News
June 9, 2021

FDA Releases Guidance on the Drug Supply Chain Security Act

Advisory

On June 3, 2021, the US Food and Drug Administration (FDA) released one new draft guidance, two final guidances, and a revised draft guidance document regarding the Drug Supply Chain Security Act (DSCSA). The released DSCSA guidances are:

Collectively, these documents provide new and enhanced guidance to the biopharmaceutical industry to help ensure that prescription drugs are identified, serialized and traced as they move through the US supply chain.

Draft Guidance: Enhanced Drug Distribution Security at the Package Level

The DSCSA requires all trading partners in the US pharmaceutical distribution channel to adopt and implement systems, policies, procedures, and processes to enable the secure tracing of product at the package level, including allowing for the use of product verification. FDA’s Draft Guidance on Enhanced Drug Distribution Security provides recommendations for industry on the “enhanced system” attributes necessary for such tracing, including use of interoperable, electronic, package-level tracing systems and process, which may include inference and aggregation tools as necessary. The DSCSA requires trading partners to adopt and implement such interoperable and enhanced systems by November 27, 2023.

  • System Attributes: FDA notes that enhanced system attributes should include systems and processes to: 1) exchange transaction information and transaction statements in a “secure, interoperable, electronic manner”; 2) receive or pass transaction information that includes all product identifier data elements at the package level; 3) verify product at the package level; 4) promptly gather transaction information to respond to FDA, government agency, or other trading partner requests in the event of a recall or to investigate a suspect or illegitimate product; and 5) associate a saleable return with its applicable transaction information and transaction statement to allow a trading partner to accept a returned product.1
  • Aggregation and Inference: The DSCSA uses the terms “aggregation” and “inference” in describing how enhanced system requirements could be met by creating a connection between packages used for transport and the serialized drugs in that packaging, but does not define these terms. As such, FDA proposed to define the terms as follows:
  • Physical Security Features: FDA recommended that industry use physical security features on shipping units (e.g., homogenous cases or pallets) to help indicate when product may have been tampered with, previously unsealed, or damaged. Examples of physical security features FDA noted include, but are not limited to: 1) tamper-evident tape or wrap; 2) color-shifting inks; 3) holograms; and 4) anticounterfeiting technologies like physical-chemical identifiers (PCIDs) in solid oral dosage forms of products. FDA notes that if a trading partner determines that “the integrity of the shipping unit has been compromised, the trading partner should treat the product contained within as suspect”2 (e.g., credible evidence the product is misbranded, adulterated, unfit for distribution, stolen, diverted, etc.).
  • System Structure: While FDA recognized that “each trading partner should have its own individual validated system and process for managing its product and data, FDA recommends that the enhanced system enable the interoperable integration of such individual systems to the degree necessary to allow appropriate access, efficient information sharing, and data security.”3 This includes enhanced systems that can communicate with FDA, other federal and state officials, and authorized trading partners.
  • Incorporation of Product Identifier in Product Tracing Information: Starting November 27, 2023, authorized trading partners must begin to include the product identifier information in the transaction information. FDA explained that trading partners should “use steps and technical functions to enhance security that accommodate the inclusion of” each element of the product identifier (e.g., serial number, expiration date, lot number, etc.).
    • Selling Trading Partners: FDA explained that selling trading partners should develop and use processes that automate the recording and transmission of the electronic data in the transaction information (e.g., product identifier) and transaction statement associated with the product physically shipped to the purchasing trading partner
    • Purchasing Trading Partners: Likewise, FDA recommends that purchasing trading partners develop and use processes that “automate the reconciliation of the associated electronic data in the transaction information and transaction statement with the product received.” Further, FDA recommends that purchasing trading partners “undertake reconciliation upon physical receipt of the product and then before selling the product to help confirm the veracity of the inbound and outbound transaction.”4
  • Handling Aggregation Errors and Other Discrepancies: FDA explained that if a wholesale distributor, dispenser or repackager purchases product and identifies a potential clerical error or other discrepancy in the product tracing information it received, that trading partner should resolve the error or discrepancy within three business days.5 This may include contacting the trading partner to provide product tracing information to resolve the issue. FDA recommends that the products involved “not be sold to the next trading partner until the error or discrepancy has been resolved.” If the error or discrepancy cannot be resolved and the product is determined to be suspect or illegitimate product, the trading partners must follow the applicable steps for product verification, and if applicable, quarantine and investigation. Examples of potential clerical errors or discrepancies include, but are not limited to:
    • Missing Product: (e.g., tracing information reflects 10 bottles, but purchaser only received 9 bottles).
    • Extra Product: (e.g., tracing information reflects 10 bottles, but purchaser received 12 bottles).
    • Duplicate Data: (e.g., tracing information contains the same information twice (i.e., product listed twice)).6
    • Missing Data: (e.g., product identifier for homogenous case missing).
    • Address Information: (e.g., transaction information is missing or misstates address of purchaser).
    • Quantity Information: (e.g., transaction information is missing the quantity of product, but purchaser received the quantity of product that it ordered).

