Play it Safe with Secure Packaging

Dec. 30, 2004
Inspired package design requires considering the “worst case” for any technologies selected.
RFID is here, whether we like it
or not. FDA guidelines mandate
deployment of RFID at the pallet
level this year. Photo courtesy of
Symbol Technologies.
By Angelo De Palma, Ph.D., Contributing EditorImplementing product security at the package level is a lot like ordering food at a restaurant with a nine-page menu. There are so many choices that, as soon as you order, you wonder whether what the folks at the next table are having isn’t better.In fact, packaging security technologies should be sampled buffet-style, since no single entrée, even radio frequency identification, is enough to satisfy. Despite RFID’s near-mythic status as an all-purpose security measure for everything from people to pills, technical and business uncertainties abound. And there are plenty of tried-and-true technologies that won’t raise adrenaline levels but get the job done all the same. Counterfeiters are crafty and adapt quickly, and thus a good packaging security program requires a shifting mix of high and low technologies, and a clear view of what can go wrong with each one.RFID not yet robustWhen asked what could go wrong with RFID, Amar Singh, VP of Global RFID at SAP (Newtown Square, Pa.), jokes, “There are never any problems with RFID.”All jest aside, those who aspire to RFID’s promise find themselves stuck between an irresistible trend and the intransigent laws of physics. Tag reading distances vary widely, from a few feet to a few meters, and there are multiple forms of interference. “Radio frequencies are affected by humidity, nearby metals – including packaging and foils – the direction of the receiving antenna, and the presence of liquids,” adds Singh. “What you read in a magazine or technical specification is not necessarily what you get in the field.”Even geometry plays a role in RFID’s practicality, as a tag on the wrong side of a pallet might not be properly read. Singh cites one SAP customer who implanted tag readers on two shipping doors. One worked perfectly while the other stopped transmitting because a water pipe installed near the second door damped the signal. Another SAP client implanted RFID tags on detergent bottles but shrink-wrapped the pallet with a metallic wrapper, foiling not just its product but attempts to read the tags inside.“Clearly, RFID is not yet robust enough for every environment,” Singh concludes. “Since RFID physics change with the environment, testers must simulate actual conditions, including different locations. There is no substitute for real-world testing.”RFID’s economics have also come under fire. Companies must understand and model business processes and supply chains to identify points where RFID is most appropriate. Unless a major purchaser (e.g., Wal-Mart) forces a packager’s hand by demanding radio tags, an incremental approach is best. “Start at a higher level such as pallet and case to realize the technology’s potential and understand its challenges before moving to cases and bottles,” advises Singh.A third constraint on getting the most out of RFID is what Singh calls “limitations on the exploitation of data.” That is, unless all back-end RFID information is available in real-time, it may as well not exist – and may actually get in the way. There are also situations where RFID’s rich data capabilities are simply overkill. A pharmaceutical manufacturer need not know every product’s movement in real-time when daily sales numbers are adequate. The objective should be utility, practicality, and usability – not technology per se.“In many cases RFID doesn’t do much more than barcodes, but what it almost always does is reinvigorate and facilitate capabilities that were theoretically available with bar codes but may not have been practically feasible,” observes Singh. “The advantage might not be seen at the point of sale, but where RFID is used it can lower data collection costs and allow handling of much more accurate information than printed codes.”Security myth and mysticismFDA guidelines mandate phased-in, industry-wide RFID deployment by 2007. By 2005, companies should have implemented the technology at the pallet level, and by 2006, for cases. From there, the agency will likely consider individual product security needs for smaller units.But is this timetable realistic? Hurdles are not restricted to technology and data.“RFID is going through the same growing pains as grocery-store scanning did 15 years ago,” says Don McMillan, VP of marketing at West Pharmaceutical Services (Lionville, Pa.).Pharmaceutical manufacturers and packagers eager to implement new security measures face an uphill battle, not just from regulators but from within. High-speed packaging lines are designed to carry out specific operations. “Adding a bar-coded label or incorporating an RFID tag takes time and additional validation,” says McMillan. “And despite volumes and volumes of validation protocols things still can go wrong.” Significant RFID defect rates spell double trouble, since if a chip fails the vial and its high-value contents are trashed along with the tag.There are three types of RFID implementation, according to Kevin Prouty, senior director of the Manufacturing Industry Solutions Group at Symbol Technologies (Holtsville, N.Y.): “Those that work, those that work with development, and those that will never work.”Harsh words, but true in an industry where 99% accuracy is not enough. “Non-regulated manufacturing can perhaps live with 80% read accuracy,” Prouty says, “but in pharm’s validation climate you have to think in terms of 99.999% accuracy. RFID has shown such a lack of reliability that manufacturers are falling back on 2-D bar codes.”The infrastructure for applying track-and-trace, even bar coding, doesn’t exist today, says Renard Jackson, executive VP at Cardinal Health Packaging Services (Philadelphia). Technology, costs and validation and processing of huge volumes of information are not yet worked out. “Plus, too much effort goes into ensuring the tags are operable,” Jackson laments.Security measures must reconcile the immense gulf between unit doses and truckloads of product, and the unique security requirements of every point in the supply chain. “Risk assessment is still in its infancy in terms of addressing marketplace requirements, even for the 30 or so products which FDA has identified as having a high counterfeiting risk,” says Jackson of Cardinal Health.Much has been said about the high cost of RFID, when in fact deployment at the case or pallet level adds little to the cost-per-pill (ignoring, for the time being, non-tag costs). Still, return-on-investment calculations remain fuzzy. Given the devastating impact of security breeches, pharmaceutical manufacturers are forced to view these investments as insurance, which is never appreciated until it’s needed.
Thermochromic (above) and pen-reactive (below) inks are two security options for pharmaceutical packaging. Courtesy of Gans Security Inks.

