2016 Product Security Report

Nicholas Basta;

2016 Product Security Report

May 5, 2016

Nicholas Basta

Publication

Article

Pharmaceutical CommercePharmaceutical Commerce - May/June 2016

Pharma spends heavily to secure its supply chain, while politicians bring out the re-importation topic

For the moment, let’s all breathe a sigh of relief that no major counterfeiting scandal has erupted in the US in the past couple years; although there are always underpublicized cases of drug diversions or the improper purchase of prescription drugs from online, self-proclaimed “pharmacies,” nothing on a par with the bogus anti-cancer drugs from the Middle East showing up in oncologists’ offices in 2014 has occurred. Which is not to say that counterfeiting, diversion and stolen pharmaceutical cargo are not global problems: the situation in Africa and other parts of the underdeveloped world is still dire, and counterfeiters and diverters still knock on the doors of national pharmaceutical supply chains around the world.

Fig. 1. The US’ timeline extends to 2023. Credit: Acsis

And while counterfeiting remains the ultimate in evil criminal practices, product security needs to be looked at more broadly. As this story was going to press, news was breaking of a major scandal in China, involving millions of doses of childhood vaccines that were improperly stored (and therefore inactivated) by a small group of traders who then sold the drugs to local pharmacies across the country. The distribution apparently did not result in patient deaths (unlike earlier scandals involving adulterated infant formula), but is turning into a black eye for government regulators, who reportedly sat on the news for over a year and have now further eroded the Chinese public’s trust in its healthcare system. Pharma supply chain managers know that improper storage can be as damaging as fake products; but that knowledge dwindles as drugs move into commercial distribution.

For brand-security and product-integrity managers in pharma, much of the attention is currently devoted to fulfilling the mandates of the US Drug Supply Chain Security Act (DSCSA). Operational managers in packaging and trade relations met, by and large, the January 2015 deadline for conveying lot-level data to trading partners along with the physical movement of the drugs in the supply chain. The next step, for retail pharmacies to verify the incoming information and store that data for FDA inspection, was delayed twice during 2015, and is currently being complied with at the local pharmacy level.

Pharmaceutical Commerce’s annual round-the-pharma-distribution-circle looks at the key areas of brand integrity:

Serialization and traceability, now occurring globally
Online pharmacies and online drug promotion to consumers
Cargo security
Anticounterfeiting technologies

Serialization milestones

At the very beginning of 2015, US wholesalers were mandated to begin recording lot-level data on shipments they receive from their pharma suppliers. That is one of the earliest deadlines to be met by the Drug Supply Chain Security Act (DSCSA) and, by most accounts, the mandate was met successfully. The next deadline was for that data to be on hand at retail pharmacies, but that deadline was delayed twice and only went into effect this spring. Industry observers say that the biggest pharmacy chains have been well equipped to receive this data; smaller chains or independents are relying on their distributors to keep the data on hand.

Manufacturer activity is ramping up rapidly for the next step—providing item-level serialization by November 2017. To accomplish this, manufacturers and their contract packagers need to install a 2D-barcoding device on their packaging lines (or, alternatively, to arrange for delivery of already-printed labels to be applied), and a machine-vision system to record the serial data and verify its placement.

Fig. 2. The EU is setting up a pan-European authentication data repository. Credit: EFPIA

A parallel development is occurring in Europe, where the Falsified Medicines Directive (FMD) was officially implemented in February by the European Union. A three-year timetable, to early 2019, is now the goal for the EU to have an authentication system in place whereby pharmacies can check with a national (or EU-wide) online database to verify the authenticity of a drug package prior to dispensing it to a patient. (Relative to the US, this program is starting a little later and is scheduled to conclude a little sooner; from a packaging line perspective, the requirements are very similar.) A growing number of other nations, including China, South Korea, Brazil, Argentina, India and others, have their own timetables, although some of them seem to shift as their implementation date approaches.

Two North American companies—Systech International and Optel Vision—have been competing aggressively for the packaging-line equipment segment. Although neither company releases financial data, the momentum currently seems to belong to Optel, which opened a center in Ireland last year, is opening two additional centers—in Brazil and India—this year, and expects to employ nearly 50% more employees (to a total of almost 700) by year-end.

