US DSCSA Insights: Post-Stabilization, Exception Management, Waivers, Exceptions, Exemptions, and Expanded NDC

Allan Bowyer: I've known Christoph, I think since I joined TraceLink back in 2017, because you were quite involved in FMD. Now you've gone around the globe. DSCSA is a big focus of yours now. Maybe tell the audience what your background is and what you're going to talk about today.

Christoph Krahenbuhl: Yes. My name is Christoph Krahenbuhl. I'm Swiss, based in the UK. A long, long time ago, I was the serialization lead at AstraZeneca, and that was before there were actually any global regulations, even before Turkey.

AstraZeneca decided to serialize, and then it so happened that with regulations coming along, emerging, AstraZeneca, because we did have a lot of knowledge at the time, practical experience on how to do things, but even more of how not to do things, we ended up playing quite a role in helping to shape the European approach.

I've been involved for many years in the European Medicines Verification System. One of the guilty parties you can blame for how the thing is working or not working. Anyway, moving on swiftly. I'm Swiss, used to be British, then our company became part of Exelixis, an American company. Now I'm Dane because we got acquired by NNIT, a Danish company, a life sciences company.

At the heart of it, Exelixis, we are a leading serialization traceability life science consultancy. We do a lot of work around serialization. It's not the end of the story, but of course, it's grown, it's affected other areas. There's always monitoring things. One of the question earlier or just before was, how to keep on top of all of this.

A little plug in, we have a regulatory radar service you can subscribe to, so you get updates on all serializations out there emerging, and not just what it is, but also what does it mean, how to prepare. One the challenges is, Lars mentioned having the regulatory team, but of course, they tend to wait until the regulation is signed into law, and in many countries, that's far too late to get ready. You need to act on rumors, you need to take an intelligent interpretation.

Allan: Do you have an example of a country that's like that?
[laughter]

Christoph: Where do I start? Russia used to be wonderful because we went on Christmas holiday. Russia, Christmas holiday happens later so President Putin was busy signing off decrees, and he'd wake up, it's Boxing Day, sneaking out and not looking at the email, but...Oh, shit, anyway, never mind. The other thing is also alerts.

Actually, what I'm going to do is, we'll talk about the US, and so we start in Europe, of course.

Allan: In fact, I have a question for you. You said you collaborated quite closely with ENVO. What happened on February 10, 2019 as people started scanning? Was there panic in the house when they saw alerts coming in?

Christoph: No. I went around all the pharmacists in my little local town, there were four pharmacists. I scared the pharmacists because I asked them, so how did you scan this morning? They were like, what? In one of the big chains, somebody said, "Oh, I think we're going to get trained," or, "I've heard about this." Of course, this was the UK. Never mind, that's another story.

European system, just really quick, I don't want to explain it in any detail, if you look at the legislation, the whole reason why the European system was established was to create alerts. That's the whole point of it because it's all about identifying potential counterfeit medicines in the supply chain.

You've got it written into the law that the system needs to be able to create an alert when basically there's a mismatch between the data and the physical pack being presented in the pharmacy as the law also says. You've got the law and then you've got additional interpretations, questions, and answers from the commissions that clarify what is actually meant in reality.

There's something about you need to immediately investigate, there's an urgency to this. That goes back to the manufacturer often. Now what's happened? It all was very quiet in 2019, and then it started ramping up because not all the stakeholders were connected and it took a long time. By today, you've got 1,400 companies, in European terms, OVPs, onboarding partners connected, to the system.

It's about 350,000 products, 350,000 GTINs for which serial data is uploaded in real time constantly. At the end of the dispensing points, you've got about 115,000 pharmacies, about 7,000 hospitals, and other organizations right across the continent linked up. It's about 97 percent of packs or whatever now get scanned. There's still some markets that are lagging behind.

We're going to see a very interesting spike with Italy and Greece next February 19th, but that's it. Again, let's not go there. What you see then is. you see a lot of alerts being generated, and the alert rates, they were scary. It was up to .3 percent. Target was then set. What's acceptable? .05 percent, 1 in 2,000, that's what is deemed to be an acceptable rate.

As you can see, we're getting there, but unfortunately, the trend has been buckling. What you see seem to be stabilizing at a rate of still .08 percent, closer to .1 percent. You're talking about 1 in 1,000 packs is still generating alert, and that is five and a half years after the system got stood up. The processes are really well established by now, but it still is a challenge.