The ability to apply, print, or add sophisticated security features into packaging at current production speeds is probably not possible. Simpler solutions involving pre-printed cartons or labels hardly impede production at all, while each RFID tag must be verified on-line. The more sophisticated the measure, the more the line slows down.Making Gutenberg proudGadgetry’s appeal can be seductive, to the point of overlooking tried-and-true, if low-tech (but not always low-cost) printed security measures. Color-shifting inks, which appear to change hue depending on the viewing angle, may cost as much as $250,000 to implement, plus the inks themselves cost $5,000 per pound (versus a couple of bucks for plain black ink). Much of the implementation costs go into developing an ink formula since each ink is unique. In return, manufacturers receive an incremental security boost.But even the most sophisticated printed security measures are easily duplicated. “There’s nothing a counterfeiter couldn’t reproduce if he spends enough money,” says Bill Mitchell, president of Cardinal Health Packaging Services, who believes today’s printed-security marketplace is “merely filling a gap” before industry-wide adoption of RFID.To get the most from print-based security means, pharma companies should use multiple technologies, and change them often to keep one step ahead of counterfeiters.Robert Allsopp, VP at Gans Security Inks (Fairfax, Va.), says smart packagers think about security and design early on, by having design and loss-prevention groups work together. It’s easier, and typically more effective and less costly, to build security into operations before layout and design have been determined.It’s just as important to think through a print-based security project as it is to plan for RFID, says Allsopp. “Always consider the nature of your application, the geography and extent of its distribution,” he says. For example, thermochromic inks, which change color at elevated temperatures, are less useful in hot climates unless they are customized. Similarly, a covert printing technology is inappropriate where gatekeepers lack access to readers or devices needed to authenticate a product. This limitation holds for inks that are IR readable, fluorescent, pen-reactive, or exhibit dual-polarization or other protective properties. Printed security features must be worked out during package design, with print professionals involved. Otherwise a printer with, say, a six-unit printing press will be unable to produce a six-color package that also employs stand-alone security inks. Apprised early on of security and aesthetic requirements, printers may recommend inks that incorporate both color and security features. “It is possible to incorporate up to four security features into a single ink,” says Allsopp. “Not only does this provide the opportunity for multiple layers of protection using a single print unit, but it also represents an economy of scale, compared to using four security inks, each containing a single security feature.”According to Don Huttlin, president of Green Printing & Packaging (Lexington, N.C.), companies need to have printers on staff with package security expertise who also understand product requirements and brand objectives. Manufacturers with complex blends of creative and security needs might consider an integrated outsourced printing service because in-house marketing and creative groups are not always aware of a printer’s capabilities (and vice versa).

