The regulatory landscape for Indian pharmaceutical companies has recently undergone a titanic shift with the public notice from the Directorate General of Foreign Trade (DGFT) and the Ministry of Health and Family Welfare (MOHFW) that impose stringent requirements for combating the counterfeit menace that has plagued our industry. The DGFT ruling was the result of the scandalous presence of drugs in foreign markets that are allegedly made by reputable Indian companies, but which are actually counterfeit variants that have either reduced or no medicinal value. The hard-earned image of the Indian pharmaceutical industry as an excellent source of high-quality medicines thus came under direct attack, for which the Indian government took serious and immediate measures to protect the National image. The domestic market was not immune to this problem, which in turn led to the MOHFW directive.
The two rulings are now well known to industry and hence not being detailed here. But one thing is clear — the mandate to Indian pharma is to undertake an immediate and robust programme of product serialization that in turn serves to create a Track & Trace programme. These twin requirements are inseparable because serialization alone is not an effective tool, and Track & Trace cannot be undertaken without product serialization. Consequently, I advocate that the solution provider must not only be able to undertake high-volume serialization and associated data management, but that the same vendor must of necessity also provide a full Track & Trace solution.
The challenge faced by industry then is how to go about choosing the right vendor. With this in mind, I have created this guide based on my own experience in the industry combined with the considerable information I have gathered from talking to experts, regulators, and fellow colleagues. Rather than simply write an “article”, I have opted to create a guide that is focused on some critical issues that must be met, and in doing so the parameters that need to be considered while selecting a vendor.
I conclude with some thoughts on how the answers should be interpreted by way of a score card and how the cost of the solution must be balanced with the benefits offered so that the value proposition is adequately assessed. This guide is divided into three sections that cover the important elements that will need to be separately assessed — A) Serialization, B) Track & Trace, and C) Hardware implementation.
A) Unique number serialization
1. Are the security codes guaranteed to be unique for eternity?
Yes No
Issues to consider:
Here is a potential scenario. The security code on one of your products just happens to be the same as that on another product of yours, or perhaps even that belonging to another company. Your product no longer has a unique identity now, and therefore fails the core regulatory requirement of “uniqueness”. And once that happens, all bets are off on the robustness of the coding system employed by your company, which in turn will likely lead to an audit failure, especially if you are exporting to regulated markets. This is a very real scenario, given the millions of products being produced by most Indian pharma companies each year, and the billions of products manufactured throughout the entirety of India.
Some vendors use a centralized serialization system that ensures codes are never replicated. Other vendors provide security code generation directly at the plant level. This can be problematic because the same system deployed at another plant may also generate the same code by random chance. In such systems, the only way to guarantee uniqueness is if there is cross-checking between all of the installations at other locations. Given the difficulty of this task, a centralized system provides the best assurance of uniqueness, so long as the vendor has the means to internally verify uniqueness as the codes are being generated, and thereby provide a guarantee that the same codes will never be generated again for anyone, anywhere — for eternity.
2.Does the solution provider use a closed system for delivering the security codes?
Yes No
Issues to consider:
Security codes can be delivered to the client in many ways. The most common is to send a file (.csv, spreadsheet, text, etc.). This is a risky proposition for two reasons. First, there is no guarantee that the same file may not mistakenly be duplicated and sent elsewhere, thereby destroying the core requirement of uniqueness, as discussed above. The second concern is that a file containing visible codes in text form can be theoretically copied, emailed, printed, or exported by a variety of means. Regulators do not like such open systems for this very reason.
A highly acclaimed solution to this problem is to ensure that the security codes remain “invisible” until they are actually printed on a product. In this regime, the codes are stored in an encrypted manner so that there is nothing to duplicate, copy, export, or steal. A few vendors offer such a “closed” system, which should be the preferred choice of brand owners because ultimately the objective is to combat counterfeit drugs. The solution will only prevail if the technology itself is immune to corruption, and therefore the current state-of-the-art should be adopted.
