The intent of the Drug Supply Chain Safety Act (DSCSA) is to ensure that every pharmaceutical item dispensed to a patient has a known path that is traceable through the supply chain. Seems reasonable, right? Consumers want safe pharmaceutical products that can be proven to have followed a legitimate path to the customer. But deploying the systems to enable this level of traceability is easier discussed than done.
The DSCSA enforces traceability by requiring two technology-driven activities. First, pharmaceutical manufacturers must print a unique identifier, including a serial number, on each package of pharmaceutical product at the saleable and homogenous case level. Second, all parties in the supply chain must record transaction information each time a pharmaceutical product changes ownership; from manufacturer to distributor to dispenser.
In order for the traceability process to work, the information recorded by one party must be able to be read and understood by another party. In the early stages of DSCSA, each party is required to pass along historical transaction data to its downstream trading partner, which allows for lot-level traceability at each step.
However, in later stages, each party must be prepared to communicate traceability data at the serialized level, including in response to inquiries from FDA or other parties in the event of an investigation. The key to delivering data as it is requested is having accurate information that is easily accessible, easily reportable and meets the requirements of the requesting party.
Companies that implement serialization and traceability solutions want to believe they have everything they need to not only meet the technology requirements, but the reporting and sharing requirements as well. Unfortunately, depending on which serialization and traceability partner you choose, that may not be the case. And not being able to share data opens up companies to security risks and fines, and can negatively impact brand and reputation.
Here’s why you may be at risk. All the data you collect is of little use if the receiving party cannot understand what you, as the sending party, are trying to say. Not all technology platforms have been built equally, but the worst time to discover this is the first time you’re asked to share data that is unreadable or requires mountains of time to restructure into usable reports.
This leads us to data standards. This is exactly why data standards are so important: they provide a common language that allows everybody to understand what other parties are saying.
Enter the EPCIS standard
Fortunately, a standard language for communicating serialized DSCSA information already exists. The foundation of this language is a GS1 standard called Electronic Product Code Information Services, or EPCIS. Nothing in FDA regulations mandates the use of GS1 or EPCIS. However, the serialization and traceability industry is aligned on using EPCIS as the de facto standard because it’s more effective and more efficient to track serialized items through the supply chain when everyone uses the standard communication format. At Verify Brand, we think of this standards-based approach as “future-proofing.” It’s in the best interest of all serialization participants to ensure their capabilities support EPCIS so nobody (e.g., the solution provider, clients and trading partners) gets painted into a corner with a proprietary approach.
This standard defines the “grammar” of transaction information, in which each transaction record indicates what serialized products were involved, when the transaction took place, where the shipping and receiving facilities are located, and why the transaction occurred in terms of the business process. This four-part structure of what, when, where and why allows all parties in the supply chain to gain a common view of what happened, not only for DSCSA compliance but also for other business processes, such as recall, anti-counterfeiting, new product introduction and so on.
Two other components round out the definition of the standard language. The EPC Core Business Vocabulary (CBV) provides standard definitions of data elements that populate the what, where and why dimensions of EPCIS data. If EPCIS defines the grammar of the language, then CBV defines the vocabulary all parties use to construct sentences within that language.
Finally, the GS1 US Implementation Guideline for Applying GS1 Standards for DSCSA and Traceability gives detailed, complete instructions for creating EPCIS data that contains all of the data elements required to meet the information requirements of the DSCSA regulation. If EPCIS is the grammar and CBV the vocabulary, the GS1 US Implementation Guideline tells you how to write the stories in that language to comply with DSCSA.
How this affects you
Whether you are a manufacturer, distributor, pharmacy, hospital, CMO or 3PL, you want to make sure that your serialization software is entirely capable of sending and receiving EPCIS data, in full compliance with the standards.
The reason is simple: you are responsible for ensuring that you meet the DSCSA’s requirements for data exchange.
If you are receiving product from upstream parties, you are responsible to receive transaction information according to DSCSA, otherwise you cannot receive the product. Conversely, if you are shipping product to downstream trading partners, you are responsible for sending transaction information according to DSCSA, otherwise your partner may reject the shipment.
Either way, you and your partner need to speak a common language—you can’t process the data if you don’t know what it means, and neither can your partner. The most efficient way to make this work is if you and all your partners, upstream and downstream, speak the same language—namely, EPCIS as specified in the GS1 US Implementation Guideline.
