2017 Product Security Report

click to enlarge

Fig. 1. Industry has a long hill to climb for DSCSA compliance[/caption]

Pharmaceutical Commerce

has used

the term ‘Year Zero’ in talking about 2017 and the deadlines for compliance with the US Drug Supply Chain Security Act, simply because the key next step—having a unique serial number on each package of product leaving packaging lines—must be met by November 27. Previous deadlines, for lot-level tracking and for reporting various bits of information to regulators, have mostly been met, while future deadlines—tracing pharmaceutical shipments all the way from point of dispensing back, and a fully electronic, interoperable traceability system—are contingent on this serialization step. And because so many pharma companies around the world ship product to the US (and thus have to be compliance with DSCSA themselves), along with the national traceability efforts going on in some 40 countries globally, the US effort is something of a hinge that will shift worldwide pharmaceutical security practices.

In particular, the Falsified Medicines Directive (FMD) within the European Union has a February 2019 deadline for serialization combined with national or pan-European data collection, to secure distribution of drugs that routinely cross national borders there, and/or are repackaged for cross-border sales. Beyond the EU, “the serialization efforts going on in China, Brazil and Russia have all picked up pace recently,” notes Brian Daleiden, VP, industry marketing, at TraceLink, a leading software vendor in the field. “Additionally, India, which has one serialization program for export, and another for domestic traceability, is making progress.”

Fig. 2. Schreiner MediPharm’s Booklet-Label

The internationalization of pharma traceability is one key reason why speculation about the US program’s future course is more settled. With the arrival of the Trump administration, there has been speculation that DSCSA provisions could be delayed or even cancelled; however, with traceability as a global priority (and with US-based companies concerned with export of their products), there has been little to no resistance by the pharma industry to DSCSA compliance.

It is highly likely, however, that 100% compliance with the serialization mandate will not be met come November. Numerous programs at pharma companies and their contract manufacturing/packaging organizations (CMOs) are only just getting started; most industry experts say a time frame of up to 18 months is needed for a well-thought-out program. FDA has had a pattern with previous DSCSA milestones of using “enforcement discretion” in applying its deadlines; the likelihood is that this will also occur come November. “There are plenty of Big Pharma companies who are not complete with their serialization projects,” says John Jordon, VP, business strategies, at Vantage Consulting Group, a Hillsborough, NJ firm performing traceability implementations and other types of manufacturing automation. “The real crunch will occur with virtual pharma firms who are dependent on CMOs,” which makes that choice a critical one for the virtual company.

Fig. 3. Covectra’s StellaGuard label

On the other hand, many major pharma companies are well along with their programs. “We have been packaging and distributing serialized product for more than three years in the US,” says Mike Rose, VP, supply chain visibility, at Johnson & Johnson. “We have conducted several pilots with our wholesaler customers and are starting to use serialization data to assess and validate returned products. This information gives us insight into movement of product in the supply chain.”

J&J is also moving along the “beyond compliance” path, where businesses are expecting to derive value from their traceability programs. “We are investigating additional appropriate use cases in the areas of brand protection, brand marketing programs, sample management and customer connectivity,” says Rose.

Fast startup

The picture is different at many CMOs. While major players like PCI, Sharp Packaging and others not only have implementations in place, but are promoting their serialization services as a premium offering for manufacturers, others are just getting started. For the past six months or so, vendors of serialization equipment (the barcoding applicator and the machine-vision system for checking barcode quality, along with digital communications equipment to receive and transmit serial data). Systech promotes a ‘Serialize by November’ program that includes site and line management configuration, factory acceptance testing, and site acceptance testing, with an offer that future technical requirements will be met with no additional purchases. Optel Vision offers the Fast Series of five individual stations, for serializing and packing items or cases, with manual, semiautomatic or fully automatic functionality, and a promise to deliver within six weeks.

Vantage’s Jordon mentions another factor being contested among buyers of serialization equipment: aggregation. The term refers to the ability to match the unique serial codes of a few (or few dozen) packages inside a shipping case, with the unique code of the case itself. Wholesalers are demanding aggregation for the most efficient processing of deliveries inside their distribution centers; without it, each case would need to be opened to verify its contents. However, aggregation is not part of DSCSA compliance. By some industry estimates, incorporating aggregation into a packaging line can double the cost of an implementation on that line. “It’s entirely feasible to do serialization to meet the November deadline without aggregation,” he says, “but it will become necessary eventually. So, a client needs to consider turning a single project—serialization with aggregation—into a two-step project, and validate it all over again, with a substantial increase in overall costs.”

