As the premier regulatory body for ingestible products in the United States, the FDA (Food and Drug Administration) is responsible for safeguarding public health through safety measures, guidance, and regulations. The importance of the FDA’s job cannot be stressed enough, and in the current global health crisis we find ourselves in, this responsibility is even more critical.
The FDA’s annual guidance schedule is often more aspirational than strictly practical, but it does a good job of providing useful insights into which areas the FDA’s CDER (Center for Drug Evaluation and Research) has prioritized for that particular year.
You can find updated lists for the FDA’s guidance for 2021 here. In this article, we’ll focus on the guidance as it relates to the DSCSA (Drug Supply Chain Security Act).
Before we get into the actual guidance for 2021, let’s do a quick recap of the DSCSA and its importance. The DQSA (Drug Quality and Security Act) was put forth by Congress on November 27, 2013. Title 2 of the DQSA was the DSCSA. The Act aimed to streamline the process of drug identification by building an electronic, interoperable system that effectively tracks prescription drugs across the US supply chain.
The main reason for the DSCSA’s creation was to protect consumers from being exposed to counterfeit, stolen, contaminated, or illegal drugs. After full implementation, the DSCSA would also stop harmful drugs from entering the US as well.
The end goal is to establish national licensure standards for both wholesale sellers and third-party logistics partners to create an airtight supply chain.
The DSCSA’s implementation was carried out in distinct phases to make sure everyone was on board. Phase 1 of the DSCSA focused on serialization and traceability, and enforcement began on January 1, 2015.
The timeline of Phase 1 of the DSCSA has three main parts:
- Manufacturers and distributors were required to exchange T3 information about every drug they bought or sold or even kept.
- Building on Part 1, the participants were required to be officially licensed and registered, and protocols for investigating and handling illegal drugs were also implemented. T3 information was also required to be stored for up to six years.
- PIs (Product Identifiers) were introduced and verification at all stages of the process became mandatory.
Most vendors operating legally in the US have already fulfilled all these requirements. The deadline for full implementation of the DSCSA guidelines is November 27, 2023.
The final phase of DSCSA implementation involves effective interoperability. Making sense of such vast amounts of information flowing in at all times through computers is a herculean task; while it may seem simple in theory, executing it is very difficult.
To help the transition, the FDA is strongly committed to creating interoperable technological solutions to solve these problems and to get everything up and running before the deadline two years from the time this article is being written.
New FDA Guidance
Enhanced Drug Distribution Security at the Package Level Under the DSCSA
This guidance is intended by the FDA to help key players in the supply chain with requirements related to advanced drug distribution security at the packaging level.
The guidance clarifies the system requirements laid out in section 582(g)(1) of the FD&C Act while also giving recommendations on the system attributes that will be required for successful long-term operation.
Suppliers have a big responsibility in ensuring the quality of the drugs they distribute is maintained throughout the entire process and they play an important role in protecting the integrity of the pharmaceutical distribution supply chain. Since 2013, the DSCSA guidelines have improved visibility dramatically by using product tracing, product identification, authorization of trading partners, and robust verification as effective tools for the job.
The system should have the following characteristics to promote advanced drug distribution security. They are outlined in detail in section 582(g)(1) of the FD&C Act. A brief summary:
- The exchange of transactional information in a secure manner
- Transaction information that includes data elements of the product identifier
- Package level product verification protocols
- Promptly showing transactional information if and when it is requested by the FDA
- Processes that facilitate the gathering of transactional information when requested by the FDA
- Easy information access for trading partners to accept returned products
Aggregation and Inference
While these specific terms aren’t defined in the DSCSA, they help describe how the requirements laid out will be met.
Aggregation builds a relationship between unique identifiers assigned to packaging containers while inference refers to the practice of utilizing information from one level of packaging to come to a conclusion about a lower level of packaging.
The FDA is aware that many traders aggregate logistical data for all the products they sell. Because of its essential nature, the FDA supports data aggregation. Some examples of this include but are not limited to:
- Packages of the same product that are packed into a homogeneous case: A data file listing the standardized numerical identifier of the case and product should be provided to the trading partner.
- Multiple homogeneous cases of a product on a pallet: A data file exposing the contents of the case provided by the seller to the purchaser.
The option on how to share the data file should be decided by the trading partners in question.
2. Physical Security Features
The FDA has recommendations concerning the security features found on shipping cases as well. This is to help identify when and if a product has been altered in any way.
Some examples of this could be:
- Tamper evident tapes or wraps
- Color shifting inks
- Physical-Chemical Identifiers (PCIDs)
Inference is a common business practice and handling data, processes and products becomes much easier because of it. However, the FDA specifies that trading partners should only use inference upon receiving pallets or homogeneous cases if the security of the unit has not been compromised.
The only exception to this is if a federal agency breaks the packaging seal. In these cases, the product should not be treated as suspect.
Developing enhanced systems across the supply chain is incredibly complex, something the FDA fully recognizes and acknowledges. While most trading partners will have their own systems in place to interpret the data they handle on a daily basis, there should be interoperable integration to allow processes to run smoothly for everyone.
1. Data Architecture
There are many different models that can be used to effectively manage how data is sorted, managed, and integrated. These include:
- A mixture of centralized and distributed
The FDA supports a distributed or a semi-distributed data architecture model as it allows each partner to maintain control over their own data.
2. Adoption of Data and System Security
Appropriate data security protocols should be in place to protect the system from falsification, attacks, and breaches. All participants should consult with widely established standards development organizations to ensure security is upheld.
3. Protecting Confidential Information and Trade Secrets
Confidential commercial information and trade secrets must be protected at all costs. Individual systems should be in place to safeguard such information. The FDA will treat any information provided to them as strictly confidential.
Enhanced Product Tracing
1. Utilizing the Product Identifier in product tracing information
Secure, electronic, interoperable exchange of product information is a top priority for the implementation transition. The FD&C Act requires that the product identifier be included in the transactional information for each product at the packaging level.
The PI must include the:
- Standardized numerical identifier
- Serial number
- Lot number
- Expiration date
The serial number and expiration date are not current requirements, but they must be incorporated into the transaction information starting from November 27, 2023.
2. Sellers should ensure the transaction information accurately reflects the product a purchaser receives
After each transaction, the selling trading partner is legally obligated to provide applicable product tracing information to the new owner. The act of storing and incorporating information related to the transaction into their individual system to be used for product tracing purposes is the responsibility of the seller.
Through the use of barcodes and electronic product tracing information, recording data should be effectively automated. If, for some reason, a seller cannot send tracing information to the purchaser at the same time as the physical product shipment, the information should then be sent in advance.
3. Purchasers should ensure the transactional information they receive from the seller about the product is accurate
Under Section 582 of the FD&C Act, the trading partner purchasing the product should not accept it if the product tracing information is not provided by the seller at or before the time of the transaction.
Like the seller, the purchaser is also obligated to incorporate the tracing information they receive into their own systems to facilitate product tracing if required.
The purchaser should also use electronic data scanners to reconcile the product they receive quickly and efficiently. This process should be repeated both when the purchaser takes the product in and when they send it somewhere else.
Reconciliation mainly involves:
- Checking that the electronic product tracing information provided accurately reflects the contents of the package
- Physically checking the product identifiers for each package and verifying their authenticity
- Physically checking the seals of the case and product
4. Handling aggregation errors and other discrepancies
The FDA expects that all partners participating in the drug supply chain provide product tracing information that is accurate and complete. However, there may be errors in the information provided not necessarily because of a faulty product but because of some oversight or mistake.
If a wholesale seller, dispenser, repackager, or distributor identifies an error in the information provided, then they should resolve the mistake within 3 business days. This may involve contacting the partner they acquired the product from to resolve the issue.
The associated product should not be distributed further until the error has been resolved. If the product is found to indeed be suspect or illegitimate then the steps required for verification, quarantine, and investigation should be followed by the partners involved.
Here are some common aggregation errors:
- Missing products
- Extra products
- Duplicate data
- Missing data
Other errors relating to the information received might be:
- Missing address of the purchasing trading partner in the transaction information
- Wrong address mentioned in the transaction information
- The quantity of the product is missing from the transaction information
These examples are not exhaustive but highlight some common errors that can occur during the process.
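As an added illustration (not part of the FDA guidance or any vendor's product), the sketch below reconciles a seller's aggregation data file for one homogeneous case against the product identifiers scanned on receipt, and reports the four aggregation error classes listed above. The record field names, the `reconcile` and `must_hold` helpers, and all sample values are constructed for this example.

```python
from collections import Counter

# The four PI data elements this article lists.
PI_FIELDS = ("sni", "serial", "lot", "expiry")

def _key(rec):
    # Identify a package by SNI + serial; empty string stands in for an absent value.
    return (rec.get("sni") or "", rec.get("serial") or "")

def reconcile(declared, scanned):
    """Compare the seller's aggregation records for one case with the PIs scanned on receipt."""
    counts = Counter(_key(r) for r in declared)
    declared_keys = set(counts)
    scanned_keys = {_key(r) for r in scanned}
    return {
        "missing_products": sorted(declared_keys - scanned_keys),  # declared, not in the case
        "extra_products": sorted(scanned_keys - declared_keys),    # in the case, not declared
        "duplicate_data": sorted(k for k, n in counts.items() if n > 1),
        "missing_data": [r for r in declared if any(not r.get(f) for f in PI_FIELDS)],
    }

def must_hold(report):
    # Any discrepancy means the product is not distributed further until resolved.
    return any(report.values())

def _pi(serial, lot="LOT-A"):
    # Constructed sample record; all values are made up for illustration.
    return {"sni": "SNI-EXAMPLE", "serial": serial, "lot": lot, "expiry": "2025-01-31"}

# Constructed sample: aggregation data file for one homogeneous case, and the scan at receipt.
DECLARED = [_pi("1001"), _pi("1002"), _pi("1002"), _pi("1003", lot=""), _pi("1004")]
SCANNED = [_pi("1001"), _pi("1002"), _pi("1003"), _pi("1999")]

if __name__ == "__main__":
    report = reconcile(DECLARED, SCANNED)
    for kind, items in report.items():
        print(f"{kind}: {items}")
    print("hold shipment:", must_hold(report))
```

A non-empty report is the trigger for the hold-and-resolve process described in this section, not a finding that the product is suspect.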
5. Steps for resolving aggregation errors
If an error occurs, the next steps should look something like this:
- The purchaser notifies the seller about the problem and asks them to investigate
- The seller and purchaser then work together to resolve the problem
- Once the problem has been resolved, the involved parties should document their undertaking
- The documentation should include the error itself, an explanation of how the error was fixed, the people involved, and the date of its conclusion
- If the product is found to be suspect then the associated guidelines of quarantine, investigation, and disposal should be followed
Gathering Relevant Product Tracing Information
If a product has been identified as suspect or has been recalled by the distributor then all involved parties should have systems in place to promptly respond with the relevant transaction information for the product. This will effectively be the product’s transaction history.
This relevant transactional information should be collected by all the trading partners involved in the distribution of the product being investigated.
From November 27, 2023, all tracing information must be exchanged electronically as required by the FDA. A key component of this change involves incorporating product identifiers to verify the product at the packaging level.
1. Verification of Distributed Products
Upon receiving a request to verify a product, trading partners should utilize processes that help:
- Verify the product down to the package level
- Understand how the request has been made
- Understand how the response to the request is managed and communicated back to the inquirer
2. Verification of Saleable Returnable Products
Having robust identification systems in place will enable trading partners to accept saleable returns of products. Under the enhanced verification system, partners should automate the verification of data provided in the transaction information of the returned product.
3. Alerts for Illegitimate Products
Enhanced verification protocols and practices are essential in improving trading partners’ ability to identify and act upon illegitimate or faulty products before they enter the drug supply chain in the first place.
The FDA expects an alert or a message to be provided to the entire supply chain if a product has been identified for recall or illegitimacy. There will be a separate alert for an illegitimate product and a separate one for a recall.
The responsibility of issuing the alert depends on the nature of the problem. In case of a product recall, the manufacturer or repackager should be responsible for updating the system. If an illegitimate product has been identified, then the trading partner that submits the FDA 3911 Form should be responsible for the alert.
These alerts should surface when the affected product’s information enters any participant’s system and should be handled with the associated protocols required for each individual case.
About the Author: Christian Souza is the Co-Founder of TrackTraceRx