August 2014 “Tranquility Base here. The Delegated Act has landed” Former AstraZeneca serialisation expert and member of the EFPIA-­‐led European Stakeholder Model (ESM) technical experts working group, Christoph Krähenbühl, examines the latest update on the ‘Safety Features’ Delegated Act, currently being examined by Member States’ expert teams and gives his personal view on how some of the proposed provisions could have a significant impact on all stakeholders, in particular pharmaceutical manufacturers supplying products to the European Market. The Eagle is landing “Tranquility Base here -­‐ the Delegated Act has landed” will be the message resounding across the European Pharma industry and beyond when the long-­‐expected ‘Safety Features’ Delegated Act is finally published later this autumn. It remains to be seen, however, whether the prevailing mood in the industry will be one of tranquillity – or rather the opposite: The realisation even amongst the most recalcitrant manufacturers that they need to embark on their journey towards readiness, a journey not across the Sea of Tranquillity but possibly into a perfect storm of challenging requirements, short timescales, and system vendors whose order books are rapidly filling up already. The publication of the DA will put paid to the argument that it is not possible to take preparatory action because there is still too much uncertainty about the EU-­‐FMD requirements. Not that the ‘wait and see’ attitude stands up to scrutiny even today because the provisions of the DA will not appear out of the blue; on the contrary, they will have been arrived at through extensive consultation and years of engagement with all stakeholders. The trajectory of the DA – like that of an Lunar Lander – has been clear for all to see and, in fact, been set right at the start of the EU-­‐FMD process; what we are now observing are simply the final course corrections that will ensure that the DA and its provisions land in the right place and do not hit a rock-­‐strewn crater. Where the Act should land is, of course, circumscribed clearly in the Directive that became EU law in 2011. The legislation sets out: the primacy of patient safety objectives, EU-­‐wide verification systems architecture and a process based on a machine-­‐readable Unique Identifier used in combination with anti-­‐tampering devices. The European Commission has been clear about the ambition to achieve a solution that is cost-­‐effective and acceptable to all stakeholders and has to that effect been holding regular consultations over the course of the last three years, which would have enabled all interested stakeholders to form a good understanding of the likely provisions of the Delegated Act. It is against this context that this latest update on the Delegated Act should be assessed whose details are beginning to leak out into the public domain. This latest draft text, currently circulated amongst Member States’ experts and not officially available to stakeholders or the public, presents the best view of what is to be expected once the Delegated Act is published later this year (bearing in mind, of course, that this is still a draft and subject to further changes and refinements). It largely confirms the key elements of the EU-­‐FMD provisions that have been consulted on before and should provide few major surprises. However, drilling into the details reveals a few points that have the potential to affect stakeholders significantly and also challenge some of the assumptions that underlie, for example, the European Stakeholder Model which is currently being rolled out to early adopters. August 2014 In line with previous consultations, the document covers the following areas: The (1) technical specifications of the unique identifier (UI), (2) how manufacturers are to apply the Safety Features, consisting of UI and anti-­‐tampering features and (3) how wholesalers and ‘pharmacies and persons authorised or entitled to supply medicinal products to the public’ (subsequently referred to in brief as ‘pharmacies’) would be expected to verify the safety features. The document then (4) sets out how the “repository system” mentioned in the Directive should be established and managed and (5) includes – what will be the most eye-­‐catching area -­‐ proposals that sketch out two-­‐year transitional arrangements. Each of these areas will be examined in more detail below in turn, focusing on points that have the potential to affect stakeholders significantly and also areas that seem to challenge some of the assumptions that underlie, for example, the European Stakeholder Model. Unique Identifier The proposed technical Specifications of the Unique Identifier offer no surprises, confirming the use of a machine-­‐readable 4-­‐ (or 5-­‐) element code expressed as an ISO-­‐standard 2D DataMatrix barcode. Similarly the confirmation of the data elements that are by now familiar from other coding requirements and also the coding schema used in EFPIA’s Sweden Pharmacy pilot in 2009/2010: The DataMatrix will contain 1) the product identification code (usually the GTIN/NTIN), 2) expiry date, 3) batch / lot number and 4) the unique and randomised serial number. What is not exactly novel is the recognition that there may be a need to include a national product code, for example for reimbursement purposes (where that code is not part of the product code such as the NTIN); this would then be included as a 5th element in the barcode. This approach has been discussed extensively and is also sanctioned in the GS1 General