Both companies work with a variety of equipment vendors (cameras, barcode printers and scanners, as well as packaging equipment manufacturers of cartoners, bundlers and case-packing equipment). For its part, Systech has rebranded its software offerings as UniSolve and UniSecure; Darryl Brown, marketing manager, says that UniSecure, a proprietary method of using the optical image of a label itself as an authentication technology, is generating substantial interest in Europe. “UniSecure bridges a gap that enables consumers to connect directly with the pharma manufacturer,” by using a smartphone to authenticate the label with a manufacturer’s online database. “That can be important for communicating patient medication guides and the like, in the language that the patient prefers.”

Meanwhile, a number of European companies, including Antares Vision (from Italy) and Adents (from France) have opened offices in the US. Antares brings substantial experience from Turkey, where its systems serialize and verify 50% of the drugs being distributed in that country, according to Adriano Fusco, global marketing director at the firm. (Turkey was one of the first countries to establish a national drug-tracking system, both as protection against counterfeiting, and to digitize its health system reimbursement program.) The company also makes packaging line equipment; and its US facility is more than a sales office—it includes a sizable warehouse and production facility, which not only stocks units produced in Europe, but also manufactures several models on premises. The facility also features a laboratory for full solution testing, a team for technical support and a team of project managers.

Adents, which has experience in serializing food and cosmetics in Europe, opened a US office early last year, headed by Ed Cummings, an experienced systems integrator. He says that as opposed to his competitors, who provide their own cameras and visual-inspection equipment, Adents will work with nearly any equipment supplier—including working with vision equipment that might already be installed online. “We’re a pure-play software vendor,” he says, noting that the company is the pharma-serialization partner chosen by Siemens, a dominant industrial automation vendor, to provide packaging automation to the pharma industry.

Other players in the packaging automation field include Covectra, Seidenader (part of Körber Medipak), and Rockwell Automation.

Fig. 3. Antares All-in-One automated case packer handles aggregation.

Aggregation aggravation

The barcoding/serialization process itself is fairly straightforward; the main issue is selecting serial numbers and then applying them to each package (the verification part of this process, however, is another story). But at the end of many packaging lines, individual packages go into cases or bundles, and those into pallets, and this “aggregation” step is a longstanding impediment to smooth packaging and distribution operations. Because wholesalers and other pharma customers do not want to open each case of product when it is received to verify its contents, they want a near-perfect accounting of what serialized items are in each case. The structure for doing this is to assign a “parent-child” relationship between the multiple barcodes of packages in a case, and a barcode for the case itself. (At this year’s HDMA Distribution Management Assn. conference and expo, one speaker alluded to a “grandparent-parent-child” relationship, including the barcode that would go with an entire pallet of product.)

Aggregation is expensive: industry experts agree that including aggregation more or less doubles the cost of a packaging line serialization project. Manufacturers know that the DSCSA does not specify aggregation in its mandates; however, most major wholesalers will insist on it as a term in their supplier contracts. “When you include aggregation, you have more control over what is happening in your packaging and warehousing operations,” says Antares’ Fusco. “For this reason many companies are going with aggregation, even if not expressly mandated.”

Fig. 4. Antares Vision’s manual casepacking station can be added into existing packaging lines.

Antares and others provide automated, semi-automated and manual aggregation stations: either robotic equipment assembles a layer of packages, validates it with the camera and continues to fill up a case, or an operator performs either both the filling and the validation with a handheld scanner, or just the filling step. Systech’s Brown says that his company’s software has included process steps for aggregation for many years; it can also provide data on cases that might include both serialized and non-serialized product. (The issue of “grandfathering” pharmaceutical packages being made today, but which are not serialized, and will be in circulation for several years to come, is yet another worry of wholesalers.)

Jean-Pierre Allard, chief technology officer at Optel Vision, has presented data in company workshops that adding aggregation after a serialization project increases overall costs by 27%, as compared to incorporating it at the same time as the serialization; but he also suggests that it is possible to approach the task stepwise, especially if there is an expectation that aggregation equipment will improve by the time it becomes necessary for a fully compliant traceability system.

Special mention should also be made of a key transfer that usually occurs within a pharma company’s four walls: from the production area to warehousing. While some of the serialization vendors offer a dedicated warehouse tracking system, and big logistics software companies like JDA Software or Manhattan Research offer comprehensive warehouse and logistics IT systems, there are at least two vendors—Acsis and Roc-IT—that offer so-called “edge” systems that interact with the site-level serialization software and extend it into the warehouse. In the warehouse, serial data and location information—often collected by handheld scanners—can be compiled and stored. The systems provide a critical link between the output of the packaging lines, and the output of the warehouse as product moves out from the manufacturer to its customers.