What to watch for
Ensuring that the serialization and traceability solution you deploy is capable of supporting EPCIS data shouldn’t be difficult—yet it can be. Each software provider should be transparent and able to define exactly what types of data they collect, the standards they support and how they handle sharing across systems.
But that’s not always the case. Not every serialization and traceability solution provider is capable of supporting EPCIS (due to technology limitations or their own business choice). Those that have fallen behind in managing solutions to these accepted standards have come up with a new strategy—focus on partner networks and connection points rather than the language structures required for actual transaction reporting and sharing.
When evaluating partners, each one will claim membership in a large network of supply chain trading partners across the pharma industry. But look for partners that have proven their ability to interoperate with any trading partner using the EPCIS standard, created by the international standards body known as GS1. Member companies dedicate time and effort to ensure EPCIS continuously evolves to meet regulatory compliance, supply chain and industry needs across the broadest community of countries and industry sectors to support standards-based data reporting and sharing.
Get the details and the dialect right
So you’ve found a partner that says they support EPCIS—great! But there’s one more step.
Like many languages, EPCIS has evolved over time. For compliance with industry requirements and, most importantly, DSCSA, it is vitally important to use the correct version, specifically EPCIS 1.2 and the detailed data specifications given in version 1.2 of the GS1 US Implementation Guideline. EPCIS 1.2, ratified by GS1 in September 2016, and version 1.2 of the GS1 US Implementation Guideline, released by GS1 US in November 2016, are specifically enhanced from previous versions to meet DSCSA data requirements. As was true with the creation of the EPCIS 1.1 version in 2014, and subsequent GS1 US Healthcare guideline, EPCIS 1.2 is the result of a dedicated working group enhancing the standard to meet real-world scenarios captured as part of pharmaceutical serialization implementations. Specifically, EPCIS 1.2 addresses the ability to correct prior erroneous events and also provides further standardization for key pharma-specific and DSCSA required data elements, such as lot number and item expiration date.
Want quick proof? Poll your 3PL or many of your downstream customers about the EPCIS version they require. The resounding feedback will show the industry has long since moved on from the original EPCIS version 1.0 to the more recent versions. Therefore, your serialization software must be able to receive and communicate in the latest EPCIS version—it’s as simple as that. All major US 3PLs, most of which are arms of the Big Three drug wholesalers, have specified that EPCIS version 1.2 is their preferred serialization communication standard.
As you are making decisions about which serialization and traceability software to use, pay particular attention to the vendor’s compliance with the correct version of the standards. It’s not enough for the vendor to say “yes, we support EPCIS”—make them prove it to you by providing samples of data, and then confirm that these samples are in every detail consistent with the examples in the GS1 US Implementation Guideline.
Don’t give up
It can be beneficial to engage an outside expert to help confirm that any prospective partner has the level of support for the version of standards that you need. Unlike human languages, computer languages are unforgiving, so you won’t achieve true interoperability with your trading partners unless your software systems adhere to the standards exactly.
With standards, there’s always an upside—but determining how to implement the right technology platforms can be confusing. Don’t give up and don’t allow marketing messages to dictate what’s important in a technology solution. It can be challenging to weed through all the options and compare software apples-to-apples. But for DSCSA, the benefits (and in most cases the necessity) of having a system that supports version 1.2 of the GS1 US Implementation Guideline and EPCIS is guaranteed to offer compliance right now, when you need it, more business benefits and value tomorrow and give you fewer headaches down the road.
ABOUT THE AUTHOR
Haris Kamal, senior vice president at Verify Brand, brings almost two decades of regulatory and serialization expertise. With experiences spanning across life science, retail and other industries, Kamal’s passion for harnessing technology to improve business processes help the Verify Brand team provide value beyond compliance for pharma companies and manufacturers.
Verify Brand serialization platform
Verify Brand’s flexible platform is designed to quickly and efficiently serialize, verify and track individual products or groups of items at all levels from the packaging line to the enterprise and thence to trading partners or government entities. From materials and suppliers to manufacturing and distribution, our approach generates rich data insights to create track and trace data points, alerts and customizable reports that increase visibility across the supply chain. Our security and quality control, our GS1 EPCIS foundation, our single-tenant (one instance per client, more control, lower future compliance validation workload), and event source architecture were all developed while working with brands in a variety of verticals, including the pharmaceutical market.