The regulatory landscape for Indian pharmaceutical companies has undergone a titanic shift over the past two years after the public notice from the Directorate General of Foreign Trade (DGFT) was issued. The new DGFT mandate imposes stringent requirements for combating the counterfeit menace that has plagued the Indian pharmaceutical industry. The DGFT mandate was the result of the presence of counterfeit drugs in foreign markets that were allegedly made by reputable Indian companies. The hard-earned image of the Indian pharmaceutical industry as an excellent source of high-quality medicines thus came under direct attack, for which the Indian government took  immediate measures to protect the national image.

The DGFT ruling is now well known to industry and hence will not be described here. But one thing is clear — the mandate to Indian pharma is to undertake an immediate and robust program of product serialization that must in turn serve to create a Track & Trace program. These twin requirements are inseparable because serialization alone is not an effective tool,and Track & Trace cannot be undertaken without product serialization. Consequently, I advocate at the outset that Indian pharma companies must seek solution providers who are able to undertake high-volume serialization and data management, and that the same vendor must of necessity also provide a full Track & Trace solution.

The challenge faced by industry then is how to go about choosing that right vendor. There has been a wave of new companies that have come forth with low-cost solutions, but which falsely advertise Track & Trace capability. In fact, many of these vendors merely generate a random number, place it in a barcode, and yet offer no Track & Trace solutions or services that are a core requirement of the DGFT and many other emerging global mandates. The result has been to create considerable confusion in the marketplace on how to go about obtaining an enduring solution to the regulatory demands of serialization, barcoding, product authentication, Track & Trace, and ePedigree.

With this in mind, I have created this guide based on my own experience in industry, combined with the considerable information I have gathered from talking to experts, regulators, and fellow colleagues. Rather than simply write an “article”, I have opted to create a questionnaire that is focused on some critical issues that must be met, and in doing so the parameters that need to be considered when selecting a vendor.

This guide represents an updated and revised version of the one published in several journals in 2011. It is divided into three sections that cover important issues that need to be assessed — A) Serialization, B) Track & Trace, and C) Program implementation. I will provide some thoughts on how the answers should be interpreted by way of a Score Card. Finally, I conclude with a table that compares the major solution providers on each of my questions, based on information available in the public domain.

A) Unique number serialization Are the security codes guaranteed to be unique for eternity?

o        o        Yes         No

Here is a potential scenario. The security code on one of your products just happens to be the same as that on another product of yours, or perhaps even that belonging to another company. Your product no longer has a unique identity now, and therefore fails the core regulatory requirement of “uniqueness”. And once that happens, all bets are off on the robustness of the serialization system being used by your company, which in turn will lead to an audit failure. This is a very real scenario, given the millions of products being produced by most Indian pharma companies each year, and the billions of products manufactured throughout the entirety of India. Code uniqueness is a core requirement of the DGFT and all other mandates.

Some vendors use a centralized serialization system that ensures codes are never replicated. Other vendors provide security code generation directly at the plant level by way of a local server. This can be problematic because the same system deployed at another plant may also generate an identical code by random chance. In such systems, the only way to guarantee uniqueness is if there is crosschecking between all of the installations at other locations. This is a difficult task, and therefore solution providers with centralized systems provide the best assurance of code uniqueness. The bottom line is this — the vendor must be in a position to provide a guarantee that the same codes will not be generated anywhere again for eternity.

2. Does the solution provider use a closed system for delivering the security codes?

o     o        Yes     No

Security codes can be delivered to the client in many ways. The most common is to send a file (csv, spreadsheet, text etc). This is a risky proposition for two reasons. First, there is no guarantee that the same file may not be mistakenly duplicated and sent elsewhere, thereby destroying the core requirement of uniqueness. The second concern is that a file containing visible codes in text form can be theoretically copied, emailed, printed, or exported by a variety of means. Regulators do not like such "open" systems for this very reason.

The best solution to this problem is to ensure that the security codes remain invisible until they are actually printed on a product. In this regime, the codes are stored in an encrypted manner so that there is nothing to duplicate, copy, export, or steal. A few vendors offer such a “closed” system, which should be the preferred choice of brand owners because ultimately the objective is to combat counterfeit drugs. The solution will only prevail if the technology itself is immune to corruption, and therefore the current state-of-the-art should be adopted.