More standards

The great majority of this serialization activity is codified in standards established by the GS1 organization; its standards specify how a serial code is to be created and printed (both as a 2-D and a human-readable barcode), and the broader standards for global location numbers (GLNs) and a host of other codes. At a higher level, it has also established the EPCIS standard, which codifies how “events” are to be described in a traceability system. (An event is a step in the distribution process, such as a delivery of a shipment, stocking a case and the like. This event information ultimately becomes part of the “transaction history” required by DSCSA.) EPCIS 1.1 has been out for over a year; an updated ver. 1.2 is being released imminently, according to Peter Sturtevant, senior director in the GS1-US section. (Last July, EPCIS was accepted as ISO/IEC 19988 by the ISO organization, which gives it a broader applicability.) The GS1 Healthcare organization (a subset of GS1 for pharma and healthcare) conducts regular workshops, and maintains workgroups that continually refine the standards.

In theory, if everyone more or less agrees on the form of EPCIS data, packaging line equipment and plant-level IT systems should simply be able to process the data, right? In practice, however, most of the vendors (even those claiming GS1 certification) involved in serialization technology have their own methods of communicating these data, and transfers from, say, the plant floor to the enterprise level require configuring interfaces at multiple steps. With five years or so of pilot projects, multiple already-installed lines, and the inherent competitive stance of vendors call for establishing a plant-automation communications standard.

Optel, joined by Systech and several other firms (with some pharma companies, who are paying for all this technology, coming along) have started an initiative to establish an open, global standard. And while its actual elements are still in flux, the direction the group, called the Open Serialization Communication Standard Work Group, is going in is to develop a standard in conjunction with ISA International (the former Instrument Soc. of America), and with the ISO organization in Europe. The standard is structured off the framework of ISA-95, a long-established standard in industrial automation, which specifies a “stack” of control (Level 1: sensors; Level 2: line controllers; Level 3: site automation; Level 4: enterprise data systems).

So far, a relatively small group of companies are either contributing funds to the effort, or providing internal resources to move the project forward. The progress has been slow: initial meetings were held in 2014, and a planning document was written last year by Charles Gifford, an industry consultant acting as executive director. That document looked to a June 2016 date for a draft standard, but the effort is still in the planning stage.

“It is not our core business to sell professional services to customize the IT connections from our packaging line and plant server platform to the various third-party platforms such as corporate serialization servers, MES and ERP systems,” says Louis Roy, Optel CEO. “For Optel Vision, having a single standard IT connection scheme with all our partners means that we will spend less time on every project and be able to deploy faster. For the manufacturers, it means that they are less vendor-locked with the interoperability such standard allows and, of course, they save money. Billions of dollars of integration can be saved for the industry with the Open-SCS standard.”

This initiative is a worthy one and could provide substantial savings to pharma manufacturers and their contract manufacturing partners; the problem is that developing a standard when the vendors in the field are competing heavily (think of the early days of Apple Computer and Microsoft); and because the clock is already ticking on serialization deadlines and thousands of packaging lines have already been converted, time could be running short for an effective standard.

Enterprise level

The vision for DSCSA is that pharmacies or doctors’ offices can verify the authenticity of a drug package with an online data depository, and state pharmacy regulators can review the movement of a drug through the supply chain at a moment’s notice. How data ultimately will be collected and made accessible remains to be determined; in the meantime, manufacturers need systems that can interact with their trading partners for at least that one-to-one data exchange.

At this enterprise level, companies like TraceLink, Axway, RfXcel, Frequentz (and Systech, with its UniSphere IT system solution) are offering or have installed systems to collect the massive amounts of data from a commercial-scale distribution perspective. The field is undergoing a step change as SAP introduced its Advanced Track and Trace for Pharma (ATTP) system late last year; previously, companies had been adapting existing SAP general-purpose tools (OER and AII) to meet the enterprise-level challenges, but the company, whose enterprise software is widely used in pharma, committed to an industry-specific system in ATTP.

Part of the problem these enterprise systems have to contend with is that each country or region has its own reporting requirements, so the systems have to be adapted to those nations with the addition of reporting modules. There are also capacity constraints; the data accumulated during, for example, daily warehousing operations at a wholesaler’s distribution center are massive, and yet for the purposes of verifying the accuracy of a delivery, those data need to be accessible in almost real-time.