You've got some markets which have been very disciplined, and I'll get to that when we come to the US afterwards, where the alert rates are a lot lower now. Right across the continent, they're still high. If you say you've got an alert rate, so 1 in 1,000 packs is generating an alert.

If you just do a really rough calculation, number of pharmacies, number of scans, there's multiple alerts generated in every pharmacy every week still. In some markets, if you go to Denmark, Sweden, or Finland, they'll be far lower, but in other markets, they will be higher. That is still not quite where we should be five and a half years after go-live, and it's after a lot of work.

What is that? What is causing these alerts? These are just some of these many alert categories and some of the root causes, those are the main ones. You've got end users, so that's pharmacist, hospitals, and then you've got also the OVPs, the manufacturers. What causes these? Then the last column I've just added, which are the main ones these days.

You can see, and it is always a mismatch between the data in the system and the data on the physical pack that's being scanned. Then you can see things, some of the easy ones, very European typical. You've got some scanner software misconfiguration where data gets translated, QWERTY keyboards, English keyboards, and then different keyboard layouts.

There's a mistranslation of letters that are scanned so that you can address that in different ways. If your batch is not uploaded for whatever reason, of course, the pack is scanned in the pharmacy and you think, well, it's not in the system.

There's some obvious ones, but there's a lot of, you can see, especially that second row, the bulk of it is things happening in pharmacies at the end user where a scanning process is not really carried out properly or there's a misconfiguration and so on. It can also be systems, the pharmacy systems that are then scanning, if there's some issue there.

We've seen even in countries that have got a really good history like Denmark, for example, they had a really nice low rate because issues had been ironed out, and then there was a new version in a whole lot of hospitals. They got a new version of their software, and some old bugs had crept in again, suddenly, the rates spiked again, and things like that.

Now, the interesting thing is, and again, this is just Europe so it doesn't translate into US directly, but there's some things about systems. In general terms, again, it is relevant. You've got the environment, the manufacturer at the top, and then you've got the external, that's the downstream partners in the supply chain, you've got the classic, you've got the environment, the process, the equipment.

If you look at that, all of these things can cause some failure in the process. That means the scan fails. If you look at them, the big ones where we've got these explosions on there, the callouts, and you can see they are on the end user side generally. That's interesting because that's actually outside of the control of the manufacturers

Yet, it's the manufacturers who legally have to deal with that because the system is set up, a scan in the pharmacy fails because the pharmacist has done something wrong, that alert bounces up via the system to the manufacturer. Depending on the market, they've got to deal with that within 24 hours, investigate, find out root cause, and then get back and confirm yes or no.

When the system is really fully up and running, the 24 hours is too long, because there's a pharmacist standing there and cannot dispense a pack, theoretically. Today, you still got some sort of guidance in many markets where your pharmacist can use their professional judgment.

Even if the system says no, they can look at the pack, where did we get it from, does it look OK, and dispense it anyway. We're not there yet in Europe with enforcement either. That's one of the takeaways. It's taken a long time to get here, and it's the manufacturer who actually has to carry the weight of this even if it's outside their control.

What does that mean? It's, if you're looking at your extended supply chain these days and where we're getting to, also, things like Mint and so on, the communication in the supply chain, the information flows, it's all of these points where scans happen, and all of these are potential causes of alerts and exceptions. Moving on to the US then.

Allan: Many of you are familiar with EU alerts. They probably keep you awake at night. It seems that saying, we had this experience in Europe. Five and a half years in, we're still not out of the woods. Let's translate to what might or might not happen on November 27, 2024.

Can you explain just a couple key differences between EU FMD and the DSCSA in terms of systems and philosophy?

Christoph: The key difference is, it's a different architecture, different approach. One of them is in the US, the transactions follow the money. In Europe, it's the physical pack. That's one important thing. The other difference is that in Europe, many, many different architectures were looked at, including some models like in the US. In the end, Europe went for a centralized approach.

You've got the national systems, but you've got the central hub where all the data goes up and then it's distributed to national centers and so on. Of course, in the US, that's completely different. You've not got such a central system, it's of point.

What that means is, for manufacturers and for end users in Europe, you only connect to one system, to one node. In the US, you've really got to build the connections to all your trading partners. The integration challenge there is on a different level altogether.

