It's time to get honest about VRS (in its current form)

 

The recent events-   a large volume of verification requests were sent out originating from a GLN that doesn’t resolve to a known entity (Per GS1’s ‘Verified by GS1’) nor provided any other identifiable means to determine who the requestor was- not even a company name was provided.  

The compliance gap centers on the DSCSA requirement that entities are to only respond to verification requests from ‘authorized’ partners.   Here are the relevant clauses

For companies who DON’T have VRS they may have received these verification requests via email or other means- which allowed them to (hopefully) act per SOPs and NOT respond as there was no feasible way to ensure the requestor’s ‘authorized’ status as required by DSCSA.

For companies who DO have VRS, most (if not all) automatically responded to the requests- Putting them directly out of compliance with DSCSA for the reasons noted above.

Again you read that correctly-  companies who received these requests and DIDN’T have VRS had more control to ensure their compliance with DSCSA compared to companies who DID have VRS.

What the recent experiences highlight is the lack of control within the VRS framework and within VRS vendor solutions to guarantee that responses are returned to ‘authorized’ requestors .   In this situation an organization simply had access to a VRS interface and was able to enter serial numbers which triggered the requests. Even worse is the current understanding is that this organization didn’t even have physical possession of the items.    Thank goodness it doesn’t appear this was a ‘rogue’ organization or bad actor- but what’s stopping that from happening in the future?   

Having access to a ‘system’ that can tell me what serial numbers are legitimate and which are not is a counterfeiters utopia and undermines the entire concept of VRS and DSCSA

“…But Scott credentialing solves all of this”   Eh not so fast-   Credentialing ‘could’ solve all of this … but only if credentialing becomes a requirement across the whole industry- which is a pipedream unless congress wants to amend that into DSCSA.

I’ve covered this topic before- we can’t even get every entity to pay $30 for a GLN, there is no chance that every entity goes out and gets credentials unless they are forced to.   Until then- credentialing has limited benefit.     If I’m a manufacturer and could flip a switch in my VRS solution that says only respond to credentialed requests- I’d be blocking nearly every verification request that comes in.  Which brings us back full circle to my original statement-  Why even have VRS enabled at this point?

Make no mistake- I’m the technology guy.  I’m the one harping that the only way serialization/traceability works in pharma is if we build and implement better technology compared to what we have today.  I’m not saying automated verification requests should go away-  we just have to find a way that actually benefits the industry and not just solution provider’s checkbooks.

Put VRS in its current form out to pasture, go back to the drawing board and realize that automated verifications is just another use case that requires true collaboration networks to be implemented in this space.