Joining forces for more savety in the pharmaceutical market

An overview of the provisions of the Delegated Re-gulation (EU) 2016/161 and the German system for authentication and verifi cation of pharmaceuticals

About securPharm e.V.

securPharm e.V. is an initiative to protect patients from falsified pharmaceu-ticals in Germany’s legal supply chain. It is sponsored by a consortium of the following pharmaceutical companies‘, wholesalers‘ and pharmacists‘ associa-tions: BAH, BPI, vfa, PHAGRO, and ABDA.

Since 2011, securPharm e. V. has been developing a protective system from falsified medicines in compliance with the requirements of the EU Falsified Medicines Directive 2011/62/EU. This system has been tested in practice since 2013. The findings derived from testing are directly used in further system de-velopment. This unique collaboration of all stakeholders in the pharmaceutical supply chain makes it possible to optimally tailor the system to the business processes of all parties involved from the outset. One important element of securPharm is the use of separate databases for manufacturers and pharma-cists in order to maintain the greatest possible data privacy for patients. Today, securPharm is the leading system in Europe for the implementation of future legal requirements regarding the authenticity verification of pharmaceuticals. It is the objective of securPharm to provide a system that can be used by all market participants when the Falsified Medicines Directive becomes effective.

Overview of the provisions of the Delegated Regulation no. 2016/161 as of March 2016

3

Inhaltsverzeichnis

1. Introduction: The Falsified Medicines Directive and the Delegated Regulation

2. The Delegated Regulation confirms the core principles of securPharm

3. Content and interpretation of the Delegated Regulation

3.1. Provisions for marketing authorisation holders

3.2. Pharmaceutical wholesalers securing the supply chain

3.3. Authentication at the pharmacy

4. Closing remarks: Quick clarification of open questions

4

4

7

9

12

13

14

4

The publication of the Delegated Regulati-on (EU) 2016/161 on 9 February 2016, which stipulates the technical and organisational requirements for implementation of the Fal-sified Medicines Directive 2011/62/EU, marks the preliminary conclusion of a legislative pro-cess that has occupied the stakeholders of the pharmaceutical supply chain in Germany since 2011. Pharmaceutical companies, wholesalers and pharmacists now have clarity regarding the technical and organisational details they will face with the implementation of the direc-tive as well as the mandatory time horizon for implementation. From 9 February 2019, only prescription drugs bearing the new safety fea-tures can be circulated in Germany.

The objective of the directive and the associa-ted Delegated Regulation is to protect patients from falsified medicines in the legal supply chain. With this legislation, the EU Commission reacts to the cases of falsification that were dis-covered time and again over the past few years despite the existing regulations and controls. In the future, these protective measures will be complemented by mandatory technical solu-tions, the unique identifier and anti-tampering devices.

From the outset, the associations in the German pharmaceutical market have accompanied the EU Commission on this path and established the organisation securPharm e.V. as early as

2011. The stakeholders of the pharmaceutical chain consider patient protection as a valuab-le commodity that must be defended. Germa-ny will continue to be one of the most secure markets for pharmaceuticals worldwide. The associations and market participants are alrea-dy investing considerably in the set-up of se-curPharm and incur high capital spending for the realisation of technical solutions and the conversion of internal corporate processes. At this point, the introduction of securPharm and the new safety features are considered the lar-gest infrastructure project in Germany’s phar-maceutical supply chain.

The German stakeholders have prepared for the implementation of the Falsified Medicines Directive early on. As early as 2011, the associ-ations of the pharmaceutical companies, who-lesalers and pharmacists joined forces in secur-Pharm e. V. in order to develop technical and organisational solutions for implementing the Falsified Medicines Directive in Germany. Since 2013, securPharm has been tested in practice and is used by more and more market partici-pants. From the very beginning, the close par-ticipation by a representative group of market participants from all levels of the supply chain was an essential part of development in order to ensure the practicability of the solutions. Overall, the Delegated Regulation confirms the cornerstones of the securPharm system.

1. Introduction: The Falsified Medicines Directive and the Delegated Regulation

2. The Delegated Regulation confirmsthe core principles of securPharm

Overview of the provisions of the Delegated Regulation no. 2016/161 as of March 2016

5Now the system can be further expanded in accordance with the available technical and organisational requirements.