    FDA recommends that trading partners notify each other of such aggregation errors or discrepancies to determine the reason for the error, “work together to promptly resolve the error”, and “document that they resolved the error through current business practices,” including: 1) the nature of the error; 2) a description of how the error was resolved; 3) the names of the persons involved; and 4) the date of the resolution.7 FDA explains that trading partners could resolve errors by providing new and revised product tracing information or new tracing information for any extra product received.

  • Gathering Product Tracing Information: The draft guidance recommends that trading partner systems and processes be able to collect transaction information and transaction statements “in a rapid, electronic manner from all trading partners” regarding a potential recall or suspect/illegitimate product investigation. FDA states that it could “initiate a single, targeted request for information to trading partners via the enhanced system,” including use of a “third party to securely manage such requests.”8 FDA recommends that authorized trading partners “respond within 1 business day” of receiving such requests.
  • Enhanced Product Verification: FDA recommends that trading partners adopt processes to automate the verification of product down to the package level, including how the request is made (e.g., reading the 2D data matrix barcode to initiate the request) and how the response to the request is managed and communicated back to the inquirer. Such systems and processes should also address verification of saleable returned product. Based on industry pilots managed by FDA, the draft guidance recommends that trading partners provide a response to a verification request “within 1 minute of receipt of the request.”9
  • Illegitimate Product Alerts: The draft guidance recommends that trading partners ensure enhanced systems provide a message or alert to the supply chain for: 1) recalls; and 2) illegitimate product. FDA recommended that trading partners implement systems and processes that can associate the alert with the affected product identifier (e.g., the alert is “retrieved when a trading partner scans the product identifier upon receipt or as the product is being processed for sale or shipment”), including when it is part of aggregated data.10

 

Final Guidance: Product Identifiers: Questions and Answers

The DSCSA requires manufacturers and repackagers to affix to each package and homogenous case of product intended to be introduced in a transaction into commerce the National Drug Code (NDC), unique serial number, lot number, and expiration date in both human- and machine-readable formats. FDA recommends that the human-readable portion of the product identifier appear in the following format:

                        NDC: [insert product’s NDC]

                        SERIAL: [insert product’s serial number]

                        LOT: [insert product’s lot number]

                        EXP: [insert product’s expiration date]

FDA’s Final Guidance on Product Identifiers includes new recommendations to industry regarding how to display each of these elements on a product label or package, and explains that each element of the human-readable information “may appear at a different location on the drug package label than the other elements” “[i]f necessitated by space.”[[N:FDA, Final Guidance on Product Identifiers Under the Drug Supply Chain Security Act - Questions and Answers: at 8 (Jun. 2021)(hereafter “Product Identifier Guidance”).  FDA “recognize[d] that space limitations may necessitate placement of elements of the human-readable portion of the product identifier in a different order or location on the drug package label” than FDA recommended. Id.]]

  • NDC: FDA recommends that the NDC be displayed in its 3-segment format, such that the segments identify, respectively, the labeler, product, and package size and type.11
  • Serial Number: The DSCSA requires manufacturers and repackagers to include a serial number that “shall be comprised of up to 20 alphanumeric characters.”12
  • Lot Number: FDA acknowledged common abbreviations that could be used for “lot number” and acknowledged that lot numbers “may contain letters and numbers, as determined by the manufacturer or repackager.”13
  • Expiration Date: FDA previously recommended that the expiration date include year, month, and day in YYYY-MM-DD format. FDA added that if an expiration date includes only a year and month “due to space limitations, FDA considers the drug’s actual expiration date to be the last calendar day of the month that is included in the human-readable expiration date on the drug package label.”14
  • GSI GTIN: The Final Guidance reiterated its recommendation “against using the [GSI Global Trade Identification Number (GTIN)] in place of a separate NDC in the human-readable portion of the product identifier.” FDA explained that the GTIN format “contains additional digits and does not present the NDC in its traditional 3-segment format,” which “would obscure ready identification of the NDC by human readers.”15
  • Location of 2D data matrix barcode: FDA recommended that in “situations where multiple barcodes are affixed to, or imprinted upon, a package, each barcode should be surrounded by sufficient blank space to avoid confusion and ensure that the barcode can be scanned correctly” (e.g., placing the 2D data matrix barcode on one side of the package and the linear barcode on the opposite side to help prevent individuals from accidently scanning the wrong barcode).
  • Package Size for Product Identifier: FDA clarified that manufacturers and repackagers should apply a product identifier to individual product units “if it is reasonably foreseeable that a wholesale distributor might sell individual product units to a dispenser.”16