Does the vendor provide a domestic anti-counterfeiting program with consumer empowerment through point-of-sale verification?

o        o        Yes         No
Flexibility is important. Although the major objective right now for many Indian pharma companies is to comply with the DGFT export regulations, there exists a very real possibility that the Ministry of Health in India as well as regulators in other countries will demand a domestic program for consumer authentication to reduce the menace of counterfeit drugs in the marketplace.

Therefore, it is wise to ensure that any investment being made now in a security system has the flexibility to adapt to such a requirement when it is imposed. The solution provider should already have in place a system for consumer authentication via mobile means (SMS, GPRS/3G/4G) using the very same security code technology. Beware of vendors who promise to develop such a system at a later date. The vendor should also have a well-established surveillance program to track incidents and report them to the brand owner.

Does the solution provider use a non-database system for security code storage and management?

o        o        Yes         No

Many vendors create security codes using a random number generator and then store those codes in a database. There are two major concerns with this process. The first is security. Databases are vulnerable to attack from external (or even internal) sources. There have been several examples of entire databases either destroyed or data stolen. The important consideration here again is security, given that the entire purpose of this exercise is to secure the brand owner’s products in a global marketplace. The very real concerns with database security impose risks that must be dealt with.

Some vendors have developed security solutions by which the codes are not stored in a database, but instead maintained in an encrypted form at the code level that entirely bypasses the need for database storage. This technology is known as Digital Mass Encryption or DME. A 2008 CII technology report and more recently a 2011 White Paper from the prestigious Frost & Sullivan firm proclaimed DME to be the best security technology for data storage.

The second reason for avoiding database storage is that beyond a certain code volume, databases become notoriously slow in terms of response time. There are many reports of database crashes when certain volumes are exceeded. The best example of the database-volume crunch is the now well-known Turkey fiasco. The nation of Turkey started a national pharma serialization program, which crashed on the very first day due to volume overload. Turkey has had to take great pains to resurrect their serialization program since then.

The bottom line is this — ask the vendor if they are using encryption technology (such as DME) or a database. It is best to avoid the latter, for the sake of security and performance.

B) Track & Trace (ePedigree)
Does the vendor have its own Track & Trace system?

o        o        Yes         No

It is believed by some people that the mere act of serializing pharma products should be sufficient to beat the counterfeiters. This is incorrect. Anyone, including the counterfeiter, can put a number on a product. Serialization serves as the core foundation for two larger objectives — product authentication and Track & Trace. In fact, the DGFT ruling makes clear that the objective of this exercise is to develop a Track & Trace system, which is widely accepted among experts to be the most effective anti-counterfeiting solution.

So, what is Track & Trace (or T&T)? The concept is elegantly simple — T&T is the means by which a company or government agency can keep track of who has handled a pharma shipment, when, and for how long. The chain of custody of a shipment must be made available in digital form and is known as the electronic pedigree (ePedigree). In order to have an ePedigree, a complete T&T system must be set up, which necessarily means a global-level record. The unique serial numbers serve as the digital identity of the shipped drug, whether as a blister/strip/bottle (primary level), the carton in which it is contained (secondary level), or the shipper in which these items are sent abroad (tertiary level).

The DGFT ruling requires serialization at all three levels so that a platform is established for creating a global T&T program. It is absolutely essential that the vendor providing the serialization platform also have the means to provide a complete T&T system. Otherwise, the investment being made now will be inadequate because the pharma company will then have to find another vendor who can provide the T&T services, which will likely not be compatible with someone else’s security codes. There are many vendors currently in the Indian marketplace that only have the ability to serialize, and do not have the expertise, experience, or track record for taking this project to the next level involving T&T. The short-term gain of adopting a low-cost “serialization only” solution now will be very painful in the coming year for those companies that have not thought ahead with the larger requirements in mind.

There are several vendors in India that can undertake both the serialization and T&T operations. Although the concept behind T&T is simple, the task of handling large volumes of tracking data at multiple levels and many locations and in real time is no walk in the park. Avoid being the target of a vendor’s experiment with Version 1 of their T&T system!