Implementation by a stakeholder system

The most important confirmation for secur-Pharm is that the European legislature dele-gates the set-up of national systems for the verification and authentication of pharmaceu-ticals to the stakeholders (Article 35) of the EU member states in question and has not deci-ded upon the development of a government system.

End-to-end verification

Based on the content of the Delegated Regu-lation, there are also other core principles in terms of which securPharm finds itself vali-dated. Following an impact assessment and a weighing of costs (Recital 3), the Commission decided on authentication based on an end-to-end verification system, since the objectives of authentication can be achieved in equally high quality compared to the significantly more expensive and elaborate track-and-trace system. This approach was also pursued by se-curPharm.

In an end-to-end system, the marketing autho-risation holder generates the unique identifier during the production of the pharmaceutical (Article 4). At the end of the supply chain, it is verified for authenticity and decommissioned by the pharmacist when dispensed to the patient (Article 25). The end-to-end system is complemented by the wholesalers based on risk-based verifications. Risk-based verification

means that wholesalers test in cases where they receive a pharmaceutical not from a phar-maceutical company or on its behalf, e.g. from another wholesaler or a return from a pharma-cy (Article 20).

Data Matrix Code as data carrier

Composition, format and carrier of the unique identifier are completely harmonised on an EU-wide scale. The unique identifier is affixed in the Data Matrix Code and contains the product code, serial number, batch number and the ex-piry date. Used as the product code, the PPN or NTIN contains the PZN, which remains the relevant product number for the retail sector and is used for reimbursement. An additional national reimbursement number is not requi-red for Germany.

Data privacy and data ownership

For the verification of pharmaceuticals, the Fal-sified Medicines Directive (Article 54a para. 3 of Directive 2001/83/EC) and the Delegated Regu-lation (Article 38 and Recital 37) demand the pro-tection of person-related information and data ownership, which are provided for by the laws of the European Union. securPharm is based on a concept in which the players remain master of their data based on the technical approach of the system. The marketing authorisation holders (MAHs) upload their package-related data to the database system of the pharmaceu-tical industry (ACS-MAH-System). Verification queries by the pharmacies are bundled by the pharmacy server and addressed to the ACS- MAH-System in anonymised form. This system separation and the anonymisation of verifica-

6 tion queries completely ensures mutual data confidentiality and leaves the processes in the hands of the parties in charge. No personal pa-tient information is ever collected.

Specification of the legal text in a dialogue with the institutions

The requirements of the Delegated Regulation leave manoeuvring room in their application in all 28 EU states and their pharmaceutical supply chain, which is frequently marked by specific na-tional characteristics. On the one hand, this me-ans leeway in interpretation. On the other hand, this occurs at the expense of unambiguity. This unambiguity is created by the consultations of the EU Commission with the national authori-ties or the national stakeholders. This process requires that the parties involved scrutinise the document from the various perspectives of the individual associations. In doing so, the authentication processes with their impacts on all trade levels, all the way to the patients, must be anticipated. As much clarity as possible and accordance in interpretation of the individual articles is to be achieved in a dialogue with the market participants and a Q&A with the natio-nal and international authorities. We may ex-pect that this process requires several rounds of further specification with the individual in-stitutions. As a result, an information paper on the Delegated Regulation will only provide the current status of the discussion at that point.

Task and structure of securPharm e.V.

securPharm is a non-profit organisation. It builds the authentication system for prescrip-tion drugs in Germany, describes the rules, organises the procedure and seeks solutions for conflicts that arise. The latter part includes securPharm operating a conflict management system in accordance with the requirements of the national authorities in charge (which are yet to be defined). This system will register any type of unexpected events in pharmaceutical verification and makes a contribution to their resolution.

To ensure data privacy and an effective process organisation, securPharm works with separate systems for pharmaceutical companies on the one hand and wholesalers and pharmacies on the other. The pharmaceutical companies upload their data to the database of the phar-maceutical companies. This database is opera-ted by ACS PharmaProtect GmbH, which was established by the associations of BAH, BPI and vfa and is currently still being financed by them. The pharmacy server through which whole-salers also submit their verification queries is operated by Werbe- und Vertriebsgesellschaft Deutscher Apotheker mbH and is currently still being financed by them.

