DSCSA Verification and Suspect Product

Last week I wrote about the debate over the number of possible responses to verification requests in any potential solution the industry might adopt to meet the Drug Supply Chain Security Act (DSCSA) (see “DSCSA Red Light Green Light: Verification Responses”).  Today I want to take a closer look at a related issue:  the relationship between verification and suspect product.  Most specifically, does a failed verification automatically force a product into the suspect product category?  The answer might surprise you.

Recall that the DSCSA defines “verification” as determining that the product identifier on a given drug package or homogeneous case corresponds with one that the manufacturer or repackagers affixed to the product (see “Drug Verification: EU Vs US”).  Today, downstream trading partners are required to verify drugs using the lot number and expiration date when they investigate suspect product, and before redistributing saleable returns (see “DSCSA: Saleable Returns Verification”).  Starting on November 27, 2017, when the drug package has a standardized numerical identifier (SNI) on its package—that is, when it is serialized—that SNI must be used for verification.  Even the recent delay in enforcement didn’t change that (see “DSCSA Cascading Delays”).

Suspect product is defined as “…a product for which there is reason to believe it

(A) is potentially counterfeit, diverted, or stolen;

(B) is potentially intentionally adulterated such that the product would result in serious adverse health consequences or death to humans;

(C) is potentially the subject of a fraudulent transaction; or

(D) appears otherwise unfit for distribution such that the product would result in serious adverse health consequences or death to humans.”  From FDA guidance document on Identification of Suspect Product and Notification (see “FDA Finalizes Guidance On Suspect Product”).

The question is, what elevates suspicion of a given drug package to the level of a “reason to believe…”?  That’s one of the main purposes of the FDA’s guidance quoted above.  In fact, there is a section in that document titled “Recommendations on How Trading Partners Might Identify Suspect Product and Determine Whether the Product Is a Suspect Product as Soon as Practicable”.  That section provides non-binding advice on what might elevate a drug to the level of a “reason to believe…” the drug is one of (A) through (D) in the list above. 

Would you be surprised to find that the FDA guidance does NOT list “failed verification” as one of the “reasons to believe…”?  I was.  I would have thought that finding out that the manufacturer (or repackager) of the product did not make a drug that corresponds with the NDC and lot number, or the SNI number on a package would have made a downstream owner of the drug very suspicious that it might be counterfeit.  But in fact, the guidance on suspect product does not mention a failed verification as being a reason to believe that drug is suspect.  What about the DSCSA itself?

To find out, let’s search the DSCSA for the letters “verif” so we find all instances of “verification” and “verify”.  We’ll find the definition of “verify”, and it’s use within the Transaction Statement (TS).  And we also find that when a manufacturer performs a verification upon receiving a request, and verification fails, the manufacturer must treat that product as suspect product [see DSCSA Section 582(b)(4)(C)].  Now we’re getting somewhere. 


The manufacturer or repackager is required to promptly conduct an investigation into every product that fails verification to determine if it is illegitimate.  If they must respond with a “red light” (to use a term from last week’s essay) to the verification request, then they must conduct an investigation to determine if the product is illegitimate.  That’s because, for the manufacturer or a repackager, a failed verification causes the product to cross the threshold into “suspect product”. 

And as we found out in last week’s RxTrace essay, the manufacturer (or repackager) must include the results of that investigation in its response to the original verification request.  The problem is, in those instances, the manufacturer/repackager will not possess the drug that it is required to investigate.  The downstream company who submitted the verification request would possess it.  And, because it does not possess that product, the manufacturer/repackager cannot quarantine it.  They would need to notify the requester to quarantine that product until their investigation is concluded.


What will happen at the downstream company who submitted the verification request?  Downstream trading partners are required to submit a verification request under several scenarios:

  1. When instructed to do so by the FDA;
  2. Before redistributing saleable returns;
  3. As part of an investigation conducted after the company determines a product is “suspect product”.

The vast majority of verification requests submitted to drug manufacturers and repackagers will come from wholesale distributors who are planning to redistribute saleable returns.  Remember, wholesale distributors get a surprisingly large percentage of drugs back from their customers and before they can resell them, the DSCSA requires the wholesaler to “verify” them (see “DSCSA: Saleable Returns Verification”).

What is most surprising, is that the DSCSA does not discuss what the wholesale distributor must do when a verification request fails.  That is, when the manufacturer or repackager replies with a “red light”.  There are no mentions of the wholesale distributor elevating the drug to “suspect product”, or conducting an investigation.  No mention of quarantining the product.  That means that the wholesale distributor could simply toss that drug into the “non-saleable” bin and move on.  Drugs in the “non-saleable” bin are mixed with other drugs and will be sent for destruction, either directly or through the manufacturer or repackager.

Of course, they should cooperate with the investigations that manufacturers and repackagers initiate in response to the failed verifications that they submitted.  So maybe it will be a good idea for them to voluntarily quarantine drugs that fail verification. 


In last week’s essay we explored two different approaches to communicating the results of a verification request.  We looked at an approach with two possible responses, and one with three.  The three responses would be something like “Yes” (verified), “No” (NOT verified), and “It’s complicated”.  In a series of comments I received about that essay, people discussed how few responses are likely to be “No” or “It’s complicated”.  One commenter thought it would be in the order of 0.005% “No” and 0.005% “It’s complicated”. 

In my view, the “No” responses—that is, those that truly fail verification and ought to be treated as “suspect product”—will be significantly lower than 0.005%.  The vast majority of responses that are not “Yes” will be “It’s complicated”.  Remember, “It’s complicated” are things like, recalls, stolen, potential duplicate and “systems are currently down”.  A few of these should also be considered “suspect product”, even though they do not fail the DSCSA verification test.  But odds are, those will be in the minority, within “It’s complicated”.  So, in my view, most non-“Yes” responses will be for drugs that are in recall or “systems are currently down”.  Neither of these are “suspect product” or require an immediate investigation.

In that case, why would anyone want just two responses to verification requests:  “Yes”, “No”?  With only two possible responses, everything I listed above for “It’s complicated” would have to return either “Yes”, or “No”.  As I pointed out last week, the statutory definition of “verify” is very narrow.  With only two possible responses, lots of dangerous conditions would require a “Yes” response, which would cause those products to be re-distributed and be dispensed to patients.

Why not respond “No” for these “It’s complicated” conditions, despite passing the DSCSA verification test?  By responding, and logging, “No” as the response, the manufacturer or repackager would be saying that it failed the DSCSA verification test.  As we saw above, this would require the manufacturer/repackager to elevate the product to “suspect product”, and conduct an investigation.  Records of these investigations must be kept for six years.  Conducting investigations and keeping records of failed verifications and their subsequent investigations for six years for product that was simply in recall or when systems are down is foolish.  Especially when there is an obvious alternative:  just add one or more potential responses to the verification request.  Problem solved.  Confusion eliminated.