TraceLink committed to a full-blown cloud-based offering several years ago, and has benefitted from the flexibility that cloud-based computing offers (it partners with Amazon Web Services in this regard). Other companies offer both cloud-based and on-premises versions; SAP, which is putting more and more of its resources into cloud computing, offers its own hosting capacity.

In March, TraceLink announced that it had successfully managed commercial-scale data exchange—with full EPCIS compliance—with one of the Big 3 wholesalers and a leading pharma company in the US; the project started in 2015 and in February 2016, according to a company statement, “TraceLink processed more than 1,300 EPCIS events with more than 10,000 serialized units per event—and more than 230 EPCIS events with more than 100,000 serialized units per event. TraceLink can process these large-scale EPCIS events at operational speed, where traditional databases take hours to do the same. As a result, TraceLink customers are able to run their serialized operations and maintain the same level of productivity and efficiency they experienced prior to shipping products with serialization information.”

Safe online pharmacies?

One of the criticisms of DSCSA leading up to its passage was that it would barely make a dent on the trade going on with online “pharmacies” (many of which are pharmacies in name only, and which operate not only outside national pharmacy standards, but outside legal commerce). The National Assn. of Boards of Pharmacy (NABP), which has led a battle against these drug dealers for years, succeeded in getting the responsibility from the ICANN organization (which manages Internet domain names) to manage the “.pharmacy” name extension (technically, the “top level domain name”) last year, enabling it to at least prevent the online sites from using “.pharmacy” as part of their name.

As of October, NABP had authorized 227 entities (pharmacies as well as governmental boards and a handful of manufacturers) to use the .pharmacy name; most of them met NAPB’s criteria as validated pharmacy sites, and there are discussions going on with other nations over the naming convention and how it is to be regulated.

The seriousness of the online pharmacy situation can’t be understated. In its annual update of spurious online pharmacies, NABP reported in January that it had identified 10,668 websites operating outside US and NABP standards for pharmacy practice; more than half of them did not list a physical location, and a comparable number offer drugs not approved in the US for use. At the same time, reports are mounting of the sale of unapproved or counterfeit controlled substances; there was a rash of deaths in California recently from fake Xanax laced with fentanyl, a powerful analgesic. FDA, US Customs and Interpol, among others, run an “Operation Pangea” annually to crack down on illicit online pharmacies, shutting down thousands and confiscating fake drugs; the 2016 event has not yet occurred.

There was no little irony in an announcement, last August, that a federal indictment had been unsealed charging Ram Kamath, PharmD, and thirteen other organizations and individuals related to the sale of $78 million worth of mislabeled and counterfeit drugs. Kamath, an Illinois resident, was also the director of pharmacy policy and international verifications for PharmacyChecker.com, a New York-based organization that promotes purchasing drugs from non-US sources. It also claims to provide a verification process of its own; however, one of the companies cited in the indictment, CanadaDrugs.com, as well as others in the past, have been shut down or had their executives arrested for counterfeit-drug distribution or selling controlled substances illegally.

“For years, millions of patients and physicians have relied upon PharmacyChecker.com and CanadaDrugs.com, believing they are getting genuine drugs from a real Canadian pharmacy,” said Libby Baney, Alliance for Safe Online Pharmacies founder and executive director, in a statement. “The DOJ indictment evidences that these entities have been touting myths, giving US physicians and consumers a false—and consequently dangerous—sense of confidence.”

The online pharmacy scene also highlights a related worry for pharma brand owners: improper use of their brand names for online sales or other purposes (one obvious example: a batch of drug being offered for sale on Ebay.com or elsewhere). Google, Bing and several other online information sites agreed to police the appearance of drug names and online pharmacy promotion on their sites several years ago (Google paid a $500-million fine to the US government leading up to this effort). Another company, MarkMonitor, offers brand security services to pharma companies and other brand owners.

Security and resilience

Close observers of global pharmaceutical supply chains are aware of hot spots around the world where pharmaceutical shipments are being targeted by thieves, or where natural catastrophes can interrupt, for example, deliveries from a contract supplier. Within the US, elaborate tracking systems are managed by trucking companies to secure cargoes, with onboard cellular or satellite-based systems tracking the shipments in real time to identify theft or diversion situations. (There’s an arms race here: thieves have developed scanner-jamming devices; while security suppliers develop jamming-resistant technology.)