Specifications, but it must be pointed out that there is little practical experience with 5-­‐element codes in pharma where a 4-­‐element DataMatrix is the current maximum requirement. So far so good, though two further provisions relating to the UI are worth highlighting: The draft DA extends the established requirement to provide the UI information in human-­‐readable format to the Serial Number element. Without wanting to into the details of the arguments for and against the inclusion of a 20-­‐digit serial number in human readable format – a discussion that could easily fill several pages – it is worth pointing out the impact this will have on one set of early adopters, pharma companies currently participating in SecurPharm in Germany: The German SecurPharm requirement is explicit in specifying that the Serial Number should NOT be printed in Human Readable Form (“Serial number: Serial numbers are not to be printed as clear text…”, IFA Coding System, PPN-­‐Code Specification for Retail Packaging, Version: 2.01 Date of issue: 2013-­‐06-­‐
26). This discrepancy will need to be addressed, most likely by adapting the specification for Germany which, in turn, would necessitate all manufacturers currently participating in SecurPharm to adapt how they print and code their packs today. For many manufacturers, who have opted for an adaptable, flexible coding solution, this may turn out to be simply a minor adjustment but to others this may present a bigger challenge as additional lines of variable data will need to be printed and verified. Regardless of whether a manufacturer’s established pack coding capability can handle this, manufacturers will need to establish whether there is actually enough space on the pack artwork to accommodate this additional information. This could be a particular problem in Germany where some manufacturers may opt for the 5th-­‐element approach to handling the product code and could therefore run out of available artwork real estate. August 2014 The second UI-­‐related provision that is bound to raise eyebrows across the industry is the stipulation that the UI barcode will take the place of all other visible barcodes on the packs: What this means is that the vast majority of pharmaceutical packs supplied to the European Market will need to undergo an artwork change. After all, today’s packs typically carry the product code in the form of a linear bar code as part of the pre-­‐printed pack artwork. On the face of it, this provision seems sensible and may indeed have been informed by one of the learning points from EFPIA’s Sweden PODA Pilot where the presence of several barcodes was identified as one of the main sources of errors. However, the industry has so far taken the view that applying the 2D DM to a side of the carton where no other barcode was present (often the folding flap where variable data are currently placed) would be the way forward, thereby eliminating the need to change the artwork in many cases. If the requirement to remove existing barcodes is upheld, however, the pharma industry will need to embark on an artwork change programme affecting the vast majority of pharmaceutical packs supplied to the European Market in the next three years – the compliance burden on manufacturers that was already big has now become significantly bigger! Applying the Safety Features The draft DA document also offers clarification regarding the roles and responsibilities when applying the Safety Features but at the same time lifts the lid on a potential can of worms. The proposal makes it clear that it is the manufacturing authorisation holder (“manufacturer”) who is responsible for applying the safety features and who “shall ensure the uploading” the UIs to the repository system. The latter stipulation sits at odds with the approach taken by the ESM who aimed to channel the responsibility to upload the Unique Identifiers to the Brand Owners / Marketing Authorisation Holders, motivated by real concerns about controlling and managing the entities that would be authorised to upload pack serial numbers to the European Hub: There are justified concerns not just about the number of entities to be managed but also about how to control the link between ‘owner’ of the product code and the entity that is authorised the numbers to be uploaded. After all, one of key considerations for the repository systems – maximum security – relies on ensuring that only authorised participants can upload genuine numbers. One way of controlling this is by validating the relationship between the product codes (national registration codes or GTINs) and the brand owners who have registered these codes; note that the brand owner may or may actually not be the manufacturing authorisation holders as in the CMO case. Effectively managing and controlling the many-­‐to-­‐many relationships between brand owners and CMOs in practice may prove to be a considerable challenge for the organisation that oversees the day-­‐to-­‐day operation of the Europe-­‐wide repository infrastructure such as the ESM (European Stakeholder Model). How this pans out is not clear at the moment, though what is clear that there will need to be intense discussions about how this responsibility will be managed jointly between brand owners/Marketing Authorisation Holders and any contract manufacturers (CMOs) they employ. These discussions will also need to cover such niceties as who actually pays for the cost of the repository system. According to the Directive -­‐ Article 54 (a), paragraph 3 (e) – this cost “shall be borne by the