Mixed Signals From Russia

I’m not talking about the mixed signals from Russia in your daily political newsfeed, I’m talking about the mixed signals we see between the Russian Federation decrees for their pharma serialization and traceability mandate, and the announcements of the government’s designated technology contractor to develop that system:  CRPT, LLC.  Considering how short the deadlines are, these mixed signals are counterproductive because they cause companies to pause while they figure out what they should do.  Let me explain.

On December 14, 2018 the Russian Federation published three new decrees and an order related to their “system of monitoring the movement of medicines for medical use”.  These include Decrees #1556, #1557 and #1558, and Order #2828-r from December 18, 2018. 

Of particular interest is #1556/2018, “Regulations On Monitoring System For Movement Of Medicinal Products For Human Use”.  This is the formal publication of the regulatory requirements for their drug track and trace system that drug manufacturers must implement with milestones starting as early as July 1, 2019 (see decree #1557).  I’ve seen two different English translations of Decree #1556 but I cannot supply either one to you at this time.  One of those is available to members of GS1 Healthcare.  So far I have not found any available versions on the open internet, so for now, you will have to take my word for it, or run the documents linked above through Google Translate.  (If you are going to market drugs in Russia after this year, using Google Translate effectively is a skill you need to develop now.)

Decree #1556 contains the kind of requirements we have seen in the text of the Drug Supply Chain Security Act (DSCSA) or perhaps the EC Delegated Regulation.  While not nearly as easy to follow and understand as those earlier documents, this is where you will go to find the contents of the unique identifier, the type of barcode, what data must be uploaded to the government repository and when, etcetera.  It fills the same role as the guideline that was published in 2017 to establish the requirements of the Russian pilot (see “The Russia Serialization Pilot Guideline”).  Interestingly, most countries who do a pilot usually wait to define the final requirements until their pilot report is complete so they can incorporate the lessons learned from that pilot.  Not so here.

Decree #1556 officially adds the crypto-code to the data encoded into the barcode on secondary packaging (primary packaging if there is no secondary) (see “New Direction For Pharma Serialization In The Russian Federation” and “More Details On The Russian Crypto-Code”).  According to the decree, the crypto-code (a.k.a, crypto-tail), is composed of two data fields:  a 4 character verification key and an 88 character “digital signature”.  Both fields are alphanumeric.

Just like the pilot, the serial number data element of the barcode must be exactly 13 alphanumeric characters long, but unlike the pilot, Decree #1556 says nothing about randomizing the serial number.  I assume that’s because the government feels that the crypto-code improves on the security benefits of randomization, thus eliminating the need to randomize.  It is true, if you are a counterfeiter trying to come up with a valid set of serial numbers for a given product, the guessing the crypto-code that matches the combination of GTIN+serial number would be orders of magnitude harder than if you just had to guess valid GTIN+randomized serial numbers alone. 

But to me, that’s a lot of overkill in your technology choices, if that’s all you are going for (but I think the crypto-code is also intended to enable a crude form of verification in remote areas).  Remember, to get the necessary crypto-code for each package, manufacturers will need to define their planned GTIN+serial numbers, and then submit them via an internet web service call to CRPT, the Russian technology vendor holding the contract to provide the centralized government services for this system (made official in Order #2828-r).  Or you can get one of their hardware devices (a “black box”) and submit all of your GTIN+serial numbers to it to extract the corresponding crypto-codes locally (this option appears to be only available to domestic packaging facilities).  Then you encode your GTIN+serial numbers and their corresponding crypt-codes into individual Datamatrix barcodes for application to each saleable package of drugs.

As I pointed out in my last essay on this topic, drug manufacturers participating in the pilot have found the size of the resulting Datamatrix barcodes to be very difficult to work with (see “More Details On The Russian Crypto-Code”).  That is, they are significantly larger than typical serialized drug barcodes aimed at other countries, and if you try to reduce the dimensions by using a smaller dot size, the increased density quickly makes them unreadable.  Companies who have gotten them to work have had to spend many hours working with different system and device settings, and have had to clean their printheads very frequently.  This resulted in an outcry from those companies indicating that the crypto-code was unworkable.

So, four days after Decree #1556 was published last month, CRPT published an announcement indicating that they are willing to reduce the length of the crypto-code so that these problems are addressed.  The announcement does not mention any new size specification for the signature data element, but it does say that the reduction will not apply to drugs that target the “12 high-cost nosologies”. 

Does that help?  I guess it does for the majority of prescription drugs on the Russian market—particularly those that are dispensed in high volumes—but if you are making a drug targeted at those high-cost nosologies, you’ll have to work hard to get readable barcodes.

But my question is this:  can CRPT, a government technology contractor, legally change the technical requirements that were just issued four days earlier in a government Decree?  I’m not sure how that works in Russia, but anywhere else, that would require some kind of official notice from the government agency that oversees these Decrees.  That’s what I mean by “mixed signals”.  Who do you believe as you aggressively work on getting your serialization systems ready to comply?