3. Does the vendor provide a domestic anti-counterfeiting programme with consumer empowerment through SMS verification?
Yes No
Issues to consider:
Flexibility is important. Although the major objective right now for many Indian pharma companies is to comply with current regulatory demands (DGFT and MOHFW), there exists a possibility that the Ministry of Health will demand a domestic programme for consumer authentication to reduce the menace of counterfeit drugs in the Indian marketplace. Therefore, it is wise to ensure that any investment being made now in a security system has the flexibility to adapt to such a requirement when it is imposed. The solution provider should already have in place (not something that they will later develop) a system for consumer authentication via mobile means (SMS, GPRS/3G) using the very same security code technology for export products. The vendor should also have a well-established market surveillance program to track incidents and report them to the brand owner.
4. Does the solution provider use a non-database system for security code storage and management?
Yes No
Issues to consider:
Although this is the last question in this set, it is actually the most important. Many vendors create security codes using a random number generator and then store those codes in a database. There are two major concerns with this process. The first is security. Databases are vulnerable to attack from external (or even internal) sources. There have been several examples of entire databases either destroyed or data stolen. The important consideration here again is security, given that the entire purpose of this exercise is to secure the brand owner’s products in a global marketplace. The very real concerns with database security impose risks that must be dealt with. “Database security” is not a theoretical problem; a mere Google search of these two terms will produce endless pages of actual examples where database breaches have occurred, in India and elsewhere.
Some vendors have developed security solutions by which the codes are not stored in a database, but instead maintained in an encrypted form at the code level that entirely bypasses the need for database storage. This technology is known as Digital Mass Encryption or DME. A 2008 CII technology report and more recently a 2011 White Paper from the prestigious Frost & Sullivan firm proclaimed DME to be the best security technology for data storage.
The second reason for avoiding database storage is that beyond a certain code volume, databases become notoriously slow in terms of response time. There are many reports of database crashes when a threshold volume of around 100 million codes is exceeded. In considering Indian pharma volumes, this can be easily reached within a short period of time, especially if a vendor is serving several companies. The best example of the database-volume crunch is the now well-known Turkey fiasco. Turkey had started a national pharma serialization program, which crashed on the very first day due to volume overload. Turkey has had to take great pains to resurrect their serialization programme since then.
The bottom line is this — ask the vendor if they are using DME technology or a database. It is best to avoid the latter, for the sake of security and performance.
B) Track & Trace (e Pedigree)
5. Does the vendor have its own Track & Trace system?
Yes No
Issues to consider:
It is sometimes believed that the mere act of serializing pharma products should be sufficient to beat the counterfeiters. This is incorrect. Anyone, including the counterfeiter, can put a number on a product. Serialization serves as the core foundation for two larger objectives — product (or shipment) authentication and Track & Trace. In fact, both the DGFT and MOHFW rulings make clear that the objective of this exercise is to develop a Track & Trace system, which is widely accepted among experts to be the most effective anti-counterfeiting solution.
So, what is Track & Trace (or T&T)? The concept is elegantly simple — T&T is the means by which a company or government agency can keep track of who has handled a pharma shipment, when, and for how long. The chain of custody of a shipment must be made available in electronic form and is referred to as its electronic pedigree (e Pedigree). In order to have an e Pedigree, a complete T&T system must be set up, which for Indian exports must necessarily mean a global-level record. The unique serial numbers serve as the digital identity of the shipped drug, whether as a blister/strip/bottle (primary level), the carton in which it is contained (secondary level), or the shipper in which these items are sent abroad (tertiary level). The DGFT ruling requires serialization at all three levels so that a platform is established for creating a global T&T program. The Indian government has not yet specified the exact details by which the chain of custody record is to be maintained or communicated, other than the statement in the last DGFT ruling that “Government will set up a Central portal for tracing and tracking exported pharmaceutical products”. It is widely expected that details will be forthcoming, but it is unquestionably clear that serialization is not the end stage of this exercise, but the first stage of creating a global traceability program.