Allan: In FMD, you will receive an alert, something scanned, data mismatch. There's not going to be an alert as such in the US. Maybe could you define alert versus exception? Maybe that's the...
[crosstalk]

Christoph: In the end, it's the same thing. It's a mismatch between the physical product and the information. If there's a mismatch, then in the digitalized, serialized supply chain, the process has to stop. You've got to sort it out before you can move on again to the next step.

Now, the US approach has a number of benefits in a way because in Europe, the way you've got, in theory, no check until the pharmacy, the point of dispense in the end means that could be the first time you notice it.

In reality, of course, part of the learning has been, if you ship, your 3PL should really scan on receipt just to make sure that they can confirm the upload looks OK from their side as well, and the distribution to their system has happened. In the US, you've got earlier points when you could actually begin to notice something's gone wrong and address the challenges. There's benefit in that.

Also, operating at an aggregation level, you can see some of the benefits there in keeping the data volumes potentially reduced, or the integration with your local systems enhanced.

Allan: Christoph, you've worked with companies on both sides of the Atlantic. What are you hearing as some concerns? From TraceLink, we hear, unlike FMD, the shipments need to be scanned every step of the way from manufacturer all the way down to dispensation.

As you said, aggregation helps, so I don't have to scan each of the 1,000 packs. I can just scan one number. What are some of the operational challenges that that presents or maybe operational opportunities?

Christoph: It's systems and implementations. The big concerns that we have here working right across this plight with many partners, manufacturers, but also wholesalers, and we've got some big implementation projects with dispensers, it's really that none of them are ready.

On the manufacturer side, we'd say, if we want to be generous, about of 80 percent are probably really ready by now. Meaning ready is just being consistently able to send physical product and information nicely, in parallel, routinely without anything going wrong. That is challenging, and that's not been mastered.

Allan: Christoph, you were talking about, in the EU, you get an alert. Right now, there's stabilization periods which don't have a single definition, but basically, use your best judgment, and you can dispense if things seem all right. You said 24 hours, some countries more. What is the rule in the US?

Christoph: Ah, now that's where it gets interesting. In the US, for a start, you've already had this enforcement holiday because we're in 2024, we were supposed to have reached the final point last November, but FDA has given another year. There has been a great reluctance, of course, because giving more time, there's always a risk that people take the foot off the pedal.

Anecdotal evidence is that, of course, that's what happened in a way. In one of the slides, I showed where you had the green markets, the markets where they're really out of the stabilization period and now in full modus operandi, that's actually what's happened there. Those markets have been quite strict on enforcing compliance, on following up, also providing support and help.

They have managed to drive down their alert rates in those markets, but it's taken the focus, it's taken the attention, and it's also taken this clear statement, the safety net, whatever you want to call it, stabilization period or whatever, that's going to go away now.

You're going to have a hard landing if you're not doing it properly. That provides wonderful encouragement, I think. That is, to some extent, lacking in the US.

Allan: In fact, I was going to ask you, we have an NMVS, which clearly says, there were 100,000 alerts yesterday. What do we have in the US to report, for example, to the FDA?

Christoph: I think because you've got this distributed system, so it's actually quite hard as well to get insights into where are you really, talk about KPIs and so on. You couldn't produce these amber reports in the US. Apart from all discussions about the architectures and so on, that is something that would be useful to have that. You think that other, you've got this exemption for the small dispensers.

Allan: In fact, there's an exemption there. You almost don't know whether your trading partner has an exemption or not.

Christoph: Small dispensers, yes. Those are pharmacists...

Allan: That's the end of the line, right?

Christoph: End of the line, yes, a maximum of 25 pharmacists. In European terms, they're not small. Depending on which market you go to, they're wow. You've got them, but I think those are at the end of the line in a way. You've then got these waivers, exemptions and exceptions that stakeholders need to apply for.

Then they may get granted an exemption so they can continue supplying their T threes rather than the T twos and so on. You then get into the point where you're saying, which trading partner has an exemption? Where are they? Then you get into a situation, which it reminds me of, in Europe, we have something called the designated wholesaler, you pass.

Again, sorry for going to Europe, but it's irrelevant. It's very relevant actually of a challenge that applies exactly in the same way because, of course, the law in Europe also says if you receive your product from the manufacturer or the manufacturer's designated wholesaler, which is a 3PL, then you do not need to carry out inbound checks because you're receiving it from a trusted party.

If it's from somebody who is not within that gilted circle, you do need to carry out inbound scans and checks. How do you downstream, as a wholesaler in the supply chain, know, is the party I'm receiving the physical shipment from, is that a designated wholesaler for this product, for this manufacturer in this country or not?