Overview of the provisions of the Delegated Regulation no. 2016/161 as of March 2016

7Object

The Delegated Regulation (Article 1) includes the following stipulations:

Characeterictics and technical specifica-tions of the unique identifier;

Modalities for the verification of the safety features;

Establishment, management and ac-cessibility to the national repositories systems;

A list of exceptions for prescription and non-prescription drugs;

Procedures for modifying the lists of exceptions in the member states.

Scope of the safety features

The new requirements apply to all prescription drugs for human use (Article 2), with the excep-tion of the pharmaceuticals listed on the so-called White List (Annex I to the Delegated Regu-lation). This list contains 14 product categories, including homeopathic medicinal products, allergen extracts, contrast media and solutions for parenteral nutrition.Non-prescription drugs shall not bear the safe-ty features. Exceptions are the medicinal pro-ducts listed in the Black List (Annex II to the De-legated Regulation). So far, this list only includes omeprazole in two different strengths.

3. Content and interpretation of the Delegated Regulation

The Falsified Medicines Directive 2011/62/EU

Directive 2011/62/EU of 8 June 2011, the so-called Falsified Medicines Directi-ve, amends Directive 2001/83/EC on the Community code relating to medicinal products for human use, as regards the prevention of the entry into the legal sup-ply chain of falsified medicinal products. In this respect, the verification and authen-tication of pharmaceuticals based on the corresponding safety features is the one essential measure out of several. In Ger-many, securPharm develops the system for verifying pharmaceuticals based on a unique identifier for each package.

What is a Delegated Regulation?

A delegated regulation is a legal act the EU Commission can pass since the 2009 Treaty of Lisbon pursuant to Article 290 of the Treaty on the working method of the European Union. The EU Commission was authorised to supplement and specify in greater detail directives and regulations. The Commission sets generally applicable rules in the form of delegated acts. As exe-cutive legislation, delegated acts are very similar to German ordinances. Typically, the European Parliament and the Coun-cil have two or four months to object to a delegated act. However, the Council and Parliament cannot object to parts of a de-legated act but must accept or reject it as a whole. The Commission has passed the delegated act for the Falsified Medicines Directive as a delegated regulation, which automatically applies to the entire EU as supranational European Union law wit-hout national implementation.

Overview of the provisions of the Delegated Regulation no. 2016/161 as of March 2016

8 Amendments to these lists of exceptions are not made by the national stakeholder associ-ations but by the member states, which must submit the corresponding applications to the EU Commission (Article 46).

The safety features

The Directive refers to two safety features (Article 3):

The “unique identifier”, which allows the authentication and identification of an individual pack of a medicinal product.The work of securPharm focuses on de-veloping a system for authentication and identification of pharmaceuticals based on this safety feature.

The “anti-tampering device”, which can be used to check whether the outer packaging of a pharmaceutical was mani-pulated.

The anti-tampering device is not a focus of securPharm. It must be implemented by each marketing authorisation holder. In order to create a joint, reliable basis for the protection of medicinal products for the pharmaceutical industry, the German Institute for Standardisation (DIN) and the European Committee for Standardisation (CEN) have developed a European stan-dard, which described appropriate sealing options in accordance with the require-ments of the Falsified Medicines Directive.

Requirements for the unique identifier

Data elements

The unique identifier must contain four or five data elements: product code, serial number, batch number and expiry date (Article 4). Since the Pharmazentralnummer (PZN) included in the product code simultaneously serves as the national reimbursement number, the latter need not be included in the unique identifier as a separate fifth data element.

Requirements for the serial number

The unique identifier consists of a randomly generated sequence of no more than 20 nu-merical or alphanumerical characters. The pro-bability that the serial number can be guessed must be less than one in 10,000. Article 4 does not stipulate anything else in terms of numbers, letters or uppercase or lowercase characters. Additional details on the coding requirements are included in the securPharm Coding Rules at www.securPharm.de/en/mah/coding.html.

Product code

The product code must include the name of the product, dosage form, concentration, pa-ckage size and packaging type. In Germany, these data are kept with the master data of the IFA (Institut für Arzneispezialitäten) and are clearly linked with the PZN, which, in turn, forms part of the product code.

