All posts by Dirk Rodgers

Dirk is the founder of RxTrace where he writes regularly on the intersection between the pharmaceutical supply chain, track and trace technology, standards and regulatory compliance. He has written hundreds of essays on those specific topics. A logical thinker, Dirk is skilled at making complex technical topics understandable to non-technical readers and listeners. An Electrical and Computer Engineer by education, Dirk has worked as a consultant, software architect and automation engineer during a career spanning 30 years. Overall, Dirk's thought leadership has helped to expose hidden complexities and reveal surprising consequences and implications of drug serialization and pedigree laws around the world. Dirk is the author of "The Drug Supply Chain Security Act Explained". View Dirk's LinkedIn Profile Follow Dirk on Twitter
FIPS, Florida Pedigree Law, lobbyists, paper pedigrees, serialization

The Florida Pedigree Law

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.What is the fundamental goal of today’s drug pedigree laws? Certainly it has something to do with making it harder for criminals to introduce illegitimate drugs (counterfeit, stolen, diverted, up-labeled, improperly stored, adulterated) into our legitimate drug supply chain. But exactly how they are to accomplish that is sometimes hard to see. Like most of our laws, pedigree laws seem to suffer from design-by-committee and then they are contorted beyond comprehension by lobbyists. If a lobbyist can’t prevent new regulations from being enacted in the first place, the next best thing seems to be to ensure that the law that is passed is so twisted that it doesn’t entirely make sense.

The Florida pedigree law is a case in point. Well intentioned, but apparently designed by people who were not entirely familiar with the massive number of drug packages that pass through distribution centers and on to pharmacies in our modern pharmaceutical supply chain. This law centered around a paper document for every transaction. The proposed law went through many modifications on its way to being enacted, and even then, the legislature continued to modify it as multiple lobbies convinced state senators and representatives of their particular dislike for various requirements. The law that eventually went into effect on July 1, 2006 had a number of strange provisions.

  1. It’s paper-based
    The final law had been modified to allow an electronic representation of a pedigree, but it remained essentially a paper pedigree. Though you could store it and transmit it electronically—they required very secure FIPS standards (Federal Information Processing Standards) for the electronic version—when an inspector wanted to inspect it, the very secure electronic document had to be printed out and presented on paper. A secure electronic pedigree that is printed out onto paper loses all of its security and can be faked very easily.
  2. Pharmacies could return within 7 days without updating the pedigree
    Shortly before the law went into effect, the legislature and governor passed a modification that allows pharmacies to purchase drugs from a wholesaler and then return them to the wholesaler without providing an updated pedigree, as long as both transactions are completed within 7 days. This allows drugs to be re-introduced into the supply chain with pedigrees that legally do not reflect all of the transactions that have occurred, thus hiding potentially important transactions.
  3. Primary wholesaler invoice statement
    Also shortly before the law went into effect a provision was inserted that allowed primary wholesalers to create a “pedigree” by simply printing on their customer’s invoices a statement that asserts that the drugs on the transaction were purchased directly from the manufacturer. Any wholesaler who cannot purchase directly from the manufacturer must purchase their drugs from one of the primary wholesalers. Those drugs must come with a fully documented pedigree that the primary wholesaler created (not the kind with the simple invoice statement). A fully documented pedigree is much harder and much more expensive to generate and maintain.
  4. No manufacturer requirements
    In Florida, the manufacturer of each drug is not involved in the creation and maintenance of drug pedigrees. The first wholesaler to purchase the drugs from the manufacturer must start the pedigree to reflect that purchase. They must then update the pedigree to reflect the sale of the drug to their customer. All of this is necessary whenever the drugs are sold to another wholesaler. If they are sold directly to a pharmacy, the simple invoice statement “pedigree” is sufficient, as described above.
  5. No serialization
    The Florida law requires careful tracing of every package of drugs from first purchase from a manufacturer until distributed to a pharmacy, but without the benefit of a serial number attached to each unit. This is hard to do without costing a lot of time and money because each shipment of a given drug has a different history. It must be traced separately from all other shipments of that same drug. Without serialization, the processes necessary to do it must be performed carefully and exactly. Any mis-step can cause a break in the trace which results in drugs that cannot be sold in the state.
  6. Allows information to be redacted
    Finally, a bizarre late addition allows certain information to be redacted (removed) from a pedigree document if the information is considered sensitive. But when pedigrees are held electronically using the required FIPS standards, any modification will cause the pedigree to be broken. That is, it will appear as though someone has tampered with it—the very condition that would lead a buyer to fear that the drugs may be counterfeit or otherwise illegitimate. The provision that allows redaction is in total conflict with the provision that requires use of FIPS standards.