manufacturing authorisation holders of medicinal products bearing the safety features”. One can’t but help wonder how the Contract Manufacturers feel about this… August 2014 Turning back to the question of what the stipulations of the proposed draft mean for the ESM concept, one comes across another provision that may turn out to be a bit of a headache. This is the proposition that parallel importers can continue to use the original UI if the pack remains unchanged and the tamper evident device is not affected. Similar to the point raised just before, there may be a conflict about which organisation is the ‘owner’ of the product code / UI – in this scenario the parallel distributor – and the ‘uploader’ of the UI who would be the original manufacturer. In fairness, this may be more of a theoretical problem in practice as parallel-­‐traded packs will normally be coded with a new national product code in the receiving market (which would therefore trigger a replacement of the UI), but in the case of multi-­‐country packs or markets where the original non-­‐country specific product code (typically GTIN/EAN) suffices, the problem may turn out to be a headache for the ESM concept, its underlying data model and ‘code ownership’ approach to data validation. Data Retention The proposed data retention requirements for the UI on the other hand are hardly controversial, including the requirement to make the information available to the authorities when requested. The timeframe is set, as widely expected, for the duration of expiry date plus one year. Note that this requirement applies to all three main stakeholder groups, not just manufacturers (including repackagers / parallel importers) but also wholesalers and ‘pharmacies’ who will therefore have a vested interest in having a stake in participating in a repository-­‐based verification system that will allow them to discharge this obligation. In the case of manufacturers, the data retention requirement also includes retaining a record of the anti-­‐tampering device used; depending on the level of detail required, this could possibly present a bit of a challenge for those companies who employ a variety of means of achieving tamper evidence. Checking the code A fairly uncontroversial area of the draft document describes the modalities of verification of the safety features in the case of wholesalers and ‘pharmacies’. Member States are charged with defining the appropriate measures and how this will have to be done, though the draft DA is careful to set out in a fair amount of detail what is expected to be adhered to across the common market, thereby setting clear limits to potential national variations. As in other areas, the provisions set out here are as expected and in line with what has been described before: mandatory point-­‐of-­‐dispense check in ‘pharmacies’ as opposed to a risk-­‐based check undertaken by wholesalers (estimated to be necessary in about 3% of cases as has been set out in previous communications). The expected treatment for a number of special cases are set out, such as part-­‐dispense, how to deal with medicines made in the pharmacy (no need for verification) and the possibility to carry out the verification at an earlier point in time than the medication is dispensed, but subject to strict conditions. The document also clearly sets out an obligation on wholesalers to check out (i.e. mark as decommissioned) those UIs that are exported from the EU. This provision addresses one of the concerns about potential loopholes, the ‘zombie numbers’ (i.e. UIs in the repository that are not matched to a pack in the market), though how this will be achieved in practical terms remains to be seen, given that the European approach operates exclusively at pack-­‐level, with no plans to managed aggregated packaging hierarchies and the parent-­‐child relationships that would (and will, in traceability systems being rolled out in other parts of the world) facilitate dealing with such August 2014 business cases. It certainly raises a significant challenge for wholesalers and distributors engaged in such export activities and may well, in practice, lead to a curtailment of current practices where – for example – French packs are exported to French-­‐speaking markets in North Africa, requiring instead the establishment of additional pack variants. Repositories The section in the document that describes the establishment and management of the repositories system confirms the unequivocal support of the stakeholder model that had been communicated previously – good news for the EFPIA-­‐led European Stakeholder Model coalition. As expected, ‘competent authorities’ in the Member States are expected to ‘supervise and contribute to the management operations of those repositories that are used to verify the authenticity … of medicinal products’: This could be interpreted to mean -­‐ in terms of the European Stakeholder Model – that the role of Member States would be primarily in contributing to the management of the ‘National Systems’, leaving the Europe-­‐wide European Hub to be managed solely by the stakeholders, without Member States representation. It remains to be seen, of course, whether this is indeed the interpretation that everyone agrees on… The draft DA then sets out performance criteria – response time of max 300 ms for at least 95% of queries and system availability; system performance to allow wholesalers and ‘pharmacies’ to work without ‘significant delay’ – which present largely as expected and are well within the limits specified by the