Overview of the provisions of the Delegated Regulation no. 2016/161 as of March 2016

9Data carrier

In order to be unambiguous in an interna-tional context, the PZN is embedded in an envelope. In Germany, there are two options: Either the PZN is embedded in the form of a Pharmacy Product Number (PPN) or a Natio-nal Trade Item Number (NTIN). It is up to the marketing authorisation holder which versi-on he will use. Pharmacies and wholesalers can process both versions and extract the PZN from it. From the outset, securPharm has designed its system in such a manner that marketing authorisation holders can choose between PPN and NTIN.

The data carrier for the unique identifier is the two-dimensional Data Matrix Code, which is specified in globally applicable standards. International standards have also been sti-pulated in the Delegated Regulation for the representation of elements of the unique identifier in the Data Matrix Code (Article 5 para. 6). This way, the use of PPN or NTIN are possible, since both are based on these stan-

dards.

Based on the regulatory requirements for pro-tecting patients from falsified medicines and the associated implementation of the safety features, the pharmaceutical companies will face significant changes. This requires a com-prehensive implementation strategy across all functions.

Even for companies that have just started con-verting to the new safety features, an early link-up would be meaningful. This way, they will benefit from an exchange of experience with other market participants in setting up their system and can start practicing authentication processes under real-life conditions early on in order to identify and exclude possible error sources prior to the 2019 start date. In Germa-ny, pharmaceutical companies benefit from securPharm in that the system infrastructure and the corresponding implementation expe-rience are already in place. Therefore, they can adjust their processes to serialisation before the 2019 effective date in order to practice processes along the entire supply chain. In the case of non-compliance with the requirements of the Delegated Regulation, the affected phar-maceuticals can no longer be circulated from 2019 onward. Patient protection requires high investments on the part of the pharmaceutical companies in order to implement the measu-res demanded by the EU.

3. 1. Provisions for marketing authorisation holders

10 Coding of a pack with the unique identifier

For the initiators of securPharm, viability in the market and in practice has been an important aspect during the development of the verifica-tion system. As a result, pharmaceutical com-panies can choose between the two versions of the PPN and NTIN. securPharm is revising its coding rules in accordance with the requi-rements of the Delegated Regulation. They are published on the securPharm website at www.securPharm.de/en/mah/coding.html.

Human readable information

Serial number and product code must be prin-ted on the pharmaceutical pack in human rea-dable form (Article 7). The Delegated Regulation made an exception for very small packs (Article 7 para. 2), which should represent a satisfacto-ry arrangement for the manufacturers of oph-thalmic medicines. The Commission has made no provisions for listing the batch number and expiry date, because this is already covered in the currently effective labelling regulations.

Data upload

The Delegated Regulation confirmed the free-dom of choice for pharmaceutical companies between the data upload via a national repo-sitory or via the European Hub (Article 33 Abs. 3). Depending on their business orientation, companies can choose which of the options for the data upload to the data repositories system is more advantageous to them. If the pharmaceutical company decides to use the European hub, it will route the data to the ap-propriate national system. Especially for inter-nationally operating companies, this version

is beneficial, since this enables them to feed the serial number into the respective national databases via a single data entry point. When uploading data via the national repository, it will route the information to the EU Hub. This version is of interest to nationally operating companies. Germany decided on the model of separate databases for the pharmaceutical companies and the pharmacies. Berlin-based ACS PharmaProtect GmbH operates the data-base system of the pharmaceutical industry within the securPharm project.

Responsibility for the data upload within the company

From securPharm’s perspective, no clear stipu-lations have been made as to who is responsib-le for the data upload within the company. This question will be settled with the Federal Minis-try of Health. However, it has been established that it is always the marketing authorisation holder who is responsible for uploading the data of his products to the data repositories system (Article 33 para. 1) prior to circulation of the pharmaceuticals, thereby making them available for authentication in a timely manner.