Does the vendor have its own software for creating hierarchical trees (parent-child relationships) at the plant level?

o        o        Yes         No

Consider the following situation — a cargo shipment of medicines is lost or stolen, something that is occurring with worrying frequency nowadays, according to reports in the public domain. In such cases, it is important to not just know the unique serial number on the shipper but the actual serial numbers of its contents. Since pharma products have to be serialized at all levels, this shouldn’t be a problem, except for one fact — we need to know exactly what products were packed into what shipper. In other words, we don’t want to just know the names of the products, but their actual digital identities. Only in this way can the pharma company notify the regulatory body of the products that have been stolen with exactness. The vendor therefore must have the capability to provide two important services — creating an organizational packaging tree and the ability to invalidate all of the stolen codes in the event of a mishap. The first issue is taken up next; the second is taken up under Question #7.

A fundamental requirement in creating a digital packaging hierarchy is to know exactly what secondary cartons have been placed into an outer carton, exactly what outer cartons into a shipper, and exactly what shippers onto a palet (if applicable). And “exactly” means just that — what are the individual identities of those products as specified by their unique serial numbers. The process of creating such an organizational tree (which is also referred to as a parent-child relationship) must obviously be done at the plant, and it is not an easy task.

There are several vendors that have a well-developed software and protocol for undertaking this fundamental requirement. Unfortunately, it is also true that there are many serialization vendors that do not have this ability. It is therefore important to distinguish between these two classes of vendors right at the outset. Since parent-child relationships are the very foundation of a traceability operation, a vendor that cannot put this in place will not prepare the pharma company for any future T&T operation.

Is there a program in place for package authentication from any global location that produces a chain of custody record (ePedigree)?

o        o        Yes         No

The next crucial element in T&T is to track the shipment from node to node. Thus, a program must be in place for capturing the location, date and time of arrival/departure, and the identity of the shipment through the unique serial code. Simply put, the vendor must have the software, protocol, and experience to undertake this task. If not, the pharma company will have to have its products serialized by one vendor, and the T&T operations by another. There are several vendors that seamlessly integrate these two operations and therefore those solution providers should be closely evaluated at the outset.

The capability to capture and upload tracking data is also not an easy task and here too, the vendor should offer flexible options. Although the Internet serves as an excellent portal for communicating tracking data, there are many places (especially in remote locations) where other means such as cellular networks (SMS/GPRS/3G) must be relied upon. The vendor therefore should have a well-developed mobile program, including either local or global service providers, for uploading data from any worldwide location where Indian exports are destined.

The tracking data that is fed into the vendor’s system is then used to create the chain of custody record or ePedigree for the shipment. For non-regulated markets, the likely end point of this chain will be the consignee of the shipment in that country. For regulated markets, the process may come down to the actual saleable item level. Whether the Indian exporter is shipping to a regulated or a non-regulated market, it will be necessary to create a chain of custody record up to some level and make this information available on demand to a government agency — such as the DGFT in India or a local authority abroad.

And finally, getting back to story of the stolen shipment. It should now be clear why a T&T program would help to contain the fallout from shipment loss, theft, or diversion. It is only when the tracking data is uploaded in real time that the pharma company or government agency can monitor such mishaps and take corrective action, including placing a flag on those shipments that have gone astray.

The ability to authenticate, track, and record pharma shipments globally via Internet or cellular networks is therefore a core requirement that the vendor must be able to meet.
                
Does the technology provider have a global surveillance and support system in place?

o     o        Yes      No

It is important to assume at the outset that at some point, something will go wrong. This could be a technology issue, a regulatory compliance issue, a tracking mishap, or any one of many unpredictable events. Pharmaceutical companies work in a very sensitive and highly regulated environment, and therefore cannot undertake the experiment to see how reactive the vendor will be under such sudden circumstances. One indicator of a vendor's ability in this regard is how much it has thought through these issues in advance, and to what extent it has created support and surveillance systems. An experienced vendor will have had to deal with such issues in the past, especially if they are a global player, and therefore be well prepared to help Indian pharma companies meet future challenges.
            
C) Program implementation
Does the solution provider offer a total hardware implementation package?
o        o        Yes         No

The DGFT ruling has created significant challenges for compliance due to the immediate requirement to find both a credible security solution (barcoding, serialization, global Track & Trace) as well as hardware implementation (printer, scanner, etc.). It would therefore be important to find a hardware integrator that has tied up with a reputable and well-established global security company to provide a total solution.

It must be kept in mind that the two components — hardware and software — are separate, complex, and demanding each in its own right.

Hardware integrators that provide the software solution themselves (or have developed it themselves) should have the experience, expertise, and track record for this important requirement. Similarly, software providers that make their own hardware may not have the experience and expertise in designing and integrating hardware components.