Secure Suggestions

As one of the world’s largest pharmaceutical packagers, West Pharmaceutical Services (Lionville, Pa.) has worked with both low- and high-tech security measures, from covert technologies to overt print-based security/authentication, bar codes and RFID. Don McMillan of West offers the following advice for would-be secure packagers:

  • Avoid security measures for their own sake; plan a secure packaging strategy.

  • Decide which points in the supply chain need security technologies, then determine if handlers at those points are capable of reading the code or electronic device.

  • Don’t give too much information and authentication capability to end-users. Counterfeiters or unscrupulous handlers may intercept and duplicate your strategy. At the very least, incorporate some read-only security features that cannot be changed once the package leaves the plant.

  • Assign ownership to data, including its protection, storage, and validation.
And with respect to RFID roll-outs, Amar Singh of SAP cautions on the importance of an empirical, integrated approach:

  • Don’t rely on experimental results, vendor specifications, or competitors’ data. Test everything in real-world environments.

  • Think long-term with all RFID decisions. One distributor’s demands should not dictate a strategy.

  • Develop a plan with a few core applications – perhaps for one customer – that can be easily scaled up and expanded as it becomes practical.

  • Justify the major benefit of RFID, real-time information, through return on investment.

  • Adopt a plan for dealing with information overload: exploit additional data without getting bogged down in it.
And finally, Kevin Prouty of Symbol Technologies lists the most serious mistakes made with high-end security methods:

  • Not having an extensive pilot program. “You can’t test RFID in a single setting and expect that same solution to cover the entire world."

  • Failing to test or calibrate readers.

  • Using home-brewed or do-it-yourself implementations: "Those days are gone, even for bar codes."

  • Cutting corners: “If a vendor tells you that four readers are needed and you only install three, you’ll have a system that doesn’t work and will eventually put in the fourth reader.”

  • Not paying attention to printers (for bar codes). “A lot of people cheap out on the printer, but that’s the bottleneck every time. The printer is as important as the reader.”

  • Failing to build in error-proofing. “Adding it later on is much more expensive, especially for methods that rely heavily on data entry. The more times humans handle data, the more mistakes are made.”
SECURE PACKAGING AS AN ASSET?

One way to avoid packaging mistakes is to manage packaging information like any other asset. The 3M (Eden Prairie, Minn.) Integrated Packaging Tool (IPT) is a central, web-based packaging environment that manages art work, global packaging specifications and cost while enforcing critical safety, regulatory, customer and brand-usage business rules.

IPT integrates package graphic, text, and structure information management with security rules that limit the number of individuals within a company or supply chain who can change critical package information. The suite consists of three components: a front-end security model that limits access to design components, a business-rule enforcement engine, and an archive for design components, layouts, templates and all packaging-related activity data.

“Once the creative groups are done with the original layout, graphics and content, we break the image apart, feed it into a template and assign locations for the logo, bar codes, promotions, text security features and other package-level information,” says business manager Mike Haldane. “By breaking the image apart into granular pieces we can ensure that a regulatory statement always appears on a given package. Since all components’ locations are mapped to the template when they come into our system, putting everything back together for production is an automated function.”

The 3M approach to secure packaging avoids the kinds of surprises consumers sometimes get when they open a box of X and get Y instead. “The problem is that most companies have multiple locations and processes for managing packaging information and their systems do not automate business-rule enforcement or verify contents of a given package in real-time,” says Haldane. “The same mishap occurring with pharmaceuticals can severely impact a company’s reputation and, most importantly, their customers’ safety.”