So with the addition of these strange provisions, what is the Florida pedigree law really accomplishing? I don’t think it is having the effect that was hoped by the original creators. As far as I can tell by reading the original version, it appears that the goal was to force each buyer of drugs to actively verify that the supply chain history shown on each drug pedigree was accurate.

In this way, the responsibility for detection of criminal activity was distributed to all participants in the supply chain, rather than remaining solely with the few inspectors from the Florida Department of Health. This is the one piece of genius in the otherwise flawed law.

Considering the original proposed law and the six strange provisions listed above, a summary of the primary failures of the Florida Pedigree Law would have to include the following:

  • It’s paper-based
  • It doesn’t involve the manufacturer
  • It doesn’t rely on package serial numbers
  • It is full of holes designed to accommodate special interests

I’m afraid this pedigree law is so flawed that it has simply resulted in higher costs with little or no additional protection from criminals; nearly the worst possible outcome. Why have pharma supply chain crimes apparently decreased in Florida since the law was enacted? In my opinion, it’s entirely because the same law greatly increased wholesaler licensing requirements and the penalties for crimes.

With the development of the Florida law as backdrop, California stepped up with the intention of creating a better pedigree law. Were they successful where Florida failed? I’ll discuss their attempt soon.

BlogSpot, email subscription, FeedBurner, Google, RSS, Yahoo

Subscribing to RxTrace

The easiest way to stay up-to-date with the RxTrace blog is to register your email address with FeedBurner in the box in the upper right corner of this screen. After registration, FeedBurner will send you a small email every time a new post is entered into the RxTrace blog. That email will contain a URL that takes you directly to the new post. Really simple and very convenient.

And don’t worry about the possibility of spam generation. FeedBurner and BlogSpot are both owned by Google, which means that they are very careful with your email address. You can read Google’s Privacy Policy here, or you can just take my word for it…they don’t sell your email address to spammers.

Alternatively, you can also stay up-to-date with this blog without subscribing via email through the use of an RSS reader. I use Yahoo!’s “myYahoo” as my browser default home page. I have a pretty large myYahoo configuration with two pages and lots of news feeds–one of which is RxTrace. Sadly, it doesn’t seem to refresh so it has not reflected the last couple of posts. I need to look into that because it’s supposed to keep you current.

But there are other RSS Readers out there. To subscribe to any of the many RSS feeds, just click on the “Posts” button under the “Subscribe to RxTrace” banner to the right and select your favorite reader.

Any way you access this blog, I’d like to thank you for reading.

EPCglobal, GDSN, GLN, GS1, GS1 General Specification, GS1 M.O.'s, GS1 U.S., GSMP, GTIN, passive RFID, Traceability, UHF RFID

GS1

I’ve been an active GS1 participant since EPCglobal was first acquired by GS1 in 2003. It is an interesting organization, often both vital and frustrating at the same time. GS1 is a single source for essential supply chain standards that have global applicability. Rather than attempting to dictate those standards they invite people and companies to work with them on the definitions and the application of their standards. They have really great facilitators for some of their work groups with the very best being Mark Frey and Gena Morgan. The quality of their standards documents is quite high. And they have some really smart people in their EPCglobal Architectural Review Committee (ARC), notably Ken Traub, John Williams and Sanjay Sarma.

My hope is that this blog will be of some value to both members and non-members of GS1, but, I can only cover topics related to the organization and their public documents. Specific details about work group activities cannot be covered. However, I do not think that is too limiting and I think members and non-members will find something of interest.

GS1 is a not-for-profit member organization. The way it is organized reminds me of something out of the UN with affiliate “Member Organizations”, or M.O.’s—one for each country in the world—which participate in developing and maintaining their global standards on behalf of end-user companies within their borders. End-user companies are also able to represent themselves … if they can afford the membership fee which is based on company global revenue (and that’s on top of the fees paid for use of your GS1 Company Prefix). Consequently, standards development proceeds mostly with input from employees of GS1 affiliates and from employees of large corporations. There are notable exceptions and GS1 has made a significant effort to recruit participation from hospitals and smaller pharmacies, traditionally under-represented because they are small.