The European system actually has got in, as part of the master data this designated wholesaler flag. That gets propagated, that gets updated by the manufacturer. They need to look at their contracts, say, in this country, this is a 3PL, I've got the contract with them for distribution of my product, therefore, they are a designated wholesaler for me in that market for those products.

Then that information gets propagated through the system. In the national systems, you can look that up. A wholesaler can just carry out the check and say, for these inbound shipments, I do need to scan, for those I don't because I've received them from a designated wholesaler. Now there's no such system in the US.

Allan: There's no master list, is there?

Christoph: No. Again, it's a communication between trading partners.

Allan: I see my colleague, Joel.

Joel: I think in the US, it's even more complicated because it's not just a trade partner that exempt, it's per GTIN, per partner for a designated time frame. You have to track that. Then you ask yourself, how does anybody know what's exempt? How are you going to track that through the industry when you're exchanging the data? It's a little bit more complicated.

Christoph: Absolutely. The interoperability goal really begins to fall apart if you haven't got that clarity. With the best will in the world, granting such exemptions, in a way, you can see why it might make sense, but on the other hand, it injects a lot of uncertainty and challenges into the system.

Allan: The FDA will grant these time-bound, they're called WEEs, W-E-E waivers, exemptions and exceptions. What does the FDA advise if they're not publishing a list? Nobody's publishing a list. What are trading partners supposed to do? Attach a little Post-It Note to... [crosstalk]

Christoph: Talk to each other.

Allan: How can they talk to each other, Christoph?

Christoph: You're pushing me towards my concluding statements because actually, that's one of the things. This integrated interoperable supply chain, getting your trading partners connected closely, that's becoming so important. Without that, things are just going to fall apart.

I've been thinking the last couple of days, that's why this Opus Mint development is exciting because you actually do see a conduit for some of those information flows. That's one thing. I guess the other thing is that it always also depends on your data. If your data is not right, it's always garbage in, garbage out, and things fall down.

Allan: I know you don't have a crystal ball, but we have seen what happened in Europe in 2019. Do we think the same Armageddon is going to happen in the US? Sorry to be so drastic about that. We don't have a central system that can say, there's an alert, we have, I got product without data, I got data without product, there's a mismatch here.

There's so many different things that can happen in the US. Is November 28th, the day after, going to be a very unhappy Thanksgiving for Americans?

Christoph: It's such a shame I left my crystal ball, Allan. Sorry.

Allan: I know. I asked you to bring it.

Christoph: It went all cloudy. There's a stormy seas ahead, let's put it that way, I think. Having lived through this undertaking, and even with, I have to emphasize, the European approach and the European system, it's really simple actually. It really is. The American approach is, for good reasons, the two supply chains are structured differently. The market operates in a different way.

I'm not saying we should have put in a US MO, bot at all, but you can see there are differences, but there are also similarities. The similarities are all about the correct data in the correct place, sent at the correct time, received well, processed, and so on. If trading partners are not ready to do that consistently, then there's going to be pain.

Allan: I think the message has been, a ounce of prevention is worth a pound of cure, if I translate into grams and kilograms. The idea would be, get your data in order. Let's say the unthinkable or unwantable happens, Christoph, would you advise the folks here to, I don't know, maybe already contact trading partners just to do a fire drill?

What would you advise people who might say, we know this tidal wave is coming, but thank you? What should we do about it to...?

Christoph: Let's not call it a fire drill, but let's call it more of a good sound preparation work. In the end, this is project work, you always hope for the best, plan for the worst. Part of that is also testing, testing, testing. The other thing is what companies would be well-advised to do is look at their supply chain, look at their trading partners, and have quite a hard close look at their capabilities.

What you will need to do is, you need to identify which are the third parties you use, how important, how integral are they to your supply chain. Then you look at their capabilities. Can they fulfill their obligations that are legally on them? Also, they will need to fulfill duties that are your legal obligation, but they need to discharge those on your behalf.

You need to have a hard look at them, and then what you will come out of. We do that exercise for companies. We call it the supply chain health check. What comes out of that is a very clear grid. You've got some of the partners that are absolutely strategic and are capable, good.

You've got some that are strategic, but you've got some shortcomings, that's absolutely where you need to start focusing your attention. Then you've got others that are strategic and not capable in that corner, and that is, how quickly can you get out, and what is your exit strategy?

[music]