Regulators and retailers are converging on the same requirement from different directions: every unit of product should carry its own machine-readable identity. India's Schedule H2 rule already mandates QR codes on the top-300 drug brands; GS1's Sunrise 2027 programme is moving retail point-of-sale worldwide to 2D barcodes. Underneath both sits the same discipline — serialization — and the operational layer built on it, track and trace. This guide explains both in practical terms.

Serialization vs batch coding

Batch coding — what most manufacturers already print — identifies a group: every unit in lot 2024-A17 carries the same code. Serialization goes one level deeper: every unit gets a unique identity, typically a GTIN (the product-level GS1 identifier) plus a serial number unique within it. In GS1 terms that combination is an SGTIN.

The difference sounds small and changes everything. With batch codes you can say "this lot had a problem"; with serials you can say which units of that lot were sold, where each was scanned, which are still in a warehouse and which were already dispensed. Clone detection, unit-level recalls and diversion analytics are all impossible at batch granularity.

The aggregation hierarchy

Nobody scans ten thousand units onto a truck one by one. Serialization scales through aggregation — a parent-child hierarchy recorded at packing time:

  • Unit → serialized QR on each saleable pack
  • Carton → its own identity, linked to the units inside
  • Case / pallet → linked to the cartons inside

Scan one pallet code at dispatch and the system infers the location of every unit inside it. Aggregation also has to survive real operations — cartons get split, units get reworked into new lots, cases get repacked — so the hierarchy must be editable with history, not a one-time snapshot. This parent-child genealogy is what later answers "where did this exact unit travel?"

What a track and trace system records

Serialization gives things names; track and trace records what happens to them. The core event types:

  • Commissioning — an identity is created and bound to a physical unit on the line.
  • Aggregation — units packed into cartons, cartons onto pallets.
  • Shipping / receiving — custody changes between plant, depot, distributor.
  • Decommissioning — the identity is retired: dispensed to a patient, sold, destroyed, returned.

The exchange format that has won is GS1 EPCIS 2.0 — JSON-LD event documents that regulatory verifiers and partner systems ingest natively. If a vendor records events in a proprietary format with no EPCIS export, integration debt is guaranteed. Our supply chain traceability post walks through the consumer-facing side of the same data.

What Indian regulation requires today

Two tracks matter, run by different bodies. Domestically, Schedule H2 of the Drugs Rules (CDSCO) has required QR codes on the top-300 drug brands since August 2023, carrying identifiers like the unique product code, batch, and manufacturing/expiry details — and the mandate expands to vaccines, anti-cancer and narcotic drugs from July 2027 and antimicrobials from July 2028, with GS1 GTINs required. For export-bound pharma, the DGFT's DAVA framework mandates serialization and data upload at primary, secondary and tertiary packaging levels. Outside pharma, no Indian mandate forces serialization yet — but Sunrise 2027 means retail scanners will read 2D codes anyway, which is why FMCG brands are adopting GS1 Digital Link on their own schedule.

Serialization pays beyond compliance

  • Recalls in hours, not weeks — affected units identified by state (on shelf, in transit, dispensed) and flagged in one operation, with the public scan page showing "do not use" immediately.
  • Diversion detection — scan geography compared against distribution assignments exposes grey-market flows.
  • Counterfeit intelligence — every failed or anomalous verification is a data point on where fakes enter your channel.
  • Warranty and engagement — the same unit identity powers paperless warranty registration and a direct consumer touchpoint.

How Qrynto implements it

For readers evaluating platforms, this is Qrynto's implementation of everything above: every unit gets a QR carrying an HMAC-SHA256 signature (copied codes fail verification; new codes cannot be minted); SGTIN-96 EPC URNs are issued when products have GTINs, so the same identities drive RFID; aggregation and lot genealogy track splits, rework and shipments; recalls cascade to every active QR in one transaction; and events export as GS1 EPCIS 2.0 JSON-LD. It's API-first, so ERP and line systems provision identities programmatically. Details on the features page.

Getting started: a short checklist

  1. Inventory SKUs and decide which need GTINs (retail) vs native identities (non-retail).
  2. Pick the print path — inline printing on the line, pre-printed labels, or pre-generated codes delivered to your printer.
  3. Define aggregation points in your actual packing flow (who scans what, where).
  4. Pilot one SKU, one batch, through to a distributor and a recall drill.
  5. Only then scale — with the event data proving the process works.

Frequently asked questions

Is serialization only for pharma?

No — pharma got there first because regulation forced it, but the same mechanics run anti-counterfeiting and recalls in FMCG, automotive parts, electronics, liquor and building materials.

Do we need new printing hardware?

Often not. Existing thermal-transfer and inkjet coders print QR codes; what changes is the data feed — codes now come serialized from the platform instead of being a static artwork element.

We already print batch codes — is that wasted?

No. Batch remains part of the identity; serialization adds the unit-level serial alongside it. Your batch-driven processes (QC, expiry management) keep working unchanged.