DSCSA: Verification Systems Draft Guidance

Verification is an important part of the operation of the Drug Supply Chain Security Act (DSCSA), and from my observation, it isn’t understood very well.  People new to the DSCSA always think “verification” means something beyond what the actual definition is in the law.  Late last week the FDA published new draft guidance describing their current thinking about the “verification systems” that members of the supply chain are required by the DSCSA to have in place.  It’s an important draft because I suspect not many companies have “verification systems” that have the kind of capabilities spelled out by the FDA.  Of course, as usual, it’s only a draft, not for implementation but for comment only.  You have until December 24, 2018 to submit comments for consideration by the FDA as they someday make this guidance final.

Right off the top, the FDA clarifies their interpretation of the term “system” when used by the DSCSA in the phrase “verification systems”:

“…a coordinated body of processes and procedures that forms an organizational scheme.”

Though the draft guidance doesn’t say it explicitly, the term “system” does not necessarily mean a computer system–a common misconception, especially by vendors of those kind of “systems”.

In fact, based on the FDA’s interpretation, the coordinated body of processes and procedures could easily just be a set of Standard Operating Procedures (SOPs) written down in a binder.  It is clear from the recent McKesson DSCSA 483 that these processes and procedures must be written so the FDA and/or state regulators can inspect and evaluate them, but they must also be followed carefully by employees (see “McKesson’s DSCSA 483 Explained”).  I guess that’s true of any mandated SOP, but downstream trading partners in the supply chain might be surprised how much importance the FDA places on that.

That means these SOPs have to exist in the memories of your workers.  Those workers have to know exactly when a DSCSA requirement is triggered and how to respond, referring to the written SOPs only to refresh their memory of the specifics.  You can get in a lot of trouble if they are only written, but nobody follows them at the critical moments.  That means frequent training and retraining must be involved.

You can download a copy of the FDA’s new draft guidance “Verification Systems Under the Drug Supply Chain Security Act for Certain Prescription Drugs” here and submit your comments here.

This new draft guidance is closely related to two earlier FDA guidances that describe DSCSA requirements that you and your workers should already be familiar with:

  1. Final:  Drug Supply Chain Security Act Implementation: Identification of Suspect Product and Notification Guidance for Industry (see “FDA Finalizes Guidance On Suspect Product”);
  2. Draft:  Definitions of Suspect Product and Illegitimate Product for Verification Obligations Under the Drug Supply Chain Security Act Guidance for Industry (see “DSCSA Guidance: Definitions of Suspect and Illegitimate Product for Verification Obligations”).

The verification obligations are spelled out in Sections 582(b)(4) for manufacturers, 582(c)(4) for wholesale distributors, 582(d)(4) for dispensers and 582(e)(4) for repackagers.

Section III of the new draft guidance is broken down into the seven types of “systems” that are required under the DSCSA.  These systems have been required since January 1, 2015 so you are expected to have them right now, including working with Standardized Numerical Identifiers (SNIs) since November last year (see “DSCSA Verification and Suspect Product”).  All but the last two must be deployed by all trading partners in the supply chain (this includes DSCSA manufacturers, repackagers, wholesale distributors and dispensers).  The type of “system” covered in the last section must be deployed by all but dispensers and the type covered in the second to last section must be deployed by manufacturers and repackagers only.  Let’s take a closer look at each type.


Everyone has to have a system in place to recognize when a product is what the DSCSA defines as “suspect product”.  FDA says that these systems must be well-designed to detect and assess suspect product because those determinations are what trigger the quarantine and investigation requirements.  Fortunately we now have a final guidance to help us know how to do that.  See guidance number 1 in my short list above.  Guidance number 2 in that list contains some additional background on your obligations regarding suspect and illegitimate product so incorporate content from both of those document in your “system”.


Everyone must have a system for quarantining any product that is determined to be “suspect”, and for promptly investigating those products to determine if they are illegitimate or not.  If they are not illegitimate, then they can be returned to regular inventory and distributed further.  Quarantine can be accomplished either by physical separation or through electronic means—anything that prevents these packages from being distributed before the investigation is complete.

The guidance provides good recommendations on quarantining and the components of a robust investigation.  At a minimum, an investigation must include confirming the validity of the transaction history (TH) and transaction information (TI) (see “DSCSA: Transaction History” and “DSCSA: Transaction Information”) but should include more.  Of course, you need to keep meticulous records of what you do and who did it, and retain those records for six years.


Companies only need to notify the FDA of cleared suspect products when they were initially asked by the FDA to conduct an investigation into those specific products.  If your trigger to investigate was something other than a request by the FDA, then you do not have to notify them when the investigation finds that the product is not illegitimate.  This is just a way to ensure the FDA can close their records about whatever it was that caused them to ask you to investigate.  Apparently, whenever you do have to notify them of cleared product, you can notify them with an email and the guidance provides the email address and the minimum data that you should include.  Whether you need to notify the FDA of cleared product or not, you still have to keep meticulous records of what you did do, and who did it, for six years.


Notice that the draft guidance has two separate sections to discuss systems for quarantining suspect product and illegitimate product.  That reflects the higher level of public health risk from known illegitimate drugs, and the elevated rigor companies should apply when dealing with them.  And so, for illegitimate drugs, physical separation from normal inventory is recommended by the FDA.

