CDSCO Track & Trace 2026 — What Pharma Manufacturers Need to Know Before Their Next Audit

India's Central Drugs Standard Control Organisation (CDSCO) has mandated unit-level track & trace for Schedule H prescription medicines. The mandate covers every step of the supply chain — from production line to patient — and requires manufacturers to capture, sign, and submit serialization events in EPCIS format.

Despite this being a multi-year mandate, a significant percentage of Indian pharmaceutical manufacturers are still non-compliant at audit time. The reasons are predictable: over-reliance on consultants who deliver generic configurations, systems that generate events but don't validate against CDSCO requirements, and a fundamental misunderstanding of what "CDSCO compliant" actually means at the data level.

What CDSCO actually requires

The CDSCO track & trace mandate requires manufacturers to:

• Assign a unique SGTIN-96 (Serialized Global Trade Item Number) to every unit of Schedule H medicine
• Aggregate SGTINs into SSCCs (Serial Shipping Container Codes) at case and pallet level
• Capture and submit commissioning events when units are produced and packaged
• Capture and submit shipping events when products leave the manufacturing site
• Maintain a queryable event ledger that CDSCO inspectors can access during audits
• Enable downstream authentication — distributors and pharmacies must be able to verify units

The most common compliance failures at audit

Ratifye's regulatory team has reviewed CDSCO audit findings from dozens of manufacturers. The same failures appear repeatedly:

1. Incorrect application identifier formatting

GS1 application identifiers must be formatted exactly. (17) Expiry date must be YYMMDD — not MMDDYY, not DDMMYY. (01) GTIN must be 14 digits including the leading check digit. Manufacturers whose barcode generation software encodes these incorrectly pass visual inspection but fail digital validation.

2. Commissioning events submitted without aggregation

CDSCO requires that unit-level SGTINs be aggregated to case-level SSCCs at the packaging line. Many manufacturers commission at unit level but fail to submit the aggregation event that links units to cases. Without this, the downstream chain of custody is broken and CDSCO inspectors cannot trace a unit back to its production batch.

3. Event timestamps outside acceptable windows

CDSCO requires commissioning and shipping events to be submitted within defined time windows of the actual production or dispatch event. Systems that batch events daily — or submit retroactively — fail this requirement. Real-time event capture at the line is not optional.

How Ratifye handles CDSCO compliance

Ratifye's CDSCO configuration is pre-mapped — meaning every required application identifier, event schema, and submission format is built into the platform. Manufacturers don't configure CDSCO compliance; they validate against it. Our regulatory team reviews every configuration before a customer switches to production.

The specific things Ratifye handles automatically:

• GS1 application identifier validation at barcode generation — malformed AIs are rejected before print
• Aggregation event capture — case and pallet SSCCs linked to constituent SGTINs in real time
• Real-time EPCIS event submission — no batching, no retroactive filing
• CDSCO-formatted export for audit submission — directly from the dashboard
• Downstream authentication — distributors and pharmacies verify via Ratifye SDK or consumer QR