With this in mind, it is absolutely essential that the vendor that is providing the serialization platform also have the means to provide a complete T&T system. Otherwise, the investment being made now will be inadequate because the pharma company will then have to find another vendor who can provide the T&T services, which will likely not be compatible with someone else’s security codes. There are many vendors currently in the Indian marketplace that only have the ability to serialize, and do not have the expertise, experience, or track record for taking this project to the next phase involving T&T. The short-term gain of immediately adopting a low-cost “serialization only” solution will be very painful in the coming year for those companies that have not thought ahead with the larger picture in mind.
There are several vendors currently in India that can undertake both the serialization and T&T operations, and have tested their systems thoroughly. Although the concept behind T&T is simple, the task of handling large volumes of tracking data at multiple levels and many locations and in real time is no walk in the park. Avoid being the target of a vendor’s experiment with Version 1 of their T&T system!
The next three questions probe further important considerations to be addressed in preparing for an eventual T&T program, and which should be clearly addressed at the outset when choosing the vendor.
6. Does the vendor have its own software for creating hierarchical trees (parent-child relationships) at the plant level?
Yes No
Issues to consider:
Consider the following situation — a cargo shipment of medicines is lost or stolen, something that is occurring with worrying frequency nowadays, according to reports in the public domain. In such cases, it is important to not just know the unique serial number on the shipper but the actual serial numbers of its contents. Since pharma products have to be serialized at all levels, this shouldn’t be a problem, except for one fact — we need to know exactly what products were packed into what shipper. In other words, we don’t want to just know the names of the products, but their actual digital identities.
Only in this way can the pharma company notify the regulatory body of the products that have been stolen with exactness. The vendor therefore should have the capability to provide two important services — creating an organizational packaging tree and the ability to invalidate all of the stolen codes in the event of a mishap. The first issue is taken up next; the second is taken up under Question #7.
A fundamental requirement in creating a digital packaging hierarchy is to know exactly what secondary cartons have been placed into an outer carton, exactly what outer cartons into a shipper, and exactly what shippers onto a palet (if applicable). And “exactly” means just that — what are the individual identities of those products as specified by their unique serial number. The process of creating such an organizational tree (which is also referred to as a parent-child relationship) must obviously be done at the plant, and it is not an easy task.
Fortunately, there are several vendors that have a well-developed software and protocol for undertaking this fundamental requirement. Unfortunately, it is also true that there are many serialization vendors that do not have this ability. It is therefore important to distinguish between these two classes of vendors right at the outset. Since parent-child relationships are the very foundation of a traceability operation, a vendor that cannot put this in place will not prepare the client for any future T&T operation.
7. Is there a programme in place for package authentication from any global location that produces a chain of custody record (e Pedigree)?
Yes No
Issues to consider:
The next crucial element in T&T is to track the shipment from node to node. Thus, a programme must be in place for capturing the location, date and time of arrival/departure, and the identity of the shipment through the unique serial code. Simply put, the vendor must have the software, protocol and experience to undertake this task. If not, the pharma company will have to have its products serialized by one vendor, and T&T operations by another. There are several vendors that seamlessly integrate these two operations and therefore those solution providers should be closely evaluated at the outset.
The capability to capture and upload tracking data is also not an easy task and here too, the vendor should offer flexible options. Although the internet serves as an excellent portal for communicating tracking data, there are many places (especially in remote locations) where other means such as cellular networks (SMS/GPRS/3G) must be relied upon. The vendor therefore should have a well-developed mobile program, including either local or global service providers, for uploading data from any worldwide location where Indian exports are destined.
The tracking data that is fed into the vendor’s system is then used to create the chain of custody record or e Pedigree for the shipment. For non-regulated markets, the likely end point of this chain will be the consignee of the shipment in that country. For regulated markets, the process may come down to the actual saleable item level. This is a much more complex undertaking because supply chain participants within that country must then feed the tracking data into the vendor’s portal. The objective of this exercise is to be able to take any saleable pack at any dispensary in a regulated market and use the unique serial number on that product to reveal its e Pedigree.