My own experience as one of those employees of an end-user member company, who has participated in standards-making work groups and the end-user groups within GS1 and EPCglobal, has been very positive. I have met and collaborated with a wide range of very smart people from my own industry and others, from the U.S. and from around the globe. I’ve learned a lot about supply chains in general and about how to perform the kind of “techno-negotiations” necessary to move forward a work group of people with very diverse backgrounds and interests toward a positive conclusion. Sometimes it’s thrilling. Sometimes it’s aggravating. It’s always a lot of hard work, but I highly recommend it to anyone considering it.

GS1 also runs “adoption” end-user groups out of their M.O.’s. The purpose of these groups is to encourage the adoption of GS1 standards within the country that the M.O. represents. For example, the GS1 U.S. Member Organization operates the GS1 Healthcare U.S. group which has work groups targeted at accelerating the adoption of GTIN, GLN, GDSN and Traceability the GS1 way in the healthcare sector. These work groups do not work on standards, but they work on guidelines for use in applying those standards to solve various supply chain problems within the U.S. (also known as “toolkits”).

Actual standards have traditionally been developed in two different sub-organizations of GS1: EPCglobal and GSMP (Global Standards Management Process). GS1 is currently in a state of transition as they move the standards development arm of EPCglobal into GSMP. That’s a good thing, because these two organizations have had different approaches and, at times, seemed to operate as two independent organizations. Unfortunately, in my view, EPCglobal’s process operated better than GSMP. So far I am encouraged by the little evidence I have seen that they are retaining the good parts of the EPCglobal approach. We’ll see how far it goes.

One very commendable thing that EPCglobal has done that GSMP has not is to make their ratified standards documents freely available for download on the internet. The GSMP approach is to roll all of their diverse standards into a single and very large document known as the “GS1 General Specification” (or, “GenSpec”) and they’d like to charge you for a copy of it. Fortunately there are enough M.O.’s around the world that make it available that you can usually find a copy for free download by simply Googling it. I hope that the merged GSMP does not fold the individual EPCglobal specifications into the GenSpec and keep them hidden until you pay, but I must admit, even ANSI and ISO charge for their ratified standards documents.

GS1 also has a lobbying arm which applies pressure to governments around the world to adopt policies that are favorable to GS1 and the technologies that their standards are based on. For example, they applied considerable effort to get governments around the world to open up RF frequency bands around 915MHz so that UHF passive RFID tags could operate worldwide without violating the law somewhere. They have been very successful in that effort, as I understand it.

Another example of GS1 lobbying is when they act as technology experts before U.S. state and federal regulatory agencies. Here GS1 provides guidance toward the adoption of regulations and laws that can be met through the use of their standards. I get a little concerned about this type of lobbying because I fear that GS1 makes themselves out to be unbiased when, in fact, they do have a bias. I hope these agencies are aware of that and take it into consideration.

GS1 will be a frequent topic of this blog since they are focused on the same “intersection” as I am (see the tag line for this blog on the masthead).

crimes, Dangerous Doses, Florida, pedigree laws

Dangerous Doses

If you have chosen to read this blog but you still haven’t read Dangerous Doses by Katherine Eban, you have made the wrong choice. The book is a great read. It documents the events in the early 2000’s that led the State of Florida to pass the first state pedigree law in 2003. You can draw a straight line between those events and all of the state pedigree laws that came after it. The book is a detailed accounting of crimes that occurred after a few criminals realized that law enforcement and the courts would not take seriously any drug crime that did not involve illegal drugs. But a small group of detectives and a lone prosecutor took them on and eventually brought them to justice. The book alternates between narratives of the crimes, the pursuit of the criminals by the detectives, and Eban’s explanation of how the pharmaceutical supply chain worked back at that time.