The packaging line equipment is considered to be Level 1 or 2 in the common ISO framework for industrial automation; Level 3 is the site level, and Level 4 is the enterprise or cross-organization environment. Besides the packaging line equipment, a functional serialization system needs a Level 3 or 4 IT system to store and communicate serialization data; some vendors insist that Level 3 cannot be skipped, and requires the provision of a site data server; others maintain it depends on the size of the organization and the communication needs.

In any case, Levels 3 and 4 are the realm of the IT vendors, where competition is hot and heavy between TraceLink, SAP, Axway, Adents and several other firms, with more showing up as time goes on. TraceLink touts a user base of more than 600, with several hundred thousand accounts registered to the cloud-based communications platform it maintains (one organization might have multiple accounts, and accounts include trading partners who simply communicate with a manufacturer, but don’t perform serialization themselves). SAP, which came out with an updated version of its Advanced Track and Trace for Pharma (ATTP) solution at the end of last year, is popular among major multinationals, many of whom use SAP tools for other parts of manufacturing execution or operations.

Standards setting

As the pharma traceability field grows and matures, the need for better standardization among vendors has become clearer. Optel, Systech and several other firms started an initiative, the Open Serialization Communication Standard (Open-SCS) Group a couple of years ago; it currently has 23 members* ranging from equipment and IT vendors to pharma manufacturers. Meetings are being held roughly quarterly.

“At this time, we’re looking to around the third quarter of this year for a proposed standard for Level 3-4 communications,” says TraceLink’s Daleiden, “with Level 2-5 standards possibly out in 2018.”

Open-SCS is meant to be complementary to the years-long initiative of the GS1 organization, a global body focused on barcode technology and product identification. GS1 is the source of EPCIS, which is the guideline for how serialization is to be written and communicated between trading partners; EPCIS and other GS1 formats are already in use in numerous other industries around the world.

Another effort—not for standards development per se—is coming from the Healthcare Distribution Alliance (HDA), which has had a pilot program for handling pharmaceutical returns for a couple years, and is now launching a data repository service, Origin (see box). HDA has had working groups that provide feedback to FDA and federal legislators even as DSCSA was coming together, and has continued with working groups addressing barcode quality. A current effort, on how exceptions to the framework set up for DSCSA compliance, is ongoing. (“Exceptions” would be cases where something occurs that simply doesn’t fit with normal processes—an example would be a legitimate package of drugs, but with an unreadable barcode. At current count, the HDA working group has identified 29 such situations.)

Fig. 4. The GS1-defined Global Trade Item Number-14

Anti-counterfeiting redux

Ten years ago or so, prior to the focus on serialization mandates, there were many technology offerings for anti-counterfeiting or product authentication. And while DSCSA, by most expert evaluations, provides a high bar for counterfeiters to surpass, it is not a thorough defense against counterfeit products entering supply chains. Beyond that, through sales channels such as illicit or foreign mail-order pharmacies, a substantial amount of counterfeit product—valued in the billions of dollars by some estimates—is entering the US market anyway. (No one involved in illicit mail-order pharmacies is going to be paying attention to DSCSA compliance.)

These conditions, in part, are renewing interest in applying anti-counterfeiting measures to pharma packages. In truth, the technology never went entirely away; high-value biologics and popular lifestyle drugs have incorporated them all along. But a growing number of vendors are now offering solutions, many of which ride alongside the serialization effort.

At the Interphex tradeshow this spring, Covectra, which has been marketing a traceability solution for many years, introduced a new label, StellaGuard. Working with a technology partner, the company offers a label with a random mix of patterns on it; the serialization data that Covectra itself provides can be printed on this label. With the proper imaging capture (which could be a simple smartphone), and a cloud-based online authentication service managed by Covectra, a client can get a reading of the authenticity of the package. Manufacturers concerned with tracking their products’ distribution can do quick and easy field checks.