Whether the Indian exporter is shipping to a regulated or a non-regulated market, it will be necessary to create a chain of custody record up to some level and make this information available to a regulator on demand (such as the DGFT in India or a local authority abroad). And finally, getting back to story of the stolen shipment. It should now be clear why a T&T program would help to contain the fallout from shipment loss, theft, or diversion. It is only when the tracking data is uploaded in real time that the pharma company or Government agency can monitor such mishaps and take corrective action, including placing a flag on those shipments that go astray.
The ability to authenticate, track, and record pharma shipments globally via internet or cellular networks is therefore a core requirement that the vendor must be able to meet.
8. Does the technology provider have a global surveillance and support system in place?
Yes No
Issues to consider:
It is important to assume at the outset that at some point, something will go wrong. This could be a technology issue, a regulatory compliance issue, a tracking mishap, or any one of myriad unpredictable events. It is at times like these that the professional character of a vendor comes through. Pharmaceutical companies work in a very sensitive and highly regulated environment, and therefore cannot undertake the experiment to see how reactive the vendor will be under such sudden circumstances. However, one indicator of future performance can be gauged by how much the vendor has thought through these issues in advance, and to what extent it has created support and surveillance systems. The latter is important because it can help to mitigate problems from arising in the first place. An experienced vendor will have had to deal with such issues in the past, especially if they are a global player, and therefore be well prepared to help Indian pharma companies meet future challenges.
An especially salient indicator of a vendor’s commitment to this requirement is the support structure it has put in place. For example, are technical specialists available or on call to help with emergency situations? Is the support network easily accessible to the client? If the vendor is an MNC, does it have a support program (such as a call centre) set up in India? Does it have its own employees or is it working through an agent? The latter situation can be problematic because commercial tie-ups are often not enduring and therefore future support is not guaranteed unless the vendor has direct presence in India.
Hardware implementation at plant
9. Does the solution provider offer a total hardware implementation package?
Yes No
Issues to consider:
The DGFT and MOHFW requirements have created significant challenges for compliance due to the immediate requirement to find both a credible security solution (barcoding, serialization, global Track & Trace) as well as hardware implementation (printer, camera, rejecter, conveyor). It would therefore be important to find a hardware integrator that has tied up with a reputable and well-established global security company to provide a total solution.
It must be kept in mind that the two components — hardware and software — are separate, complex, and demanding each in its own right. Hardware integrators that provide the software solution themselves (or have developed it themselves) should have the experience, expertise, and track-record for this important requirement. Similarly, software providers that make their own hardware may not have the experience and expertise in designing and integrating hardware components.
The ideal solution therefore is to find a reputable hardware integrator working in conjunction with a reputable security company to provide a combined “total solution”. In such cases, it is important to understand the nature of their partnership and whether they are dedicated to working together for the long-term, or whether it is a marriage of convenience such that each party will work with anyone else who comes along. A successful software-hardware installation will require very close cooperation between the two parties and therefore it is important to verify that they are committed to their relationship.
With regard to the hardware integrator, the advice is simple and the same as for the software provider — it is critically important to ensure that all the components are made to a standard that will ensure the needed requirements and have excellent durability. Cutting corners at this important juncture can have devastating consequences since line stoppage will halt production, and with it timely completion of orders and meeting deadlines. There are many hardware integrators in India, and a few have built the reputation for excellence in both technology and service. Therefore, the integrator you choose must have the needed expertise and capacity to deliver on the specifications required and that the entire system will pass audit review. Ask the hard questions and perform the due diligence — it will be worth the effort to ensure continued and long lasting manufacturing success.
10. Does the printer and camera meet quality standards for exports?
Yes No
Issues to consider for printers:
There are two general printer technologies that need to be considered. The first is the so-called continuous ink jet (CIJ) printers. These are dot-matrix printers and therefore offer low-resolution print quality. There are several vendors in India with an established track record of sales and service. The important point to note is that such printers should only be considered for primary level coding (blister or strip) and not for cartons. The print quality (resolution) is often too low to pass QA for export products, especially at high line speeds. Print resolution on secondary packs must be 300 dpi or more, which cannot be achieved by CIJ printers.
