by just about any supply chain entity, including the MAH, wholesale distributors, repackagers, parallel importers, parallel distributors and dispensers (see “Decommissioning Under the FMD/EUDR”).

Just how protective the FMD turns out to be for patients depends entirely on how reliably the data in the system of repositories reflect the true status of unique identifiers.  The problem is, there are lots of reasons that data can become unreliable.  Here are the ways I can think of:

  • A dispenser fails to decommission the unique identifier when dispensing the product to a patient;
  • A dispenser assumes their supplier decommissioned the unique identifiers in an incoming shipment but the supplier failed to do so;
  • A dispenser who relies on their supplier to decommission their drugs, returns drugs and that entity fails to revert their status before re-selling them;
  • The MAH or wholesale distributor exports drugs outside the FMD-covered market and fails to decommission their unique identifiers;
  • The MAH sends blocks of unique identifiers to the EU Hub representing drugs that are destined for regions where the local NMVS is not yet operational;
  • A wholesale distributor mistakenly decommissions a shipment of drugs on behalf of a dispenser who does not expect them to do so;

Odds are these problems will occur more often at the beginning of the operation and get better as things get rolling everywhere and people get more familiar with their obligations, but until then, things could be confusing for some dispensers.

Dispensers must trust the system, which could be disruptive when they unexpectedly find out some—or all—of the packages of a given SKU they have in stock are already decommissioned.  They are not allowed to dispense those drugs.  Because it was unexpected, and because they have a significant investment in those drugs—not to mention patients who abruptly cannot be properly treated—they will need to investigate the problem with their supplier.  Are these drugs counterfeits, or perfectly good, but were mistakenly decommissioned?  In some cases, this could lead to localized shortages of the SKUs involved.

The law allows supply chain entities to “revert” unique identifiers to active status when they were mistakenly decommissioned too early, but that process will take time and careful coordination.  Only the entity who mistakenly decommissioned the unique identifier is allowed to revert it, and they only get 10 days to do it.  If a dispenser has this problem, and they find out their supplier decommissioned the unique identifier too early, odds are they will just dispense the drug without bothering to have the supplier revert it, and then have to decommission it again themselves.

If these problems happen more often than real counterfeit or stolen drugs are found in the supply chain, dispensers are not going to like the system and that could result in even less reliance on the system.


Verification of unique identifiers will not be necessary in the US as often as it will be in the EU, so the problems will probably be less frequent and more isolated.  The most frequent type of verifications will probably occur as the result of wholesale distributors processing saleable returns (see “DSCSA: Saleable Returns Verification”).  Last year, the Healthcare Distribution Alliance (HDA) and the “Big-3” wholesale distributors settled on two approaches for fulfilling their 2019 saleable returns verification requirement (see “DSCSA Serialization: What Wholesalers Expect”).  Both approaches require drug manufacturers to do something and, to satisfy “direct purchase” wholesale distributors, each manufacturer can choose one approach or the other.

Approach What Manufacturers Must Do
Verify original shipment by manufacturer Include list of SNIs in each shipment
HDA Verification Router Service (VRS) Respond to “requests for verification” by implementing the VRS “responder” service and connecting to a VRS service
Table 1:  Manufacturer approaches to help solve the saleable returns verification problem faced by "direct purchase" wholesalers.

According to last year’s HDA DSCSA manufacturer’s serialization readiness survey, about 60% of respondents said they intend to capture aggregation data for the drugs they introduce into the supply chain (see “HDA’s 2017 Manufacturer Serialization Readiness Survey Results”).  Having aggregation data available makes it much easier to provide wholesale distributors with a list of the SNIs included in each shipment, which would satisfy the first approach listed in the table above.  The remaining 40% will be forced to implement the HDA’s VRS, the second approach listed above, so that the “Big-3” can continue selling their products.

But notice this only solves the saleable returns verification problem for “direct purchase” wholesale distributors—those who purchase their stock directly from the manufacturer.  Secondary purchase wholesale distributors, who buy their stocks from one of the “direct purchase” wholesalers, have the same problem.  They will also be required to start verifying the saleable returns they receive.  The first approach in the table above doesn’t work for those companies because the list they would receive would not come directly from the original manufacturer or repackager.  Instead, it would be their supplier—another wholesale distributor—who provided it, so it could not be used to “verify original shipment by manufacturer”.

In that case, the HDA VRS is the only efficient way for these non-direct purchase wholesalers to perform the verification of saleable returns.  But wait, if that’s true, then that means every drug manufacturer will need to implement the HDA VRS, not just those who do not capture aggregation data.  That is, implementing the VRS appears to be a necessity for drug manufacturers, to satisfy the needs of non-direct purchase wholesalers.  And that means the first approach listed in the table above is just an optional approach.  The benefit to everyone of that optional approach is that it will reduce the overall verification traffic that goes through the VRS, thus making it perform better.

