Navigating DSCSA Implementation: Key Requirements & 4 New FDA Guidances

By Madeleine Giaquinto, Manager of Regulatory Affairs, Greenleaf Health, Inc.

In its seventh year of implementation, trading partners involved in manufacturing, distributing, and dispensing prescription drugs in the U.S. (Industry) continue to grapple with requirements of the Drug Supply Chain Security Act (DSCSA), working to set up a fully interoperable electronic system for securing and tracing products across Industry sectors by November 2023. The goal of the DSCSA is to produce a system that enhances national pharmaceutical supply chain security; achieving this goal has required two phases of implementation. In the first phase, traceability requirements at the lot level were implemented beginning in 2015. In the second phase, interoperability requirements allowing for product tracing at the package level are scheduled to become effective in November 2023.

Interoperability requirements involve the exchange of transaction data by authorized trading partners, the ability of trading partners to verify products at the package level, and the maintenance of product tracing processes such that transaction data going back to the manufacturer can be provided upon request.[1] These requirements, as opposed to the traceability requirements, are not clearly defined by the DSCSA and yet are particularly complex due to their electronic interconnectedness across the various Industry sectors.[2] This lack of clarity around the requirements has created concern regarding how Industry can even begin to prepare to meet the requirements in time to meet the 2023 deadline.[3]

On June 3, 2021, the Food and Drug Administration (FDA or Agency) released four key guidance documents aimed at helping Industry sectors understand certain requirements and assist trading partners in becoming DSCSA compliant; these included:[4]

• A final guidance on product identifiers;
• A final guidance on identification and notification of suspect products;
• A revised draft guidance on verification obligations for suspect and illegitimate products; and
• A new draft guidance on the distribution security system attributes necessary for enabling secure product tracing at the package level.

This article first provides an overview of the four key implementation components of the DSCSA and the corresponding FDA guidance to assist trading partners in becoming compliant. The article next takes a deeper look at the four new FDA guidances released on June 3, 2021, as well as the significance of new information provided in each. Lastly, the article discusses Industry challenges and what more is needed before full DSCSA implementation can be achieved.

Key DSCSA Requirements And Corresponding FDA Guidance  

DSCSA has four key requirements: (1) trading partner authorization; (2) product tracing; (3) verification; and (4) product identification (including serialization).[5] Under Section 582 of the Federal Food, Drug, and Cosmetic Act (FD&C Act), these requirements apply to pharmaceutical manufacturers, repackagers, wholesale distributors, third-party logistic providers (3PLs), and dispensers (i.e., pharmacies). Each requirement is briefly reviewed below.[6] 

Trading Partner Authorization

Any trading partner involved in the transfer of prescription drugs “where a change of ownership occurs” must be authorized such that they are appropriately registered or licensed to receive or transfer products.[7] For manufacturers and repackagers, entities must be validly registered with the FDA; this can be confirmed through FDA’s drug establishment current registration site (DECRS) database.

For wholesale distributors and 3PLs, entities must have a valid state or federal licensure; at the state level, this can be confirmed by checking state databases or FDA’s wholesale distributor and 3PL database for self-reported information and respective state licensure.[8] Under the DSCSA, the FDA is required to issue new federal wholesale distributor and 3PL licensure standards in order to eliminate the current patchwork of state standards and enhance supply chain-wide uniformity. While the FDA has acknowledged the importance of these standards in supporting implementation and enhancing supply chain security, it has also acknowledged that it is still working on developing this policy.[9]

An August 2017 FDA guidance lays out the various entity requirements related to trading partner authorization and is intended to help Industry and state governments understand what activities require licensure and annual reporting and provide specific clarifications as to requirements for each trading partner.[10]

Product Tracing

Product tracing requirements involve receiving and providing product tracing data, including transaction history (TH), transaction information (TI), and the transaction statement (TS).[11] Product tracing data must be provided with each transaction (i.e., at the sale of prescription drugs) and only prescription drugs accompanied by the required product tracing data should be accepted or received by trading partners. In the event of a product recall or request to investigate a suspect or illegitimate product, trading partners must respond with product tracing data and, thus, are required to store this information for at least six years. Additionally, products can only be returned to the trading partners from which they were initially received.[12]