The second category of on-line printer technology is known as thermal ink jet (TIJ) printers. These are robust systems based on the HP technology and have been adapted to industrial printing demands. TIJ printers generally provide a minimum of 300 dpi resolution. Therefore all secondary pack printing should be undertaken with TIJ printers to ensure proper quality to meet export standards.
Issues to consider for cameras:
Most pharma companies require an on-line camera system to check the quality of the 2D barcode as well as the human-readable text (GTIN, Batch #, Expiry, Unique Serial Number, and any other information).
In fact, this is a core requirement in GMP and therefore the QA department in most pharma companies will insist on an on-line check of the print to verify that it is correct.
There are two important issues to consider with regard to camera systems. The first is image resolution. The camera must have a minimum 2-megapixel resolution, and in some cases, a 5-megapixel camera may be required. The reason is that for most secondary packs, the space available is usually quite limited and therefore the 2D barcode may have to be in the range of 6x6 to 10x10 mm, in addition to the associated text (as per GS1 guidelines). A low-resolution camera simply will not be able to read such data accurately, especially at moderate to high line speeds. Consequently, many packs will get rejected which in turn will cause loss of material and production delays. If a low-resolution camera (less than 2-mega pixell) must be used, then much larger barcodes and text will be required, which in many cases will require the pharma company to revise the artwork on the pack. Although most regulatory bodies such as the US FDA, UK MHRA, and others will permit inclusion of barcode and unique serial number as an add-on without additional approval requirements, the same agencies (and many overseas clients) will insist on review and approval of any changes to the actual artwork on a package, which then becomes cumbersome, expensive, and imposes further delays in project start-up.
The second important point is to use cameras that do not rely on a separate PC for image processing. “Smart Cameras” are available in which all of the verification (2D barcode grading, OCR, OCV) is actually done by the hardware within the camera itself. This property ensures that the entire verification process is very fast so that even the highest line speeds can be accommodated. A PC-based camera system, on the other hand, adds an additional component (the PC) on the line and in fact slows down the verification process. PC-based camera systems also provide a lot of additional image processing tools that are not required, thereby adding unnecessarily to the cost. The purpose of the camera system at this stage in the secondary pack line is to ensure print quality and content of the barcode and text — nothing else.
Score card
If the above questionnaire is used as part of a due diligence program to choose a serialization and Track & Trace vendor, then the question now comes down to how the report card should be evaluated. The following guide is proposed.
Score: 9-10 “YES” responses
It is clear that the company provides a total solution that meets the standards for both high-volume serialization and Track & Trace at a global level.
Score: 6-8 “YES” responses
The vendor will likely not be in a position to provide the full palette of services that will be needed both now and in the future. Some vendors may offer low-cost “serialization-only” solutions which will be short-lived and therefore a risky investment because the Track & Trace needs will not be met. However, for some companies that export only niche products to unregulated markets, such vendors may be suitable for the time being.
Score: < 6 “YES” responses
Such companies are clearly not prepared to meet the challenges imposed by the regulatory landscape that is emerging in overseas markets, nor are they likely to be in a position to provide the scope of services that will ensure long-term success.
Conclusion
In this guide, I have maintained focus on the technology and services issues that are going to be so critical to programme success. It should be clear that I have not addressed the matter of cost. To be clear, this whole serialization and Track & Trace thing is not going to be an easy ride for Indian industry. Although there are low-cost serialization solutions in the marketplace, they are not going to provide the needed benefit in the long run and therefore represent a short-sighted investment.
The critical parameter to evaluate is not cost but value. And value in turn is defined as the combination of cost and benefit. It is the latter parameter that sometimes gets neglected, and that is what I wished to focus on in this guide. If a subset of vendors falls in the top tier based on my questionnaire, then naturally cost should become a parameter that comes into play in the decision-making process. Otherwise, a pricing comparison offered by a top-tier company versus a bottom-tier one will create a false and illusory comparison, which can lead to a dangerous outcome for the pharma company. Ultimately, it is the value-proposition that should be the driver in choosing the right vendor.
The author is an advisor to several top firms and serves on the boards of companies in India. He is the former Managing Director
of Wyeth Ltd and the Past President of the Organization of Pharmaceutical Producers of India (OPPI).