The ideal solution therefore is to find a reputable hardware integrator working in tandem with a reputable security company to provide a bundled “total solution”. In such cases, it is important to understand the nature of their partnership and whether they are dedicated to working together for the long-term. A successful software-hardware installation will require very close cooperation between the two parties and therefore it is important to verify that they are committed to their relationship.

And finally, it is important to ensure that small and medium enterprises (SMEs) are served and protected. Some companies have developed specialized programs aimed at this sector. It is important to carefully evaluate these companies and ensure that there are no compromises or short cuts made in terms of the technology offering, program delivery, and future commitment to Track & Trace. I feel very strongly that a vendor that is caring for the SME segment as much as it does for large pharma companies has the best overall intentions and capability for protecting all of Indian pharma under the DGFT mandate. Equally important is the capability of such vendors to ensure that the same set of global T&T services is provided to the SME sector and that those products shall enjoy the same regulatory protection in the future.
    
Does the vendor provide data analytics solutions as value-add services?

o        o        Yes         No

A full Track & Trace system empowers the pharma company in many ways that may not be readily appreciated. For example, there is real-time knowledge of the full movement of all products down to the most basic level. As an example, pharma companies spend enormous sums to obtain key data on secondary sales. A T&T system provides total information in this regard because the exact movement of every item is electronically recorded. Furthermore, there is substantial data on manufacturing efficiency on a line by line basis, production statistics at CM sites, inventory management, stockkeeping data, lag times at distribution points, transit delays, shipment diversions, cold chain status at every point, and so much more.

All of these facets of data aggregation and analysis create an entirely new value-add proposition for pharma companies that deploy a full T&T solution. However, in order to harness the power of this data, the solution provider must either have significant data analytics capabilities through an in-house program or by way of collaboration with a dedicated partner. Either way, the massive amount of data in the vendor's repository provides golden opportunities for the pharma company to obtain significant value-add services that will help the company migrate into the world of 21st century electronic data management and analytics.

It is therefore important to seek solution providers who are capable of offering these services, and more importantly, who have thought through the requirements and have developed a pipeline of solutions.

Score card
If the above questionnaire is used as part of a due diligence program to choose a serialization and Track & Trace vendor, then the question now comes down to how the report card should be evaluated. The following guideline is proposed.

Score:    8 - 10 “YES” responses
It is clear that the company provides a total solution that meets the standards for both high-volume serialization and Track & Trace at a global level.
    
Score:    5 - 7 “YES” responses
The vendor will likely not be in a position to provide the full set of services that will be needed both now and in the future. Some vendors may offer low-cost “serialization-only” solutions which will be short-lived and therefor a risky investment because the Track & Trace needs will not be met.
    
Score:    Less than 5 “YES” responses
Such companies are clearly not prepared to meet the challenges imposed by the regulatory landscape, including those unfolding in India and in overseas markets, nor are they likely to be in a position to provide the full range and scope of services that will ensure long-term success.

Concluding thoughts
I have maintained focus in this guide on the technology and service issues that are going to be critical to program success. It is apparent that I have not addressed the matter of cost. To be clear, the whole serialization and Track & Trace operation is not going to be an easy ride for Indian industry. Although there are low-cost serialization solutions in the marketplace, they are not going to provide the needed benefit in the long run and therefore represent a shortsighted investment. One encouraging point is that a few companies are making a concerted effort to provide robust Track & Trace solutions to the SME sector at reasonable cost. A notable example in this regard is the newly introduced Kezzler IPES Program .

In all cases, the critical parameter to keep in mind is not cost but value. And value in turn is defined as the combination of cost and benefit. It is the second parameter that often gets neglected, and that is what I wished to focus on in this guide. For those vendors that have scored well on my questionnaire, cost should naturally then come into play in deciding who to choose among them. Otherwise, a pricing comparison between a top-tier company versus a bottom-tier one will create a false and illusory comparison. Such a cost-only based approach can lead to dangerous outcomes for the pharma company. Ultimately, it is the value-proposition that should be the driver in choosing the right vendor.

To conclude, it is critically important to distinguish the companies that have the right offering versus those who just make empty claims. Each pharma company should do its own assessment and due diligence of the Track & Trace solution providers. I have, however, provided a table below of my own evaluation of various vendors in India, based on information that is publicly available. I hope that the contents of this guide will help Indian pharma companies make the right choice.