Why barcodes still matter in modern pharma

A 2D Data Matrix on a medicine pack is not a label decoration. It is the physical anchor of a regulated chain of custody that links the manufacturer’s release record to the dose handed to a patient. In the European Union, the Falsified Medicines Directive (FMD) makes pack-level verification mandatory at supply. In the United States, the Drug Supply Chain Security Act (DSCSA) requires interoperable, unit-level traceability across trading partners (European Commission, n.d.; FDA, 2021). Both regimes treat the barcode as the load-bearing element — everything downstream, from recall reach to falsification alerts, depends on what got encoded and uploaded before the pack left the line.

Reading these requirements as “just print a code” is the failure mode we see most often. The barcode is the visible artefact. The compliance work sits in the data behind it: the product master, the serial repository, the scan-event log, and the controlled link between print files and uploads. Get that wrong and the code still scans, but the regulatory record underneath it doesn’t hold up to an inspector’s questions.

The World Health Organization frames this in patient-safety terms. Its Medication Without Harm challenge sets a target to cut severe avoidable medication harm by half, and clearer identification is one of the levers (WHO, 2017). The regulatory regimes are the operational expression of that goal.

What does DSCSA actually require on a US package?

DSCSA mandates a 2D Data Matrix on the smallest saleable unit, carrying four fields:

- GTIN (Global Trade Item Number) — the product identifier.
- Serial number — unique to the pack.
- Lot number — the manufacturing batch.
- Expiry date — ISO 8601 format.

FDA guidance clarifies that the linear barcode required by 21 CFR 201.25 still applies to the National Drug Code in many contexts, so packs typically carry both the Data Matrix (for DSCSA) and a linear code (for legacy label rules) until the linear requirement is phased out (FDA, 2021). The two are not interchangeable, and removing the linear code prematurely creates a labelling deviation that QA has to manage.

DSCSA is interoperability-first. There is no single central repository the way the EU has. Wholesalers, dispensers, and manufacturers exchange transaction information through their own systems, and the package-level identifier is what makes traceback possible when a suspect product is flagged. That design means data quality at the source — the manufacturer’s print and upload — propagates everywhere a pack goes.

How does the EU’s FMD verification differ?

The EU’s safety-features regime under FMD pairs two physical elements: a unique identifier in a Data Matrix, and an anti-tampering device on the pack. Before release, the manufacturer uploads each serial to the European Medicines Verification System (EMVS), which routes data to national repositories. At dispense, the pharmacy scans the code, checks the seal, and decommissions the serial — meaning that serial cannot be dispensed again (European Commission, n.d.; MHRA, 2019).

The architectural difference matters. EU verification is end-of-chain at supply: the check happens when the pack is handed to the patient (or to a hospital ward), and the repository is the source of truth. DSCSA verification is distributed across the chain: every trading partner is expected to know what they received, from whom, and what they shipped to whom, with the package identifier tying it together. Both regimes converge on the same outcome — a falsified pack should not reach the patient, and a recall should reach every affected unit fast — but they get there through different control points.

DSCSA vs FMD at a glance

| Dimension | US DSCSA | EU FMD safety features |
|---|---|---|
| Required symbology | 2D Data Matrix (plus legacy linear in many cases) | 2D Data Matrix |
| Data fields | GTIN, serial, lot, expiry | Product code, serial, batch, expiry (national code may substitute for GTIN) |
| Verification model | Distributed; trading partners exchange transaction data | Centralised repository (EMVS + national systems) |
| Decommissioning | Implicit, via transaction record | Explicit, at supply to patient |
| Anti-tamper device | Not mandated federally | Mandated alongside the unique identifier |
| Primary failure surface | Data exchange integrity between partners | Repository upload accuracy and seal check |

The table is a planning aid, not a substitute for the underlying regulations. Teams operating in both markets need separate verification SOPs even when the printed pack looks similar.

Which barcode symbology fits which surface?

Two symbology families dominate pharma packaging.

- Linear (1D) barcodes — EAN-13, UPC, Code 128 (GS1-128) — carry short identifiers and scan fast on legacy point-of-sale and warehouse systems. They remain on outer packs and pallet labels (typically as SSCC on a GS1-128) and on retail cartons where tills still expect 1D (GS1 US, n.d.).
- 2D Data Matrix and QR with GS1 Digital Link — carry serialised data in a small footprint that fits the side of a vial or syringe. GS1 Digital Link extends a QR code so a consumer scan can resolve to current product information through a web URL while still carrying GS1 application identifiers underneath (GS1, 2025).

A practical pairing for most pharma packaging briefs:

- Data Matrix at the unit-of-use, carrying GTIN + serial + lot + expiry per DSCSA or FMD.
- GS1-128 or EAN/UPC on outer cartons, pallets, and retail-facing surfaces where 1D scanners still dominate.
- GS1 Digital Link QR when consumer-facing product information is part of the design intent — typically OTC and patient self-administered products.

The choice is constrained by surface size, contrast, and the scanners deployed downstream. Tiny primary containers (a 2 ml vial, a pre-filled syringe) force a compact Data Matrix with a small module size, and the print process has to hold tolerance across glare, curved glass, and high-speed rotation (GS1, 2025). Test on real surfaces, not flat proofs.

How does pharmacy scanning work in practice?

A European pharmacy dispense flow follows a tight loop. Staff scan the Data Matrix. The system queries the national repository through EMVS. The repository confirms the serial is active and not already decommissioned. The system prompts a tamper-seal check. If both pass, the serial state changes to “dispensed” and the pack leaves the pharmacy (European Commission, n.d.; MHRA, 2019). If the scan returns an alert — duplicate serial, already-decommissioned, suspicious pattern — the pack is quarantined under the pharmacy’s deviation procedure.

A US wholesaler scans on receipt to confirm the incoming transaction information matches the physical packs, and again on ship to record outbound movement. A dispenser scans at hand-off. The chain is verifiable backwards by serial when a suspect product notice arrives, with the goal that traceback completes in hours rather than days (FDA, 2021).

What breaks these flows in practice is rarely the scanner. It is one of four things: a stale product master that doesn’t match the printed GTIN, a serial upload that lagged the physical release, a duplicate serial from a numbering mistake, or a print-quality issue that drops scan rates below a workable threshold. Each is a data-discipline problem masquerading as a hardware problem.

What does the data inside the code need to look like?

For both DSCSA and FMD, the minimum payload is the same set:

- Product identifier (GTIN, or a national code mapped to a GTIN).
- Unique serial number.
- Expiry date (ISO 8601).
- Batch or lot number.
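
An added example, not part of the original article: a strict parser for a pack payload carrying these four elements as a GS1 element string, where AI (17) holds the expiry as YYMMDD and a group-separator character ends each variable-length field. The restricted lot/serial alphabet, the 20YY century rule and the sample scan are assumptions of this example.

```python
import calendar
import re
from datetime import date

GS = "\x1d"  # scanners transmit the FNC1 field separator as ASCII 29
# AI -> (name, fixed length or None, allowed content); lot/serial alphabet is an assumption.
AIS = {
    "01": ("gtin", 14, re.compile(r"[0-9]{14}")),
    "17": ("expiry", 6, re.compile(r"[0-9]{6}")),
    "10": ("lot", None, re.compile(r"[A-Za-z0-9./-]{1,20}")),
    "21": ("serial", None, re.compile(r"[A-Za-z0-9./-]{1,20}")),
}

def gtin_check_ok(gtin: str) -> bool:
    """GS1 mod-10 check digit: weights 3,1,3,... starting next to the check digit."""
    total = sum(int(c) * (3 if i % 2 == 0 else 1) for i, c in enumerate(reversed(gtin[:-1])))
    return (10 - total % 10) % 10 == int(gtin[-1])

def expiry_to_iso(yymmdd: str) -> str:
    """AI (17) YYMMDD to ISO 8601 (assumes 20YY); day 00 means last day of the month."""
    year, month, day = 2000 + int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:])
    day = day or calendar.monthrange(year, month)[1]
    return date(year, month, day).isoformat()  # ValueError on an impossible date

def parse_pack_code(raw: str) -> dict:
    """Return gtin, expiry, lot and serial, or raise ValueError on any deviation."""
    data = raw[3:] if raw.startswith("]d2") else raw  # strip symbology identifier
    out, pos = {}, 0
    while pos < len(data):
        ai = data[pos:pos + 2]
        if ai not in AIS:
            raise ValueError(f"unexpected AI {ai!r} at offset {pos}")
        name, fixed_len, pattern = AIS[ai]
        start = pos + 2
        sep = data.find(GS, start)  # variable fields run to the separator or end of data
        end = start + fixed_len if fixed_len else (len(data) if sep == -1 else sep)
        value = data[start:end]
        if name in out or not pattern.fullmatch(value):
            raise ValueError(f"malformed or repeated AI ({ai})")
        out[name] = value
        pos = end + 1 if data[end:end + 1] == GS else end
    if out.keys() != {"gtin", "expiry", "lot", "serial"}:
        raise ValueError("payload must carry GTIN, expiry, lot and serial")
    if not gtin_check_ok(out["gtin"]):
        raise ValueError("GTIN check digit mismatch")
    out["expiry"] = expiry_to_iso(out["expiry"])
    return out

# Constructed sample scan (not real product data).
SAMPLE = "]d2" + "0109506000134352" + "17261200" + "10LOT42A" + GS + "21SN000123"
```

A lot or serial printed without its trailing separator swallows the fields after it, so the parser rejects the scan for missing elements instead of storing a merged value.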

GS1 application identifiers (AIs) define how each element is encoded so a scanner anywhere can parse the string without ambiguity (GS1, 2025). The AI prefix — (01) for GTIN, (21) for serial, (17) for expiry, (10) for lot — is what makes the same payload readable in Boston, Berlin, and Bangalore.

Where projects go wrong is the integration layer between the product master, the print files, and the repository upload. The pattern that holds up to audit:

- One product master, with a named owner in regulatory affairs.
- Print artwork files generated from that master, not maintained separately.
- Repository uploads tied to the same master, with a reconciliation report before each batch release.
- Pre-flight scan verification on every production run before the line moves to packing.

When packs cross borders, expect small differences — local pharmacode formats, additional national strings, or local regulatory codes. Keep those outside the Data Matrix unless local rules force inclusion. The Data Matrix payload should stay globally consistent; local fields belong in human-readable text or separate codes (GS1, 2025).

Where does AI fit, and where does it not?

This is where the GxP boundary matters. A computer-vision system that reads Data Matrix codes on a high-speed line and rejects packs with poor print quality is part of the manufacturing control system — it sits inside GxP scope and needs validation appropriate to its impact on product quality. We cover the validation pathway in GxP regulations explained for AI software in pharma.

An analytics dashboard that aggregates scan-success rates across sites for engineering optimisation is typically not GxP-critical, provided it does not feed back into release decisions. Treating it as if it were GxP-validated over-scopes the compliance effort and slows iteration. The boundary is decision-driven, not technology-driven: what regulated decision does the system’s output influence, and what is the harm if it is wrong?

The same logic applies to model-based detection of falsification patterns. A model that flags suspicious scan sequences for human review is decision-support and lives outside the release path. A model that automatically blocks dispensing without human confirmation crosses into territory where GxP validation, change control, and post-deployment monitoring are non-negotiable. Validation-ready AI for GxP operations in pharma walks through the structural choices.

Practical guidance for getting scan performance right

A few patterns that we see consistently separate barcode programmes that hold up from ones that drift:

- Maintain quiet zones and contrast within GS1 tolerances, and tune ink-substrate combinations for small-module Data Matrix on tough surfaces (GS1, 2025).
- Test scanning in motion with the actual production cameras, optics, and conveyor speeds. Static bench checks hide motion-blur failures.
- Measure scan rates as a KPI, not just stock accuracy. A pharmacy with 99.7% scan-success has a different operational reality than one at 92%, even if both eventually dispense correctly.
- Diagnose false alerts at the root cause — duplicate serials from a numbering error, mis-reads from print quality, wrong GTIN mappings from a master-data drift. Treating false alerts as a workflow nuisance rather than a data-integrity signal is how serial repositories slowly lose trust (MHRA, 2019; FDA, 2021).
- Clean legacy data on ingest. Feeds that bundle site type and country into a single field (the classic “pharmacyunited states” string in old imports) need to be split before they touch the repository or the analytics layer.

Where the standards are heading

GS1’s direction is consolidation around 2D and around GS1 Digital Link as the bridge between a regulated identifier and consumer-facing information (GS1, 2025). A retail “sunrise” for 2D — where general retail scanners read 2D as routinely as they read 1D today — is on the medium-term horizon.
Healthcare moves more slowly because patient risk is higher and validated systems are harder to swap, but the direction is the same: compact 2D codes, richer encoded data, under one global standard.

Large North American payers and providers are also pushing for tighter scan-to-record flows, with fewer transcription steps between the dose and the patient record (CDC, 2023). That ask aligns with the WHO medication-safety direction and the broader pressure on health systems to reduce avoidable harm.

How TechnoLynx can help

We equip pharma, wholesale, and hospital teams with machine-readable workflows that align with both EU FMD safety features and US DSCSA. We deploy vision and barcode pipelines on-premise, tune codes for tough surfaces (small vials, curved glass, high-speed lines), and integrate scan events with the QMS and ERP layers that downstream teams actually use.

Our explainable dashboards surface serial status, scan-quality trends, and recall reach in minutes rather than days. The validation artefacts and change-control documentation come packaged with the system, structured the way QA expects to see them on first pass.

Our approach to the GxP boundary is conservative on the regulated path and proportional everywhere else — we don’t over-scope compliance into systems that don’t influence regulated decisions, and we don’t under-scope the ones that do.

References

- Centers for Disease Control and Prevention (2023) Drug Supply Chain Security Act and 2D vaccine barcodes. Available at: https://www.cdc.gov/vaccines/programs/iis/2d-barcodes/downloads/Drug-Supply-Chain-Security-Act-508.pdf
- European Commission (n.d.) Falsified medicines. Available at: https://health.ec.europa.eu/medicinal-products/falsified-medicines_en
- Food and Drug Administration (2021) Product identifiers under the Drug Supply Chain Security Act: Questions and answers — Guidance for industry. Available at: https://www.fda.gov/media/116304/download
- GS1 (2025) GS1 General Specifications, Version 25.0. Available at: https://www.gs1.org/standards/barcodes-epcrfid-id-keys/gs1-general-specifications
- GS1 US (n.d.) Types of barcodes. Available at: https://www.gs1us.org/upcs-barcodes-prefixes/barcode-types
- Medicines and Healthcare products Regulatory Agency (2019) Falsified Medicines Directive: Safety features. Available at: https://mhrainspectorate.blog.gov.uk/2019/02/08/falsified-medicines-directive-safety-features/
- World Health Organization (2017) Medication Without Harm — Global Patient Safety Challenge. Available at: https://www.who.int/publications/i/item/WHO-HIS-SDS-2017.6