Most Companies Will Do DSCSA Verification Wrong

A lot has been written about the concept of “verification”, here in RxTrace and elsewhere.  It’s all good, but I still don’t think the critical point has been made yet by anyone—including me (see “What’s So Hard About Unique Identifier Verification?”)—and until it is, companies are going to do it wrong.  Less than an hour after I posted my essay last Wednesday (see “GS1’s Messaging Standard For Verification Of Product Identifiers”) I received an email from a subscriber who had questions about it, the essay was referenced in a post on LinkedIn by a reader in Europe, and I found a great link to a brand new essay about verification by Scott Pugh that had just been posted about the same time.  So here is my new take on why most companies are going to get it wrong.

Let’s start with the question raised in the email I received from that subscriber, who happens to work for a wholesale distributor.  He said he has heard from several of their suppliers that they do not plan to respond to some verification requests because they cannot be sure the product in question is actually theirs and not a counterfeit.  The question the subscriber asked was, “have you heard that argument before?”  Sadly, I have, and Scott’s essay discusses a version of this issue (see also “Does the DSCSA Have A ‘Spirit’”).  And because of the construction of GS1’s first pass at their verification messaging standard, companies will be misled.

Like Scott, I believe companies need to go beyond the letter of the DSCSA, but more important than anything else, they need to meet the letter of the DSCSA.  That is, they must respond to every request for verification received from legitimate participants in the pharma supply chain, whether they sold the units in question directly to the requester or not.

The problem is, too many companies are using their own idea of what the word “verification” means, rather than the statutory definition in the DSCSA itself.  A DSCSA verification request does NOT mean “please verify that you made the unit I have in my hand”.  It does not mean “Is this unit OK to sell?”.  It does not mean “Can you verify that this unit is not counterfeit?”.  These misinterpretations are only natural, because the DSCSA definition of “verification” is so different from what anyone would assume if they were just asked to verify something.  To really understand exactly how you are expected to respond to DSCSA “requests for verification” you have to keep the specific DSCSA definition of “verification” in mind.  Clearly, that’s hard to do.  So here it is again:

“(28) VERIFICATION OR VERIFY.—

The term ‘verification’ or ‘verify’ means determining whether the product identifier affixed to, or imprinted upon, a package or homogeneous case corresponds to the standardized numerical identifier or lot number and expiration date assigned to the product by the manufacturer or the repackager, as applicable in accordance with section 582.”  DSCSA Section 581(28).

All you are expected to do when you receive a verification request is to respond whether or not the product identifier provided in the request “corresponds” to one that you assigned to that product.  Obviously the product might be counterfeit, stolen, tampered with, dispensed and then refilled with counterfeit product, or any other creative things criminals might do with it.  When you respond “Yes”, you are not guaranteeing that the unit in the hands of the requester is still the one you made.  All you are saying is, “Yes, we made one like that and introduced it into commerce”.  The DSCSA does not expect any more than that from “verification”.  Will the FDA expect more?  Read on.

It is the responsibility of the current owner of the product (the requester) to determine if the product might be “suspect”, even if they receive a “yes” response from their verification request to you.  Everyone—particularly downstream trading partners who submit requests for verification—should become familiar with the contents of FDA’s draft guidance on verification systems under the DSCSA, published last October (see “DSCSA: Verification Systems Draft Guidance”). 

Clearly GS1 and those from the industry who participated in the design of the new GS1 verification messaging standard did not read that guidance closely enough (see “GS1’s Messaging Standard For Verification Of Product Identifiers”).  If they had, then the standard would have included the ability for manufacturers who use it to respond with why they believe the product may be illegitimate, if they do, and that the requested product has a “high risk of illegitimacy”, whenever it does.  From that draft guidance under section III.F, “System for Responding to Requests for Verification”:

“…If the manufacturer or repackager has reason to believe that the product is illegitimate, it must indicate as much in its response to the request for verification from a trading partner, and should inform them why they believe the product may be illegitimate. [see DSCSA Sections 582(b)(4)(C) and (e)(4)(C)]…”

“In addition, section III.E [in the draft guidance] describes the recommendation for a system to notify FDA and other trading partners when an illegitimate product is found (and, for manufacturers, when products with a high risk of illegitimacy are found).”  [underlines added for emphasis.]

According to this draft guidance, there appear to be multiple things that the response to “requests for verification” must be capable of conveying:

  1. Verification (does the product identifier correspond to one that was applied to a product like the one in the request, yes or no);
  2. If the manufacturer/repackager believes the product is illegitimate,
    1. an indicator of that belief, and
    2. WHY they believe that;
  3. If the manufacturer/repackager believes the product has a high risk of illegitimacy, an indicator of that.

Notice that “verification”, as defined in the DSCSA is different from “illegitimate”.  An illegitimate drug can easily be “verified”.  And so, all of these are valid responses (!):

  • Yes, this product is verified, but it is illegitimate because it was stolen.
  • Yes, this product is verified, but it is illegitimate because it has been destroyed.
  • Yes, this product is verified, but it is illegitimate because it has previously been dispensed.
  • Yes, this product is verified, but it has a high risk of illegitimacy.
  • No, this product is not verified.

Unfortunately, the only one of these three things GS1’s new messaging standard is currently capable of conveying is #1 above.
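To make the distinction concrete, here is a sketch of a responder that keeps “verified” separate from the two illegitimacy indicators listed above. It is an added example, not part of the original essay and not the GS1 message format. The class names, field names, registry layout and sample records are all hypothetical, and it assumes a request matches only when the SNI, lot number and expiration date all agree with what was assigned.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Unit:
    """What the manufacturer recorded for one serialized unit (hypothetical)."""
    lot: str
    expiry: str                                 # YYMMDD, constructed value
    illegitimate_reason: Optional[str] = None   # e.g. "it was stolen"
    high_risk: bool = False

@dataclass(frozen=True)
class Response:
    verified: bool                  # item 1: identifier corresponds, yes or no
    illegitimate: bool = False      # item 2.1: indicator of that belief
    reason: Optional[str] = None    # item 2.2: why
    high_risk: bool = False         # item 3: high risk of illegitimacy

# Constructed sample records, keyed by SNI.
REGISTRY = {
    "SNI-0001": Unit("LOT42", "261231"),
    "SNI-0002": Unit("LOT42", "261231", illegitimate_reason="it was stolen"),
    "SNI-0003": Unit("LOT43", "270630", high_risk=True),
}

def respond(sni, lot, expiry, registry=REGISTRY):
    """Always answer; 'verified' only says the identifier matches one assigned."""
    unit = registry.get(sni)
    if unit is None or (unit.lot, unit.expiry) != (lot, expiry):
        return Response(verified=False)
    return Response(True, unit.illegitimate_reason is not None,
                    unit.illegitimate_reason, unit.high_risk)

def yes_no_only(resp):
    """What a message limited to item 1 can carry: the warning is lost."""
    return resp.verified

def describe(resp):
    if not resp.verified:
        return "No, this product is not verified."
    if resp.illegitimate:
        return ("Yes, this product is verified, but it is illegitimate "
                f"because {resp.reason}.")
    if resp.high_risk:
        return "Yes, this product is verified, but it has a high risk of illegitimacy."
    return "Yes, this product is verified."
```

For the stolen unit, `yes_no_only` returns the same `True` as for a clean unit, which is the information a requester loses when the response can carry only item 1.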

We keep talking about the need for systems for verification to meet the November 27, 2019 requirement for wholesale distributors to verify saleable returns using the Standardized Numerical Identifier (SNI), but the systems for responding to requests for verification using SNIs were required of manufacturers and repackagers as of last November 27.  Right!  You are already expected to be able to do all of the above…within 24 hours.  All the wholesalers are demanding is that you be able to do it within a fraction of a second by next November 27.  Other than the accelerated timing, their expectations are no different than what the FDA expects you to do today.

I’ll say it again.  Most companies will do DSCSA verification wrong.

Dirk.