Meanwhile, for a couple years now, Systech, which offers the UniSeries for Level 1-4 serialization and data communications, has also been marketing UniSecure, a method of authenticating labels by means of the minute discrepancies from one label to another as they are printed. The patented technology has had some takeup in consumer packaged goods, the company says, and pharma interest is rising.

A third option comes from Schreiner MediPharm, which produces labels and other attachments, typically for vials or syringes used in healthcare settings, as well as labels for conventional drug cartons. The new Booklet-Label offering combines necessary product identification with three levels of security: a recorded random pattern integrated into the physical label, which can be detected with appropriate software (and a smartphone) but which is invisible to reproduction efforts; the KeySecure tracing system, employing a unique serial identifier and an integrated RFID chip, is also detectable with near-field capable smartphones. This label combines the security features with tamper evidence—another component of the EU’s FMD mandate.

Finally, Applied DNA Sciences, which has devised a method to mass-produce DNA-like chemical signatures, which can then be incorporated into printing inks (or even onto drug tablets themselves), is renewing marketing efforts to the pharma industry for its technology, which has already gained some acceptance in the textile industry.

Security inks, holograms, covert codes or patterns have traditionally been used in document authentication for years; the technology is fairly advanced (just look at any modernized paper currency to see its use). For the pharma industry, the problem has rarely been the slight added cost of the security measure, but the communications infrastructure to perform field verifications and derive value from it. Higher cost pharma products are easy to justify; generic or lower-cost branded products, less so.

click to enlarge

Fig. 5. HDA’s vision of resolving GTIN-14 data[/caption]

Cargo security

Supply chain managers have been intensively focused on the impact of traceability on their distribution channels, but at the same time, they cannot overlook the importance of basic theft or diversion protection of their shipments, regardless of the channel. Trucking companies have been waging a longstanding counteroffensive against hijacking and other on-the-road risks. “Johnson & Johnson Supply Chain takes a strategic and holistic, end-to-end approach to identifying, managing and mitigating the risk,” says George Harry, director of North American Transportation at J&J. “In terms of cargo security, for example, J&J has a multi-layered, risk-based approach that includes covert GPS application, route geo-fencing, third-party active monitoring, and other pick-up security controls that are used in our supply chain to protect our most important and most valuable shipments.”

An industry group, the Pharmaceutical Cargo Security Coalition (PCSC), has been aggressively advancing the state of the art in this regard; the field was energized after the infamous theft of tens of millions of dollars’ worth of products from an Eli Lilly warehouse in Enfield, CT in 2010.

Chuck Forsaith, executive director of the group, says that at least as regards US cargo security, the problem has nearly vanished in trucking theft; a handful of incidents were recorded in 2016 by the group. More recently, it has looked into the problem of “last mile” theft—the vans or trucks that take drug product from distribution centers for delivery to local pharmacies or hospitals. “Everyone thought this was a major problem,” he says, “but in reality, out of the tens of thousands of deliveries made annually, only 60 were identified in the past year.” It’s a concern, and there are useful steps to prevent such incidents, but it’s hard to contemplate how to drive the incidence lower.

Meanwhile, PCSC is now looking into another aspect of cargo security-pilferage that can occur in logistics facilities or vehicles. One pattern that has emerged is that the problem increases around the time of holidays—typically when major logistics providers expand their temporary workforce. The assumption is that these workers are less vested in obeying the law. One countermeasure is to reduce the amount of identification on shipping packages that identify its contents as pharmaceuticals; for example, using an acronym rather than a full company name. There are always reasons to be vigilant with pharmaceutical cargo security.

Internationally, the cargo security question is much more complex, with dramatic thefts of shipments occurring in South America, parts of Europe and the rest of the world. For local issues, the industry is dependent on law enforcement in each region; for international trade itself, there is a benefit to be had from participation in the Customs-Trade Partnership Against Terrorism (C-TPAT), set up originally by the Customs offices of the US, and now part of the Dept. of Homeland Security. Forsaith is on an industry advisory committee interacting with Customs and Border Patrol on updating C-TPAT standards. While they were originally set up to protect against terrorist acts (by requiring inspection of packages prior to going onto planes or ships), the site security and other provisions also provide overall cargo security. Pharma companies have been enthusiastic partners of the voluntary program, with many pharma companies (and the logistics providers they work with) achieving Tier 3 status, the highest level of security.

Save

Save

Save