European Stakeholder Model (ESM). Similarly the expectations regarding data ownership and the protection of personal and commercially confidential data present no surprise nor the list of operations that the system needs to support: multiple verification of the same UI possible but only one dispense / check out operation; ability to mark UIs as withdrawn / recalled / destroyed; ‘un-­‐dispense’ transaction only possible subject to strict conditions etc. One provision stipulates that the system should allow the verification of a barcode post dispense without triggering an alert; it could be argued that this leaves the door open for future verification by patients even though this is currently not intended to be possible or supported by the system, as has been made clear in previous stakeholder updates. Interestingly, the system should also support the verification / check out of a pack/UI in a different market to the intended market. One can understand the intention behind this requirement but this use case also raises a number of concerns and introduces additional levels of complexity that a solution has to deal with. For these – good – reasons this use case has been excluded from the functionality of the original ESM concept; if this provision of the DA stands, then this could have quite an impact on the technical solution that has been implemented today. Transitional Arrangements The most eye-­‐catching part of the draft under discussion will be the proposal for a two-­‐year transitional arrangement as the draft DA seems to offer a 2-­‐year period of grace beyond the original deadline, when medicinal products that do not carry the FMD safety features can continue to be sold. This appears to be a remarkable change to the intentions stated by the EC as late as the end of April 2014 and observers imagine they can already hear the sigh of relief across the pharmaceutical industry at the prospect of having two more years until the compliance capabilities have to be put in place. A closer look reveals that this interpretation is misguided, if not irresponsible. August 2014 For a start, a closer look at the draft document makes it clear that the proposed two years’ transition applies only to products put in the market or manufactured before the compliance deadline in early 2018. Any pharmaceutical pack produced after the provisions of the Delegated Act come into force have to be in full compliance with the requirements. The means that to manufacture after the deadline, pharma manufacturers will need to have their coding capability and data repository ready because no pack can be produced after the applicable deadline without applying Tamper-­‐Evidence features, printing the Unique Identifier and capturing / managing the UI data. The clear aim of this transition period is, after all, not to ease the path to compliance for manufacturers; it is designed primarily to deal with issues during the cutover to the Point-­‐of-­‐
Dispense Verification process because of residual, maybe slow moving stock in the supply chain. Looking to this transition period as a means of easing the obligation on manufacturers to get their serialisation house in order is therefore completely misguided. Whilst manufactures might be able to execute some kind of a stock build before cut over, it is only really sensible to think of this as a tactical step to provide some risk mitigation in case there are unexpected technical issues or unanticipated delays to the serialisation project. Not that this ever happens, of course…? What is made clear by the draft DA, is that after the end of the two-­‐year transitional period all packs have to comply with the safety features requirements or withdrawn from the market. In practice, therefore, manufacturers are well advised to aim for early compliance and not assume that a proposed two-­‐year transition period means that the EU-­‐FMD ‘Safety Features’ provisions have been delayed by to years. Conclusion In summary, the document currently under discussion in the Member States is a consistent build on the work that has gone before to define provisions for the Safety Features Delegated Act that will ensure that the patient safety objectives of the EU-­‐Falsified Medicines Directive are achieved in a practical and cost-­‐effective way. The further clarification that this document offers should not come as a surprise to anyone, though there are some details that will, no doubt, lead to lively discussions. Whatever the outcome of these discussions, however, they will amount to minor revisions around the edges but all affected stakeholders – and manufacturers in particular -­‐ need to take note that the requirement to achieve a state of readiness has not gone away but if anything has become more urgent and that a successful implementation of their readiness programme will be of crucial importance regarding their future participation in the European Market beyond the 2018 EU-­‐FMD ‘Safety Features’ compliance date. Christoph Krähenbühl is a respected serialisation expert and thought leader in coding and serialisation for the pharmaceutical industry. Along with partner Ian Haynes, he runs 3C Integrity, a specialist consulting firm which also offers a unique two-­‐day training programme to fully prepare pharma companies of all sizes for the implementation of their serialisation/traceability readiness programme. The next training will take place at the Vitra Campus in Basel, Switzerland, on 23rd and 24th September 2014. For more information visit http://www.3cintegrity.com/serialisation-­‐training/