Cutting Through the DSCSA Confusion

How to read the regs to be sure you’re in compliance come December 2018, and how to know which rules will apply to you in different circumstances.

Companies' acting roles under the DSCSA regulations
Companies' acting roles under the DSCSA regulations

The FDA’s June issuance of a draft guidance on product identifier requirements for the Drug Supply Chain Security Act (DSCSA) [available here] has drug manufacturers scratching their heads on how and when to comply.

At a Global Track & Trace event held recently in New Jersey, Gordon Glass, Vice President Consulting, Excellis Health Solutions, updated attendees with key insights and important lenses through which to view and interpret the likely-to-be-postponed regulations.

DSCSA non-enforcement draft guidance

The full compliance policy still hasn’t been published, as it’s going through review as a draft to accept challenges, recommendations and a critique. The primary reason for seeking further guidance dealt with enforcement of DSCSA, specifically with regards to manufacturers applying serialization to products. The deadline for compliance here remains Nov. 27 of 2017, but in the draft the FDA states they will not enforce the manufacturers’ product identifier requirements under the DSCSA for another full year. While this buys some manufacturers, wholesalers, and repackagers some more time, there are different ways to interpret the text as it currently exists.

Consider lines 37-41 of the draft guidance:

“In brief, FDA does not intend to take action against manufacturers who do not affix or imprint a product identifier to each package and homogeneous case of products intended to be introduced in a transaction into commerce before Nov. 26, 2018. This represents a one year delay in enforcement of the requirement for manufacturers to affix or imprint product identifiers.”

What does this mean? Is the date of introduction of the product into commerce the guiding deadline here? The language remains up to interpretation. A less conservative approach might assume that as long as the batch is released before Nov. 27, 2018, then there is no requirement for compliance, even if shipping that product after the deadline. The more conservative approach is to consider each and every product individually. Which begs the question—what does ‘product’ mean… batch, unit of product, or unit of sale? It is written into federal regulations, but there is still room for interpretation. Importantly the draft guidance for DSCSA distinguishes between compliance policy for manufactures from compliance policy for repackagers, wholesale distributors, and dispensers. So as product travels through the supply chain and is repackaged in altered units, it needs to be re-serialized.

“So, for any product that a manufacturer is going to introduce into commerce – if anything happens to it after Nov. 26 2018, such as repackaging, wholesaling, or dispensing on a different unit level, it should be serialized,” Glass said. “Therefore, the more careful and conservative approach is to consider the individual unit of sale as the product.”

DSCSA roles

The roles used throughout DSCSA— Manufactures, wholesalers, repackagers, and dispensaries—aren’t necessarily mutually exclusive. Many companies may be acting in multiple roles at a given time, so it’s key to understand what your role is when and where you perform a certain function.

Consider the following: In some circumstances, a company may manufacturer a product and sell that downstream, making it a manufacturer. But other times, that same company may purchase product from another manufacturer and repackage it in such a way to make it more convenient for downstream partners, making the company a repackager in that circumstance. But perhaps that company only repackaged half that product, and due to lack of demand, decides to avoid keeping inventory of the product or letting it go to waste by selling it straight through to downstream entities. In that case, the company becomes a wholesale distributor. It’s important to understand what a company’s role might be in each one of those circumstances to know which regulation applies to it.

Consider this key repackager requirement with regards to product identifiers from the DSCSA

‘(2) PRODUCT IDENTIFIER.— ‘‘(A) IN GENERAL.—Beginning not later than 5 years after the date of enactment of the Drug Supply Chain Security Act, a repackager described in section 581(16)(A)—‘‘(iv) shall maintain records for not less than 6 years to allow the repackager to associate the product identifier the repackager affixes or imprints with the product identifier assigned by the original manufacturer of the product.

The bolded portion above indicates that if a company acts as a repackager, it will naturally have been purchasing product. That product, if it’s a finished drug product, will be coming in serialized, with a product identifier and serial number on it. If the company then repackages that product, the regulations state that the company must capture the original product identifier on those packages, maintain the information, and associate it with the product identifiers it is putting on its repackaged product.

