The recent events- a
large volume of verification requests were sent out originating from a GLN that
doesn’t resolve to a known entity (Per GS1’s ‘Verified by GS1’) nor provided
any other identifiable means to determine who the requestor was- not even a
company name was provided.
The compliance gap centers on the DSCSA requirement that
entities are to only respond to verification requests from ‘authorized’ partners. Here are the relevant clauses
For companies who DON’T have VRS they may have received
these verification requests via email or other means- which allowed them to
(hopefully) act per SOPs and NOT respond as there
was no feasible way to ensure the requestor’s ‘authorized’ status as required
by DSCSA.
For companies who DO have VRS, most (if not all)
automatically responded to the requests- Putting them directly out of
compliance with DSCSA for the reasons noted above.
Again you read that correctly- companies who received these requests and DIDN’T
have VRS had more control to ensure their compliance with DSCSA compared to
companies who DID have VRS.
What the recent experiences highlight is the lack of control
within the VRS framework and within VRS vendor solutions to guarantee that responses
are returned to ‘authorized’ requestors .
In this situation an organization simply had access to a VRS interface
and was able to enter serial numbers which triggered the requests. Even worse
is the current understanding is that this organization didn’t even have
physical possession of the items. Thank goodness it doesn’t appear this was a
‘rogue’ organization or bad actor- but what’s stopping that from happening in
the future?
Having access to a ‘system’ that can tell me what serial
numbers are legitimate and which are not is a counterfeiters utopia and
undermines the entire concept of VRS and DSCSA
“…But Scott credentialing solves all of this” Eh not so fast- Credentialing ‘could’ solve all of this …
but only if credentialing becomes a requirement across the whole industry-
which is a pipedream unless congress wants to amend that into DSCSA.
I’ve covered this topic before- we can’t even get every
entity to pay $30 for a GLN, there is no chance that every entity goes out and
gets credentials unless they are forced to.
Until then- credentialing has limited benefit. If I’m a manufacturer and could flip a
switch in my VRS solution that says only respond to credentialed requests- I’d
be blocking nearly every verification request that comes in. Which brings us back full circle to my
original statement- Why even have VRS
enabled at this point?
Make no mistake- I’m the technology guy. I’m the one harping that the only way
serialization/traceability works in pharma is if we build and implement better
technology compared to what we have today.
I’m not saying automated verification requests should go away- we just have to find a way that actually
benefits the industry and not just solution provider’s checkbooks.
Put VRS in its current form out to pasture, go back to the
drawing board and realize that automated verifications is just another use case
that requires true collaboration networks to be implemented in this space.