Currently, these requirements apply at the lot level, and TI, TS, and TH can be provided in either paper or electronic formats. However, by November 2023, product tracing requirements must apply at the package level and be provided only in electronic format.[13]

There are two FDA guidances related to product tracing standards. A November 2014 guidance establishes standards for interoperable information exchange and provides examples of data exchange methods.[14] A March 2018 guidance also provides information on standardizing TI, TS, and TH, as well as various documentation practices regarding when various product tracing information should be provided.[15]

Verification

Verification requirements under the DSCSA set forth practices for properly handling suspect and illegitimate products.[16] DSCSA requirements with respect to suspect products include investigation and quarantine to determine if they are illegitimate. Investigations of suspect products should include validating relevant transaction information and verifying the lot number and product identifier once a product has been serialized. Once determined to be illegitimate, trading partners must notify the FDA and relevant trading partners (the DSCSA requires notification occur within 24 hours) to ensure products do not reach patients. Additionally, information pertaining to investigations and dispositions of suspect and/or illegitimate products must be kept on record for at least six years.[17]

As will be discussed further below, the FDA recently updated two guidances focused on the identification of suspect products, steps for executing notification, and clarifying suspect and illegitimate product definitions for purposes of establishing trading partners’ verification obligations.[18]

Additionally, an October 2018 guidance provides further information for developing a robust verification system and addresses verification of saleable returns to the package level for product identifiers.[19] 

Product Identifier

Product identifier information includes a National Drug Code (NDC), unique serial number, lot number, and expiration date and must be made available in both human- and machine-readable formats.[20] Manufacturers have been required to encode the smallest saleable units of their products with this information since November 2018. Some drugs are excluded from these requirements or are grandfathered out of the requirements due to preexisting presence in the supply chain. Moreover, waivers, exceptions, or exemptions may also be granted by the Agency, depending on the individual product.[21]

Final FDA guidance on product identifier requirements was also among recently released DSCSA guidances and is discussed more fully below.[22]

Key Updates From Newly Released DSCSA Guidances

The four recently released DSCSA guidances provide further clarity and information in response to public comment and calls from Industry. A description of what’s new to each guidance, along with a brief overview of each, is provided below.

New Draft Guidance: Enhanced Drug Distribution Security at the Package Level Under the DSCSA

Most notably, this new draft guidance sets out the Agency’s decision as to whether data security system architectures should be centralized or distributed, weighing expressed Industry preferences and practices in its support of distributed and semi-distributed models so that trading partners can maintain control over data validation and management. [23]

Overall, the guidance provides information regarding enhanced drug distribution system attributes, product tracing, and verification needed for enabling secure product tracing at the package level. Missing from this guidance, however, are standards for secure, interoperable data exchanges, which the document notes will be addressed in forthcoming guidance.

Final Guidance: Drug Supply Chain Security Act Implementation: Identification of Suspect Product and Notification

New to this final guidance is the Agency’s interpretation of “immediate trading partner” under Section 582, which requires trading partners to notify FDA and certain immediate trading partners that a product in their possession was determined to be illegitimate.[24] While unspecified in its previous iteration, the final guidance explains that immediate trading partners, in this context, are those that the notifier has “reason to believe may have received the illegitimate product.” The guidance also replaces “suspicious” with “questionable” when describing scenarios that could increase the risk of a suspect product entering the supply chain, ensuring that trading partners understand the full context under which suspect products may be found. 

Additionally, the new version of the guidance clarifies that, when investigating a suspect product, trading partners should confer with manufacturers and consider whether the product has been subject to a public alert for quality issues. Lastly, the guidance points out that while notification of a suspect product is not generally required, it is required when a high-risk factor is present.[25] Each of these meant to increase the likelihood that suspect products are identified along distribution supply chains and are investigated for their legitimacy.

Overall, this final guidance provides several examples of heightened risk for suspect products entering the supply chain for the purpose of enhancing identification. The guidance also notes the process for notifying FDA about a product determined to be illegitimate using Form FDA 3911.