“This entails capturing the original product identifier on the package, perhaps a Global Trade Item Number (GTIN) or serialized (s)GTIN to initially identify the product as the SNI, capturing that for the product that the company will be consuming (or breaking down for repackaging – once the package is broken, the SNI is broken),” Glass said. “It will then become a new product with new packaging, requiring a new sGTIN.”

How does a company accomplish this? This would require an EPCIS data repository-type model to store the data of the product. In this model, the repackager would create an EPCIS standard “Transformation Event” that captures the “Product Identifiers” (SNI/sGTINs, expiration date and lot) from the consumed drug, “Product Identifiers” from the newly repackaged drug, marry them together and store them for at least 6 years. This data relationship could be accessed by querying the EPCIS repository through a search of any product identifier involved in the transformation; thus, satisfying the DSCSA requirement for records associating repackaged product. The concept of “Transformation Event” was first introduced in EPCIS version 1.1.

Verification component

Verification is key to various aspects of the DSCSA and is seen throughout the regulations regardless of the supply chain role as manufacturer, repackager, wholesaler, or dispenser.

Below is language considering verification of suspect products, returns requirements, and general requests for verification. This bolded area is similar to language you will see throughout the DSCSA. For wholesalers and wholesale distributors, there’s even simpler language.

Consider the Manufacturer Verification Requirements

``(C) Requests for verification.--Beginning 4 years after the date of enactment of the Drug Supply Chain Security Act, upon receiving a request for verification from an authorized repackager, wholesale distributor, or dispenser that is in possession or control of a product such person believes to be manufactured by such manufacturer, a manufacturer shall, not later than 24 hours after receiving the request for verification or in other such reasonable time as determined by the Secretary, based on the circumstances of the request, notify the person making the request whether the product identifier, including the standardized numerical identifier, that is the subject of the request corresponds to the product identifier affixed or imprinted by the manufacturer.

Consider the Wholesaler Verification Requirements

`(II) promptly conduct an investigation in coordination with trading partners, as applicable, to determine whether the product is an illegitimate product, which shall include validating any applicable transaction history and transaction information in the possession of the wholesale distributor and otherwise investigating to determine whether the product is an illegitimate product, and, beginning 6 years after the date of enactment of the Drug Supply Chain Security Act (except as provided pursuant to subsection (a)(5)), verifying the product at the package level, including the standardized numerical identifier.

Consider the Wholesale Distributor Verification Requirements

‘‘(2) PRODUCT IDENTIFIER.—Beginning 6 years after the date of enactment of the Drug Supply Chain Security Act, a wholesale distributor may engage in transactions involving a product only if such product is encoded with a product identifier (except as provided pursuant to subsection (a)(5)).


“Throughout DSCSA, we find similar language linked to product identifiers and standardized numerical identifiers,” Glass said. “The essential point here is that in the case of requiring verification, the verification will always be linked to the product identifier, specifically the serial number, and the Global Trade Item Number (GTIN) and lot and expiry, to make sure what you’re being asked to verify agrees with your records.”

Consider these definitions in DSCSA to better understand relationships between recurring language

‘‘(28) VERIFICATION OR VERIFY.—The term ‘verification’ or ‘verify’ means determining whether the product identifier affixed to, or imprinted upon, a package or homogeneous case corresponds to the standardized numerical identifier or lot number and expiration date assigned to the product by the manufacturer or the repackager, as applicable in accordance with section 582.

‘‘(14) PRODUCT IDENTIFIER.—The term ‘product identifier’ means a standardized graphic that includes, in both human readable form and on a machinereadable data carrier that conforms to the standards developed by a widely recognized international

standards development organization, the standardized numerical identifier, lot

number, and expiration date of the product.

‘‘(20) STANDARDIZED NUMERICAL IDENTIFIER.—The term ‘standardized numerical identifier’ means a set of numbers or characters used to uniquely identify each package or homogenous case that is composed of the National Drug Code that corresponds to the specific product (including the particular package configuration) combined with a unique alphanumeric serial number of up to 20 characters.