This problem was first highlighted by our friends at McKesson.  I first heard them talk about it at the December 2017 FDA DSCSA Public Meeting (see “FDA DSCSA Public Meeting #2, Still A Gulf”).  Kudos to them.

But even if these wholesale distributors are willing and able to implement the VRS, drug manufacturers might not respond to requests for verification submitted by these non-direct purchase wholesalers.  In fact, at the recent FDA DSCSA public meeting (see “FDA DSCSA Public Meeting #3: A Difference?”) multiple manufacturers said that, even today, they are rejecting verification requests from anyone they did not sell to directly.  But wait, aren’t they required to respond to all “requests for verification”?

In fact, since there will not be a central repository in the US, the DSCSA requires drug manufacturers (starting November 27, 2017) and repackagers (starting November 27, 2018) to respond to “requests for verification” from authorized repackagers, wholesale distributors or dispensers.  The FDA announced last year that they will not enforce the manufacturer’s requirement until November 27, 2018 (see “FDA Delays Enforcement of DSCSA November Deadline: What It Means”).

The problem is with the word “authorized” in the list of entities that manufacturers and repackagers are required to respond to.  That word is defined within the DSCSA as:

AUTHORIZED.—The term ‘authorized’ means—

‘‘(A) in the case of a manufacturer or repackager, having a valid registration in accordance with section 510;

‘‘(B) in the case of a wholesale distributor, having a valid license under State law or section 583, in accordance with section 582(a)(6), and complying with the licensure reporting requirements under section 503(e), as amended by the Drug Supply Chain Security Act;

‘‘(C) in the case of a third-party logistics provider, having a valid license under State law or section 584(a)(1), in accordance with section 582(a)(7), and complying with the licensure reporting requirements under section 584(b); and

‘‘(D) in the case of a dispenser, having a valid license under State law.”

Companies are only allowed to trade with “authorized” companies, so that means everyone needs to keep track of the current “authorized” status of everyone they buy from and sell to.  That’s a big chore for companies who have lots of suppliers and/or customers.  It takes a lot of time and effort to keep track of all that.

But when a secondary purchase wholesale distributor submits a verification request to a drug manufacturer, by definition, that manufacturer does not have a direct trading relationship with them.  For that reason, the manufacturer hasn’t kept track of the current “authorized” status of that company, so they cannot quickly determine that status.  That’s why they reject or ignore these requests.  They don’t know that the requester has a valid state license.  They can’t be sure the request is valid.

Interestingly, the FDA maintains a database of wholesale distributor licenses as required by the DSCSA (see “FDA Posts Wholesale Distributor and 3PL License Database”).  But I’ve heard that the quality of the data it contains is so low that companies feel that it is totally unreliable, and therefore unusable.  The problem is that the data is self-reported, not verified and is only updated annually through the annual reporting requirement (see “FDA Posts Guidance For Wholesale Distributor and 3PL Annual Reporting”).  In a perfect world, wholesale distributors would update the FDA database whenever something changes in their licensure, but they are only required to do that once per year.  And with no verification, it’s hard to trust it.

So what will it take to allow secondary purchase wholesale distributors to fulfill their requirement to verify saleable returns?  Maybe the FDA will clean-up the license database so drug manufacturers and repackagers can safely rely on it.  Maybe it could be incorporated directly into the VRS so that all verification requests passed to the manufacturer are already confirmed “authorized” by that service.  Maybe drug manufacturers should accept standardized evidence of state licenses by non-direct purchase companies to allow them to submit requests for verification for the next 30-days.

By the way, if a drug manufacturer refuses to respond to a request for verification from a non-direct purchase wholesale distributor, what can that wholesale distributor do with the returned product?  Based on the DSCSA requirement to “verify” the product before it can be re-distributed, if they have no way to verify, those drugs cannot be resold and must be treated as non-saleable returns.  That is, they must be destroyed.  In effect, these non-direct purchase wholesale distributors cannot take saleable returns for drugs that the manufacturer will not allow them to verify.  But it also seems to mean that these companies are unable to fully investigate “suspect product”—another reason the DSCSA requires them to verify drugs with the manufacturer.  This appears to be a problem that wasn’t addressed in the DSCSA.

The concept of verification is important in the implementation of both regulations.  If verification isn’t successful in one or the other market, supply chain security, as envisioned by the authors of these two major regulations, will suffer.  We won’t have long to wait to see how successful they are.