DSCSA: Why FDA Will Not Mandate Blockchain, EPCIS Or Any Other Specific Technology

There are a lot of discussions going on in the industry right now, over which approach and which technologies the US pharma supply chain should select to meet the 2023 requirements of the Drug Supply Chain Security Act (DSCSA).  People are understandably confused over these discussions.  Why should we guess what the FDA will accept in 2023?  Blockchain?  EPCIS?  Aren’t these debates and discussions just a waste of our time?  Why doesn’t the FDA just tell us which technology they will accept for the DSCSA in 2023?  In fact, these questions have become so common lately that I think it is time to examine what is going on.  There are definitive answers to these questions, and they are contained within the DSCSA itself.

There are a number of things in the DSCSA that many people find surprising—even illogical.  The definition of “verify” is usually on that list.  Unless you read the definition of “Verification, or Verify” contained in the DSCSA, you will assume it means something different.  If you don’t read the DSCSA carefully, odds are, you will assume that companies who receive drugs in the supply chain are required to verify them before they can dispense or sell them to others.  But that’s wrong (see “5 Myths About The DSCSA In 2023”).  In fact, myth number 5 in that essay is exactly the topic we are discussing in this essay, but now we will take a closer look.

In fact, in the interest of providing flexibility, the DSCSA explicitly bars the FDA from adopting any specific business systems for the maintenance and transmission of data.  Here is a pertinent text extract from Section 582(g)(4) “Procedure”, under the Enhanced Drug Distribution Security phase that starts on November 27, 2023:

“…[FDA], in promulgating any regulation pursuant to this section, shall—

  1. provide appropriate flexibility by—

(i) not requiring the adoption of specific business systems for the maintenance and transmission of data;”

Does the phrase “specific business systems” include things like blockchain and GS1’s Electronic Product Code Information Services (EPCIS)?  Or does this phrase just mean that the FDA is not allowed to mandate that everyone use SAP or some other commercial application?  It certainly includes the latter, but I think it may also include the former.

Further, Section 582(h)(4)(A) of the DSCSA requires the FDA to update and finalize the draft guidance identifying standards for data exchange they issued back in 2014.  That finalized guidance must:

“(i) identif[y] and make[] recommendations with respect to the standards necessary for adoption in order to support the secure, interoperable electronic data exchange among the pharmaceutical distribution supply chain that comply with a form and format developed by a widely recognized international standards development organization;

(ii) take[] into consideration standards established pursuant to subsection (a)(2) and section 505D;

(iii) facilitate[] the creation of a uniform process or methodology for product tracing; and

(iv) ensure[] the protection of confidential commercial information and trade secrets.”

GS1’s is a “widely recognized international standards development organization”, and EPCIS is a standard that identifies a “form and format” for use in the interoperable exchange of electronic supply chain data.  That fits perfectly, except EPCIS doesn’t offer any security, so something else would need to provide that necessary element.  Blockchain is just one of many data exchange architectures that could supply that element.

This DSCSA language could give the FDA the ability to mandate EPCIS if they want to, but because of the prohibition on identifying a specific business system, I think the most they will do is what they have already done:  include EPCIS on a list of acceptable standards (see “FDA Publishes Draft Guidance For DSCSA Data Exchange”), leaving it up to the industry to actually “pick” it.  Blockchain is not a standard that is “developed by a widely recognized international standards development organization”, so it will almost certainly not be mandated by the FDA.


There is growing support for potentially using blockchain for some part of DSCSA compliance (see “Blockchain Reigns At GS1 Connect 2017”), but there also appears to be opposition to its use for routine DSCSA data exchange between supply chain entities (see “Blockchain Will Not Be Used For DSCSA Data Exchange”).

What I think this means is that no one should expect the FDA to tell everyone that they must, or must not, use any specific technology for meeting the 2023 requirements.  For this reason, I say, FDA will not mandate blockchain, EPCIS or any other technology for DSCSA.  It will remain up to the industry to make these hard choices and hope everyone in the supply chain follows that chosen approach–absent a mandate (see “A US Medicines Verification Organization (USMVO)?”).

The FDA does not employ heavy-weight IT experts.  That’s not what they do.  The Agency is not qualified to select and mandate IT technologies for meeting the DSCSA, and they recognize that.  This is not a surprise to anyone, except perhaps to those who expect the FDA to establish technology mandates.

But everyone has their own opinion (this is America, after all).  Without the teeth of a mandate, it is unlikely everyone will follow along with the industry-consensus technology–if one is ever established.  That will definitely make some people very happy, but it will likely result in a patchwork of systems and approaches that will never achieve the true interoperability that the DSCSA mandates.  That fate was sealed when the DSCSA was enacted with the current text, and it is in stark contrast to the Falsified Medicines Directive (FMD) in the EU, where the Delegated Regulation mandates a minimal level of technology, including the necessary governance and funding model (see “A US Medicines Verification Organization (USMVO)?”).

Without true interoperability, will DSCSA 2023 ever happen?