It’s important to review the DSCSA-specific definition of the term “disposition”, because it may not be obvious.  Here is the definition directly from Section 581(4) of the law:

“(4) Disposition.–The term `disposition’, with respect to a product within the possession or control of an entity, means the removal of such product from the pharmaceutical distribution supply chain, which may include disposal or return of the product for disposal or other appropriate handling and other actions, such as retaining a sample of the product for further additional physical examination or laboratory analysis of the product by a manufacturer or regulatory or law enforcement agency.”

Keep this definition in mind as you read the draft guidance and create your “system” to handle the disposition of illegitimate product.

I am thankful that the draft guidance includes additional recommendations from the FDA regarding the retention of samples of illegitimate drugs uncovered in an incoming shipment or in your inventory.  The law requires you to keep “a sample” of illegitimate product for further analysis by the manufacturer or the FDA (or other appropriate Federal or State official).  But the guidance makes that plural, and it says, “Samples should be […] of a sufficient amount, if available, to permit proper laboratory examination by both the manufacturer and FDA or another government agency”!

So how many “samples” should you retain if you are unlucky enough to discover illegitimate product in your possession or control?  More than one package, unless that’s all there is.  And carefully follow the FDA recommendations for handling, labeling and storing the product, including keeping “…a record/log identifying each person who handled the product, identifying the date they handle it, and describing the manner in which they handled it…”.

Remember the McKesson DSCSA 483.


Everyone must have a system in place for notifying the FDA and immediate trading partners when they discover illegitimate product in their possession or control.  Manufacturers must include in their “system” the notification of these entities when they are aware of products that have a high risk of illegitimacy.  This section of the draft guidance mostly just refers you to their earlier guidance document (#1 in the list above), which includes a new section, added during finalization, on notifications related to products that have a high risk of illegitimacy.  Make sure your SOPs were updated after that finalization.


This is a very interesting and important section that is aimed mostly at drug manufacturers and repackagers, but should be read carefully by everyone.  It covers an area that I have written a lot about:  responding to requests for verification (see “Drug Verification: EU Vs US”, “DSCSA: Saleable Returns Verification”, “DSCSA Red Light Green Light: Verification Responses”, “DSCSA Verification and Suspect Product”, “What’s So Hard About Unique Identifier Verification?” and more).

I’m really surprised that the FDA still hasn’t addressed any obligations downstream companies have when they request a verification of a product from the manufacturer and then receive a negative response (a “red light”).  As far as I read the DSCSA and the FDA’s guidance, these companies have no explicit obligations, unless they are notified that an investigation has been initiated by someone else.  Wouldn’t you think they would be obligated to treat these drugs as “suspect” and start an investigation?  Nope.  Theoretically, they could just toss the drugs into the “destruction” bin and be done with them.  Of course, that would be crazy, but I haven’t seen anything in the DSCSA or from the FDA to refute it.

What the DSCSA and FDA guidance appears to say in this situation is that, beginning November 27, 2017, it was the obligation of the drug manufacturer (and next month, repackagers) to immediately initiate a DSCSA “investigation” into these drugs [see Section 582(b)(C) for manufacturers].  The problem is, these suspect products will not be in their possession or control.

Think about what’s happening here.  The manufacturer or repackager was just asked to confirm that a given NDC, serial number, and/or lot and expiration date match one that they placed on the market, but the manufacturer or repackager did not make one like that.  There is no match.  That’s pretty serious and, seems to me, would indicate a high potential of illegitimacy, or simple error, but the manufacturer/repackager doesn’t know which.

Isn’t their best course of action to notify the company requesting the verification that those drugs have a “high risk of illegitimacy” (HROI)?  In fact, according to the DSCSA and this new draft guidance, any “system” conveying a negative response to these requests must be capable of including the HROI indication at the discretion of the manufacturer or repackager.  In that case, the downstream trading partner will be obligated to assist with the investigation and cannot just throw away these packages.

On a related note, the wholesale distributors have been saying they will accept a list of DSCSA unique identifiers in each shipment as a way for them to later fulfill their DSCSA requirement to “verify” each saleable return before they redistribute them (see “DSCSA Serialization: What Wholesalers Expect” and “What’s So Hard About Unique Identifier Verification?”).  But if, when processing a return using such a list, they cannot find any evidence that they ever received that particular unit from the manufacturer or repackager, they had better not throw those units into a “destruction bin”.

The correct action, in my view, would be to submit a request for verification to the manufacturer, whether through the future Verification Router Service (VRS) being developed by the industry, or through other means (see “DSCSA: Saleable Returns Verification”, “First Meeting of the HDA Verification Router Service Task Force” and “DSCSA Red Light Green Light: Verification Responses”).  This will give the manufacturer/repackager the opportunity to confirm that the unit is verified, or suspect, or HROI.  In my view, this new draft guidance document would have been a perfect medium for the FDA to clarify this and perhaps other related implications of this part of the regulation.  We’ll have to wait for the final version to see if they let this opportunity go.


Manufacturers, repackagers and wholesale distributors are pretty well aware that they are required to have systems in place that will allow them to process saleable returns.  This brief section just reiterates those requirements.


This is an important new draft guidance with sections that every member of the supply chain needs to study.  Think about your current “systems” for meeting the DSCSA.  Are they detailed enough to meet the descriptions included in this guidance?  Do they spell out the level of rigor indicated?  Do your employees know when to trigger each of these systems, without needing to refer to the written SOPs?  All I can say is, remember the McKesson DSCSA 483burn it into your memory–and take another look at your systems, before it is too late.