[Editor's note: This contains fact-based opinions by the author.]
The Drug Supply Chain Security Act (DSCSA) is a series of escalating deadlines intended to raise the level of security of the U.S. pharma supply chain through transparency. It started with the passage of the law by Congress and the President’s signature on Nov. 27, 2013. For the next 10 years—through 2023—the day of “November 27” serves in most years that a new requirement goes into effect. On that day in 2017 perhaps the biggest requirement went into effect: that was the date mandated for drug manufacturers serving the U.S. market to begin applying the new DSCSA unique identifier to all drug packages and homogeneous cases. The FDA delayed enforcement of that requirement for one year until 2018.
And there were earlier requirements that had previously gone into effect, so as of the fall of 2019, here is where we stand. All non-exempt, non-grandfathered drug packages flowing through the supply chain are now serialized, encoded into a 2D Datamatrix barcode, between the manufacturer and the dispenser. Homogeneous cases of those same drugs are also serialized, encoded into either a set of linear barcodes or a 2D Datamatrix barcode on their label. That includes drugs that pass through a repackaging operation along their way. Manufacturers and repackagers now have systems in place that allow them to respond to requests for verification of the Standardized Numerical Identifiers (SNI’s)—the combination of the National Drug Code (NDC) and the serial number—on each package and each homogeneous case.
All trading partners in the supply chain are licensed by either a State Board of Pharmacy or the FDA and each member of the supply chain may buy and/or sell pharmaceuticals only to others whose licenses are current, which means that everyone is checking the current status of the licenses of their suppliers and their supply chain customers regularly.
Along with each shipment of pharmaceuticals in the supply chain the seller is providing their customers with standardized transaction documents specified by the DSCSA. These include:
A document that describes the current transaction (“Transaction Information”, or “TI”)
Another document that contains all of the TIs for the drugs in the shipment all the way back to the one supplied by the original manufacturer or repackager (“Transaction History”, or “TH”)
A document that contains a set of legal assertions made by the seller about the product, the prior transactions and the documentation that they created and/or received (“Transaction Statement”, or “TS”)
All of this documentation is currently lot-based (that is, no serial numbers need to be included in the documents even though the products leaving manufacturers and repackagers now have serial numbers on them), and must be passed from seller to buyer electronically, at least between manufacturers and wholesalers. Everyone in the supply chain must keep these documents and be able to retrieve them when asked, for six years.
Wholesale distributors are verifying all saleable returns at the lot-level before redistributing them.
Any drug or homogeneous case that falls under someone’s suspicion are being investigated to determine whether or not it is illegitimate. These investigations are being conducted in a timely fashion and records of how they were conducted, and their conclusion, are being recorded carefully, with the records kept for six years. When drugs or homogeneous cases are found to be illegitimate, the FDA is being notified within 24 hours.
Let me reiterate. All of the DSCSA requirements mentioned above are in effect right now, for non-exempt, non-grandfathered drug products in the U.S. supply chain. And thanks to the FDA’s one year of enforcement discretion for the manufacturer’s serialization mandate, things have gone fairly smoothly. I have heard no reports of enforcement action by the FDA against manufacturers or repackagers for missing the serialization deadline, nor have I heard reports of large-scale missing of that deadline. So far, so good.
But now let’s take a look at what is coming up next. On Nov. 27, 2019 the next deadline is scheduled to go into effect. This approaching deadline is mainly aimed at wholesale distributors but it will also impact drug manufacturers and repackagers. The deadline is for wholesale distributors to:
Verify all saleable returns at the SNI-level (that is, using the serial numbers) prior to redistributing them;
Accept returned product from a dispenser or repackager only if they can associate the returned product with the TI and TS associated with that product;
Only engage in transactions that include drug packages and homogeneous cases that have the DSCSA unique identifier (the 2D barcode) on them (unless exempted or grandfathered).
Wholesale distributors have been preparing for this deadline for about four years. They started out doing a number of pilots to test about nine different ways to meet the SNI-based saleable returns verification requirement. Only two were found to be potentially viable. These were:
Manufacturers provide the wholesalers with a list of the package and homogeneous case SNIs for each drug in each shipment, starting nine months before the 2019 deadline, or;
Manufacturers connect to a new cloud-based SNI verification service proposed by the Healthcare Distribution Alliance (HDA), called the Verification Router Service, or VRS, starting on or before the 2019 deadline.
It appears that many manufacturers—though not all—are choosing the VRS approach. Those that are choosing to send the list of SNIs with each shipment should have begun doing so back in the first quarter of 2019. It remains to be seen whether either approach—as implemented—will satisfy the FDA as fulfilling the requirements of the DSCSA. There are skeptics of the current implementations of both approaches.
There also remain some manufacturers who claim that they do not intend to verify any drug package when requested, whether the request conforms to the DSCSA requirements or not. They cite security reasons, despite their obligation under the DSCSA to provide an affirmative response when appropriate. Not surprisingly, the FDA has so far declined to give their opinion on this part of the DSCSA. In the past, the FDA has “spoken” their opinion about DSCSA interpretations, at least once, through a 483 notice of “inspectional observations” when they disagreed with an approach that was known as an approach taken by the whole industry. The result is, one company pays the price, but everyone else gets to read their detailed formal opinion and should quickly change their approach to avoid a 483 of their own. There are multiple issues with saleable returns verification that are ripe for one or more FDA 483 actions over the next year.
What is coming after this year?
The next big deadline is for dispensers on Nov. 27, 2020. On that day, dispensers must begin engaging only in transactions that include drug packages and homogeneous cases that have the DSCSA unique identifier (the 2D barcode) on them (unless exempted or grandfathered). It’s a bit of a ghost requirement because between this November and next November, no manufacturer or wholesale distributor is allowed to sell dispensers non-exempt, non-grandfathered drug packages or homogeneous cases without the DSCSA unique identifier on them, so there is almost no way they can buy them during that time (only transfers from other dispensers).
After that, the next big deadline will be the last one. Nov. 27, 2023 is the big date when the entire supply chain must transform into, what the DSCSA calls, the Enhanced Drug Distribution Security (EDDS) phase. On that date, the following requirements take effect:
The TH document is no longer required with each shipment;
Everyone must be able to promptly respond with the TI and TS for drugs when requested by the FDA other appropriate Federal or State agency;
Everyone must be able to promptly facilitate gathering the information necessary to produce the TI for each transaction for a given drug package going back to the manufacturer, whether the request comes from the FDA, an appropriate Federal or State agency, or an authorized trading partner;
How will these requirements be met in an way that is interoperable throughout the supply chain? No one knows yet. In fact, it is unknowable yet. The DSCSA requires the FDA to establish one or more pilot projects and work with the industry to figure out how this will be accomplished. Until then, companies cannot implement anything without fear of wasting their investments.
In fact, the FDA initiated a program to collect the results of industry pilots earlier this year. The final reports of these pilots are due sometime in the next few months. Because of the way the program is designed, there will be no conclusive decisions that come from the pilots themselves, and there is no consensus for how those necessary decisions will be made between now and 2023.
Fortunately, the Pharmaceutical Distribution Security Alliance (PDSA) has recognized this problem and has kickstarted a new, independent, non-profit organization whose charter will be to help facilitate the industry, working with the FDA to make those decisions. That new organization will begin operating in the next few months. Watch for updates on its progress.
Companies in the U.S. pharmaceutical supply chain are in the middle of a 10-year long process of meeting the escalating requirements of the DSCSA. Some difficult and costly requirements are behind us, but the most complex requirements are coming in the near future. Stay tuned as we track the progress of the industry through to the final milestone in 2023.