Affixing a Data Matrix Code to non-prescripti-on drugs

Pharmaceuticals that are neither prescription drugs nor included in the Black List shall not bear the unique identifier (Art. 54a para. 1 of Di-rective 2001/83/EC, Recital 40). Accordingly, the-se pharmaceuticals must not participate in the securPharm system.Upon an inquiry from securPharm, clarifica-tion was provided regarding the important

Overview of the provisions of the Delegated Regulation no. 2016/161 as of March 2016

11question whether it is permissible to affix a Data Matrix Code to non-prescription drugs that only contains the three elements of batch number, expiry date, and PZN/product code in machine-readable format. According to the EU Commission, affixing a Data Matrix Code to pharmaceutical packages that need not bear the safety features is allowed, if the Data Mat-rix Code neither contains the unique identifier nor serves the purpose of identification of the medicinal product and as long as the require-ments of EU Directive 2001/83/EC Title V are met. As a result, a Data Matrix Code without serial number is permissible based on the opi-nion of the EU Commission.

Legitimacy test

From Article 37 (b) of the Delegated Regulation results the consequence of a legitimacy check before pharmaceutical companies can connect to the national repository. Based on this article, the operators of the national repositories are obligated to check each user for his identity, role and legitimacy before connecting him to the national database. Therefore, it is particu-larly important for pharmaceutical companies to check with IFA that their data are up to date and to contact ACS PharmaProtect GmbH in order to obtain information on the necessary evidence for the legitimacy test.

Master data

With the upload of the unique identifier, the De-legated Regulation requires the upload of mas-ter data (Article 33, para. 2). From securPharm’s point of view, this also includes data which are not required for the verification of authentici-

ty. In addition, the upload of these data would cause unnecessary redundancies with every serial number. Based on securPharm’s inquiry, the EU Commission has confirmed that the one-time data upload is sufficient as long as they are being kept up to date.

Deadlines

On 9 February 2016, the Delegated Regulati-on (EU) 2016/161 was published in the Official Journal of the European Union. This also marked the start of the three-year implementation pe-riod. All pharmaceutical packages subject to mandatory verification that are produced after 9 February 2019 must bear the mentioned sa-fety features (Article 50). Even without the safety features, packages released for sale or distribu-tion prior to this date (Article 48) are not limited in their eligibility for circulation until their expiry date.

12Pharmaceutical wholesalers are an important component in the pharmaceutical supply chain. They ensure the nationwide, need-orien-ted and timely supply of all community phar-macies in Germany with any medicinal pro-ducts demanded by the patients. Accordingly, they serve an important function in securing the supply chain. In the future, wholesalers will verify pharmaceuticals in terms of risk-based testing.

Again, it is essential to develop, implement and test the verification processes and the required reporting duties in order to be in agreement with the requirements of the Delegated Regu-lation in 2019.

Risk-based approach in authentication

According to the Delegated Regulation, whole-salers are to verify all pharmaceutical packages they do not receive directly from pharmaceu-tical companies or indirectly on their behalf from another wholesaler. In addition, all returns from pharmacies or other wholesalers must be checked for their authenticity (Article 20).

Extraordinary decommission

In addition, it is possible that wholesalers verify and decommission pharmaceuticals delivered to veterinarians, dentists or emergency physici-ans (Article 23). However, this is within the legal

manoeuvring room of the individual member states and has not yet been clarified for Germa-ny.

Machine-readable coding of batch number and expiry date

The fact that there is now clarity regarding the issue of the machine-readable coding of the batch number and the expiry date (Article 4) is a positive development. This coding is of essenti-al significance for pharmaceutical wholesalers in terms of batch-related documentation and the routing of batch information when sup-plying community pharmacies, which is legally required as soon as the Delegated Regulation becomes effective.

Possibility of multiple verification processes

Wholesalers authenticate pharmaceuticals they do not receive directly from pharmaceuti-cal companies or on their behalf. This does not affect the fact that they are also allowed to ve-rify all pharmaceutical for their authenticity at goods in process. This has the advantage that wholesalers can refuse acceptance of a falsified medicinal product, which will then never even reach the warehouse (Recitals 20, Article 36a).

Wholesalers use the pharmacy server for verification

securPharm works with separate IT systems for pharmaceutical companies on the one hand and wholesalers and pharmacies on the other. Both databases are separate and exchange

3.2. Pharmaceutical wholesalers securing the supply chain

Overview of the provisions of the Delegated Regulation no. 2016/161 as of March 2016

13data for the testing processes only in anony-mised format. The server used for verification by the wholesalers is operated by Werbe- & Ver-triebsgesellschaft Deutscher Apotheker.