Revised Draft Guidance: Definitions of Suspect Product and Illegitimate Product for Verification Obligations Under the DSCSA

New to this revised draft guidance is the FDA’s understanding of what a “stolen” product is, which it says is “any product in its entirety (i.e., the prescription drug and its packaging) that has been taken or removed without permission of the owners of the product.”[26] The revised draft guidance also revises the definition of a product that is “unfit for distribution,” aligning it with language set out in the DSCSA such that it is now interpreted to mean a product that is “reasonably likely to result in serious adverse health consequences or death” based on “a reason to believe or credible evidence.”[27]

Additionally, the new version of the guidance notes scenarios that are unlikely to result in “diverted” products, carving out from the previously stated definition cases in which a product is obtained through a surveillance activity or by a patient outside the U.S. pharmaceutical distribution supply chain, through an FDA regulatory action to address a drug shortage, or where an emergency use authorization is in place. Lastly, the guidance expands the definition of the term “fraudulent transaction” such that it now includes situations where information has been “knowingly” falsified.[28]

Overall, this revised draft guidance defines key terms for determining suspect and illegitimate products for the purpose of assisting trading partners in complying with their verification obligations under the DSCSA.

Final Guidance: Product Identifiers Under the DSCSA Questions and Answers  

New to the final guidance on product identifiers are updates for Industry’s awareness in terms of technical data. [29] Key changes include an explanation of the importance of the NDC to patient safety and a clarification on how to adequately affix multiple bar codes on the label to avoid scanning errors. The new version of the guidance also recommends changes to the expiration data format, such as use of a hyphen or forward slash between day, month, and year, as opposed to a space.[30]

Overall, this guidance provides recommendations for standardizing human- and machine-readable formats of product identifiers and examples of when the product identifier and other information should be included on product packaging.

Industry Implementation Concerns

Industry stakeholders have reported slow uptake in rolling out new data systems that align with the 2023 requirements.[31] As mentioned above, product tracing data (i.e., TI, TS, and TH) exchanged between trading partners and tracked along pharmaceutical supply chains are aimed at achieving the DSCSA’s fully interoperable and electronic traceability function. Manufacturer testing of such data systems is an important step in overcoming technical challenges and ensuring compliant traceability systems will be fully interoperable by November 2023. Notably, a recent Healthcare Distribution Alliance (HDA) panel expressed concern that proactive testing of data systems by some manufacturers is not occurring at needed rates.[32] HDA panelists described this lack of testing as a potential major hurdle to achieving full implementation of applicable requirements on time, explaining that smaller manufacturers are at a higher risk of falling behind on necessary testing.

A November 2020 HDA survey on serialization readiness additionally found that collaboration with trading partners, system governance, variation in DSCSA legal interpretation, and standards are all additional challenges burdening implementation of an interoperable system.[33] The survey explained that understanding of DSCSA requirements across Industry is generally inconsistent and, thus, establishing stronger alignment and understanding across the various sectors will be important to enhancing overall readiness.

That being said, the newly released draft guidance Enhanced Drug Distribution Security at the Package Level Under the DSCSA covers some of the Agency’s expectations for enhanced (interoperable) drug distribution security systems needed for enabling secure product tracing at the package level. However, as discussed above, the FDA still leaves standards for secure, interoperable data exchanges for forthcoming guidance, so Industry will have to wait even longer for the clarification it needs in order to timely implement all of DSCSA’s requirements.[34]

Conclusion

The FDA has stressed that a system for enhancing drug distribution security will need to be robust, yet flexible, and that FDA will leverage a range of coordinated mechanisms, such as standardized data and data exchange, analyses, interoperability, investigations of suspect and illegitimate products, and other compliance guidance documents and enforcement tools.[35] The complexity involved in achieving full implementation of the DSCSA is certain and has been exacerbated in the past year by the COVID-19 pandemic. However, greater understanding around requirements across Industry sectors through additional guidance and communication from FDA will be an important part of breaking down remaining implementation hurdles moving forward.