But that’s just it. The book was written at a time when things were different than they are now in some very important ways. As I understand it, back then, you could have spent less money on a license to distribute pharmaceuticals than you would if you obtained a license to open a bar. As a consequence, there were thousands of drug wholesalers licensed in Florida. But in 2003 the state toughened its licensing laws, greatly increased the cost of the licenses and increased the penalties for crimes related to wholesale distribution of pharmaceuticals. The HDMA cataloged the significant changes to Florida’s drug distribution regulations as the result of those changes. The number of licensed wholesalers plummeted to only a few hundred in the following years.

Oh, and they passed a pedigree requirement too.

I have to admit that I don’t have a good window into what exactly is going on in the Florida crime scene today but given the heightened awareness in the press of counterfeiting and diversion stories, I have to think that there is not nearly the problem that there was back in 2002, or we would hear about it.

So that pedigree requirement really worked, right? Maybe, but I have to think that the increased licensing fees and other requirements, the increased penalties and the increased interest by the courts are the things that really caused criminals to think twice about getting into that business.

Dangerous Doses is a great book and I still highly recommend it to anyone, especially those like me, who are responsible for working on pedigree, serialization and track & trace systems for companies in the supply chain. But as you read it try to keep in mind, that era doesn’t exist anymore. Since that time many other states have taken comparable steps to strengthen their licensing and toughen penalties. And many of them have also passed some type of pedigree law. Stay tuned for more about some of those laws in later posts.

Do drugs still get counterfeited and sold in the U.S.? Probably, but the criminal activity seems to have moved from the supply chain to the internet where criminals can hide just across the borders. Check your spam folder for the evidence.

DPMS, EPCIS, GS1, pedigree, Pharmaceutical Commerce, standards

The Importance of Standards

1 Comment

I’ve written before about the importance of supply chain standards and how pedigree standards can be categorized as “communications standards”. I drew the analogy of the importance of standards in making cell phones work together. Because U.S. cell phone companies agreed to make use of certain standards, you are able to call your friends who chose to buy service from Sprint, when you have chosen to buy your service from Verizon, or any of a number of other U.S. carriers. Without those standards and the agreement of each company to use them, you would only be able to call people who happened to sign up with the same phone company that you did.

I won’t reproduce the whole article here but its contents are just as pertinent today as they were two years ago when it was published in Pharmaceutical Commerce magazine. That article stressed the importance of the GS1 Drug Pedigree Messaging Standard (DPMS, a.k.a. the GS1 Pedigree Ratified Standard), but any approach selected by an individual company to address pedigree legislation has to consider interoperability with whatever approach their trading partners choose. Interoperability is the goal of standards but right now there are two standards-based approaches to pedigree out there and they are not currently interoperable. That’s a problem for everyone, because the supply chain is so interconnected and diverse at the same time.

The two standards are DPMS and EPCIS–both from GS1. The history of these two standards and the differentiating characteristics of each one is too complex to cover in a single post so I’ll just provide an introduction here. I’ll continue the discussion in later posts, although I don’t plan to make the whole thing contiguous because there are other topics that I also want to cover over the same timeframe.

EPCIS (Electronic Product Code Information Services) is a GS1 standard that defines a set of interfaces for the purpose of capturing and querying serial number “visibility” data. “Visibility” data is meant to be observations and transactions that are based on observations of serial numbers that are attached to items and logistical containers of products within supply chains. I still haven’t found an easy-to-understand way to explain it, but I think those two sentences describe it fairly concisely and accurately. If you have a better way to explain it, please post a comment below.

Notice that the description doesn’t say anything about pedigree or regulatory compliance. EPCIS is a standard, but it’s a general purpose IT thing that you have to apply a specific way in order to make it work as a pedigree system. The standard is designed to be very flexible and for serialized product, it could be quite powerful if used right. There are a couple of problems for those who want to use it as a pedigree system, however.

  • There is currently no standard that describes exactly how to apply it as a drug pedigree system that would ensure interoperability across the supply chain;
  • There is the general tendency to talk about ways to turn EPCIS into a pedigree system, but I haven’t heard one yet that is likely to comply with existing pedigree laws.

I’ll cover those issues in more detail in later posts.

DPMS (Drug Pedigree Messaging Standard) is a GS1 standard that was specifically created to assist the pharmaceutical supply chain with creating an interoperable system to trace drugs in a way that can comply with existing pedigree laws. That includes Florida, California, the PDMA and all of the other states that currently have pedigree laws. The problem is, it doesn’t do much to assist companies with all of the many problems they face dealing with serial numbers on items. DPMS can take serial numbers and use them to trace those items, but there are a lot of other, non-compliance issues that must be dealt with first.