Pharmacies play a key role in detecting falsified pharmaceuticals, because they verify the actu-al authenticity of the medicinal product at the end of the supply chain. Before the pharmaceu-tical is dispensed to the patient, the pharmacist scans its Data Matrix Code instead of the pre-viously customary barcode. Ultimately, this is a scan like before, except that another system is working in the background. Upon successful authentication, the package is decommissi-oned in the system and marked as dispensed (Article 25).

Machine-readable batch number and expiry date

Now that the Delegated Regulation has been published, there is clarity that the batch num-ber and the expiry date must also be included in the Data Matrix Code (Article 4). This allows pharmacists to make their merchandise ma-nagement more efficient, since batch number and expiry date no longer have to be entered manually but can be scanned together with the PZN.

Recommission of deactivated serial numbers

In the day-to-day business of a pharmacy, a pharmacist may scan and deactivate a packa-ge without dispensing it. The Delegated Re-gulation has now clarified that a pharmaceu-tical may be recommissioned for up to 10 days after decomissioning, as long as it is in the “physical possession” of the pharmacist. From securPharm’s point of view, this also includes the delivery service, since the pharmaceutical remains in the possession of the pharmacist. With this provision, the Delegated Regulation addresses an important demand of the phar-macists (Article 13).

Possibility of multiple verification processes

The pharmacist verifies the authenticity of a pharmaceutical before it is dispensed to the patient and decommissiones it in the databa-se. In addition, he is allowed to authenticate medicinal products at goods in process (Reci-tal 20, Article 36a). This has various advantages for him, e.g. verification for intactness of the package, the regular entry of batch number and expiry date into the merchandise manage-ment system, and the clear assignment to the supplier in question of pharmaceuticals which were detected as non-dispensable.

International movement of goods

For international movement of goods (Article 34 para. 2), the Delegated Regulation initially provides for a connection via the national re-positories system. This system reconciles the information with the EU Hub which, in turn,

3.3. Authentication at the pharmacy

14 routes the data to the country in which au-thentication takes place. In consequence, this provision means that each pharmacy in Euro-pe must be able to read and process the PPN in the future.

Speedy performance of the repositories system

The Delegated Regulation stipulates require-ments for the speed of the repositories system (Article 35 (f)) with which a query for authenti-cation of a pharmaceutical must be processed. This performance must enable wholesalers and pharmacists to “operate without signi-ficant delay”. As a result, a key demand of the pharmacists has been met.

Pharmacists use their own server for verification

securPharm works with separate IT systems for pharmaceutical companies and pharmacies. Both databases are separate from each other and exchange data for verification processes only in anonymised form. The pharmacy server is operated by Werbe- & Vertriebsgesellschaft Deutscher Apotheker in Eschborn.

Apart from the clarification of open questions regarding the articles of the Delegated Regula-tion, one particular concern of securPharm and its member associations is a timely response to the question of which will be the national au-thorities in charge. What hinges on this is not just the issue of reporting channels for cases of suspected falsification but also the clarification of numerous technical details with the autho-rities in charge. Without clarification of these essential items, the securPharm system will not be able to proceed at the intended and re-quired speed. In view of the tight time horizon of three years for implementation, this could represent a serious risk, because this much is clear: In light of the requirements of the Dele-gated Regulation, the implementation period of three years is an extremely challenging ob-jective and requires maximum performance from all parties involved in order to achieve a functioning verification for authenticity by 2019.

4. Closing remarks: Quick clarification of open questions

Note: All statements made in this publication repre-sent the opinion of securPharm. For any legal assess-ment, only the content of Delegated Regulation (EU) 2016/161 will be relevant.

www.abda.de

www.bah-bonn.de

www.bpi.de

www.ifaffm.de

www.phagro.de

www.vfa.de

www.wuv-gmbh.de

www.pharmaprotect.de

www.securpharm.de

securPharm e.V. | Hamburger Allee 26-28 | 60486 Frankfurt am Main | Registernummer VR 14900 Vereinsregister des Amtsgerichts Frankfurt am Main | Tel. 069 / 979 919 14 | info@securpharm.de