Charles Forsaith, a security director at Purdue Pharma and head of the Pharmaceutical Cargo Security Coalition, a volunteer group in the US, notes that truck thefts in the US have been declining for several years after his group and others began working to improve coordination between local law enforcement and trucking companies. “The spirit of cooperation, particularly within the pharma security groups, remains at a very high level,” he says. More recently, a subgroup with PCSC has begun analyzing “last mile” incidents, frequently involving the vans used to deliver daily shipments to local pharmacies.

Several independent organizations, as well as the multinational logistics companies, can monitor shipments around the world, including ocean freighters and air cargo at airports (technology and regulations prohibit tracking aircraft in flight). FreightWatch International, a subsidiary of the cold-chain technology provider Sensitech, is one such service company; others include LoJack Supply Chain Integrity and CargoNet, a subsidiary of Verisk Analytics, a global fraud-protection and business continuity provider.

Last fall, in its eighth annual Pain in the (Supply) Chain survey, UPS Healthcare Logistics found that life sciences companies have made substantial progress over the past several years investing in IT systems and cargo protection, but that contingency and business-continuity planning was lagging, with only 60% of respondents considering this a priority. “Even as unplanned events have impacted healthcare supply chains over the past several years, a large percentage of supply chain decisionmakers still do not consider contingency planning important,” the report concluded.

Fig. 5. DHL’s Risk and Resilience report recommends a comprehensive view of business continuity

DHL came out with its own study this spring, Insight on Risk and Resilience,* in conjunction with a recently developed information and analytic service, Resilience360, which assesses global logistics threats (natural disasters, war, labor relations) for its clients. One of the offshoots of this service is the Supply Chain Risk Exposure Index, a customized assessment of manufacturers’ business risks. “The life sciences industry has high-value products on which lives depend; in addition it has more stringent regulatory requirements than most industries,” says Angelos Orfanos, president, DHL Life Sciences & Healthcare. “Outsourced logistics providers like us have invested heavily in resources to ensure product safety and risk reduction.”

The public health aspects of pharma’s supply chain integrity are the focus of a US organization, Healthcare Ready, which arose out of the follow-up to Hurricane Katrina in 2005 to coordinate private businesses and public health agencies (such as the Federal Emergency Management Administration) to prepare for natural disasters. “We’ve been working with state and federal public health and emergency response organizations to ensure that when the next natural disaster strikes, the medicine and healthcare supplies that affected people need will be available,” says Emily Lord, executive director.

Fig. 6. Gartner envisions a future state where serialization data transforms supply chains into “value creation networks.” Credit: Gartner

Too many silos

The centrality of serialization-based traceability systems to all these aspects of supply chain integrity is a key theme stressed by Andrew Stevens, an analyst for Gartner Group, the IT consulting firm. Besides noting the overlap among US, EU, and other nations’ and regions’ traceability initiatives, he puts the context of traceability in a business value context.

“One of the problems with traceability is that it is looked on only as a compliance issue, and focusing on making it work on packaging lines,” he says. “But once this data becomes available throughout supply chains and throughout pharma organizations, a very different perspective appears.” Even now, attention should be paid to how traceability will improve quality management in manufacturing, and soon will be of value to brand management teams, patient support services and a wide range of other functional areas (see Fig. 6).

As Stevens sees it, traceability will be a gateway to a future state of “digital business technology” that meshes well with where healthcare itself is going: value-based therapy management; connectivity with patients; and as-yet unrealized new business models. Improved supply chain performance—in the form of lower inventories, better visibility in distribution channels and more accurate forecasting—is just the first wave of change.

Greg Cathcart, president of Excellis Health Solutions, another IT consulting firm, sees a similar set of issues with how traceability is being handled now. One example comes from health systems where, once the serial data that is to accompany the physical arrival of drug shipments is integrated into internal IT systems (which won’t be a regulatory requirement until 2023), hospital administrators could have a datastream that is salable back to pharma manufacturers. “Collaboration with business partners is a big technical problem, but it will also be a big opportunity.”

COMPANIES MENTIONED IN THIS REPORT

ACSIS

Marlton, NJ | www.acsisinc.com

JDA SOFTWARE

Scottsdale, AZ | www.jda.com

ADENTS US INC.

East Windsor, NJ | www.adents.com

NATIONAL ASSN. OF BOARDS OF PHARMACY

Mt. Prospect, IL | www.nabp.net

ALLIANCE FOR SAFE ONLINE PHARMACIES

Washington, DC | www.safeonlinerx.com

LOJACK SCI