So there are problems with both standards. Perhaps an obvious solution is one that I, and others, proposed last year to combine EPCIS and DPMS to create a system that benefits from the best of both standards.

As you might imagine, there is a lot more I could discuss on this topic in later posts. But I’m going to try to stay out of the details and talk more about implications of each approach. Stay tuned…

pedigree

Fundamental Law of Commerce

Over the last few years I have been kicking around an idea that helps identify an important characteristic that will be necessary in any successful supply chain pedigree or track and trace technology/regulation. I can sum it up as follows:

When regulations mandate that a product’s value is determined by the ability to show, at any time, specific information about the product’s history, then the buyer of that product must receive all of the necessary information from the seller at the same time the product is received.

Take, for instance, a secondary wholesaler in Florida today. Florida requires a secondary wholesaler to be able to show an inspector a complete pedigree for any prescription drug in their possession. If the wholesaler cannot show the proper pedigree, then the product cannot be sold in Florida. The value of the item is reduced, perhaps to zero. If this drug-without-a-pedigree can legally be shipped to sites or customers outside of Florida the reduction in value is equal to the cost of the extra shipment, extra handling and perhaps a temporary out-of-stock situation until the unexpected loss can be backfilled (and possibly a fine).

Now imagine what would happen if there were no other place to legally ship drugs whose pedigree information is unavailable when called upon. The value of the drugs would certainly be zero, or worse. That’s a risk that can be avoided by ensuring that all of the information necessary for the pedigree is in the possession of the secondary wholesaler at the time they purchase the drug.

What would cause the information to not be available? Some technical approaches to maintaining pedigree information under discussion within the industry right now might result in something I call a “distributed” pedigree. That is, one that is stored across multiple organizations; the previous owners of the drug. When it is necessary to show a complete pedigree–to an inspector, a law enforcement organization, or just to a buyer–these other organization must be called upon to provide their part of the pedigree. The occasion that leads to the need to show a complete pedigree will probably occur somewhat unexpectedly (especially in the instance of a regulatory inspection or a law enforcement action). If one or more of the organizations holding part of the pedigree information are temporarily or permanently unable to provide their part of the pedigree, the product cannot be sold and thus has lost all of its value.

The real problem with a distributed pedigree occurs when the supply chain extends beyond just two trading partners. For example, the third owner of a drug in the supply chain probably doesn’t have any business relationship with the manufacturer (the first owner). That’s why they bought the product from the second owner. There is probably no contract between the current owner of the drug and the previous owners (except the most recent seller) so there is no way to ensure that these earlier owners will provide their necessary components to the pedigree when it is called for.

The solution is to make sure that all of the necessary data for the pedigree is always supplied by the seller at the time of purchase. That way, if any of the earlier owners have technical (or other) difficulties that prevent them from being able to serve up data, it won’t affect the value of the drugs that are downstream in the supply chain. In short, a “distributed” pedigree won’t work.

I believe this concept is a corollary to the fundamental law of commerce known as “Buyer Beware”. Transmitting a full pedigree at the time of the sales transaction is one way of arming the buyer with sufficient information so they can beware.

Uncategorized

Welcome to rxTrace

1 Comment

My intent for this blog is to publish my personal ideas and opinions regarding technology issues related to regulatory compliance within the U.S. pharmaceutical supply chain. I hope to cover topics like GS1 Standards, pedigree, track and trace, and issues surrounding those things, using publicly available information. This blog contains my own ideas and opinions and not those of my current or former employers and so I am solely responsible for them.

In general, the more ideas presented for consideration, the better. Most ideas will end up in the scrap heap. When I present ideas here and elsewhere, I try not to worry whether or not they might end up being rejected, because sometimes an idea that sounds bad initially can turn out to be the most innovative. Sitting on it for fear that it will be rejected would limit the chances of discovering the best idea.

All ideas benefit from collaboration with other people where they can be refined into better ideas. I hope my readers will respond often with refinements and counter-ideas. Please don’t hesitate to respond.

Thanks for reading. I hope this blog remains interesting to you.