 

Final Guidance: Identification of Suspect Product and Notification

FDA also finalized an earlier December 2016 draft guidance with this title, addressing how trading partners can identify a suspect product, notify FDA, and terminate the notifications in consultation with FDA.17 The DSCSA requires trading partners, upon determining that a product in their possession or control is illegitimate, to notify FDA and all immediate trading partners (that they have reason to believe may have received the illegitimate product) not later than 24 hours after making the determination. FDA made several changes in finalizing the earlier draft guidance, including finalizing a section for manufacturers on suspect products that pose a high risk of illegitimacy notifications that had been previously distributed for comment only.

  • High Risk of Illegitimacy: Under the final guidance, FDA interpreted the DSCSA to require manufacturers to notify FDA and the manufacturer’s immediate trading partners where at least one of three high risk factors are present.
    • Within 24 hours after determining or being notified by FDA or a trading partner that there is high risk that a product is an illegitimate product in an immediate trading partner’s possession.
    • Within 24 hours after determining or being notified by FDA or a trading partner that there is a specific high risk that could increase the likelihood that illegitimate product will enter the US pharmaceutical distribution supply chain.
    • Within 24 hours after determining or being notified by FDA or a trading partner that there is an “other high risk” as determined by FDA.

    In the finalized guidance, FDA continues to maintain the language surrounding each of these three circumstances, as well as detailing examples for each of these scenarios, as provided in the December 2016 draft guidance for prior comment.18

  • Clarification to the Binding Effect of the Process by Which Trading Partners Must Terminate Notification in Consultation with FDA: FDA made revisions to the introduction of this guidance, providing clarification that while FDA guidance typically do not have the same force and effect of law, the DSCSA granted a specific authorization to FDA to implement the process for terminating notifications of illegitimate product in consultation with FDA. The final guidance indicates that this specific section of the guidance is therefore not subject to the usual guidance practice, and such binding effect is indicated by the usage of the words, “must, shall, or required.”19
  • Revisions to Use the Term “Questionable”: FDA made revisions through the guidance to utilize the term “questionable” over the prior term “suspicious” where referencing observations connected to potentially suspect product.
  • Additional Clarification as to the Role of a Trading Partner: FDA made additional clarifications as to the role and responsibility of a trading partner, noting that FDA expects that a trading partner would notify those to whom a trading partner sold the drugs, and in some cases, from who a trading partner purchased the drugs, in fulfilling the DSCSA requirement.20 FDA also noted that a trading partner should consult with the manufacturer when conducting any investigation of a suspect product, as a manufacturer is usually best able to assess the authenticity and quality of the product.21
  • Cross-Referencing FDA Resources: FDA also made revisions to the guidance to include cross-references to other FDA resources, including the draft guidance on the Definition of Suspect Product and Illegitimate Product for Verification Obligations Under the Drug Supply Chain Security Act,22 as well as contact information for CDER’s Division of Supply Chain Integrity for other supply chain issues.23

Revised Draft Guidance: Definitions of Suspect Product and Illegitimate Product for Verification Obligations Under the DSCSA

FDA revised its prior draft guidance on suspect and illegitimate product verification obligations, clarifying certain points from its earlier March 2018 draft, and adding a new definition of the term, “stolen.”

  • Definition of the Term “Stolen”: FDA defines stolen, as it relates to a package of products to refer to:
    • Any product that has been taken or removed without permission of the owner of the product;
    • Any packaging of a product that has been taken or removed without the permission of the owner;
    • Any prescription drug that has been taken or removed without permission of the owner of the product; or
    • Any prescription drug and/or its packaging, in physical custody of a trading partner, that is missing all or any portion of the drug as a result of the drug being taken or removed without permission of the owner.24
  • Clarifications Regarding the Definition of “Unfit for Distribution”: FDA supplemented the definition of “unfit for distribution” to include circumstances where “there is a reason to believe or credible evidence shows that the product would be reasonably likely to result in serious adverse health consequences or death to humans.” FDA also clarified that “unfit for distribution” does not include product: 1) that is awaiting reverse distribution and processing and will not be distributed to patients; 2) undergoing a suspect or illegitimate investigation; or 3) that has been granted a waiver, exception, or exemption, or grandfathered products.25
  • Clarifications Related to the Definition of “Diversion”: FDA clarified that it would not consider a product to be diverted if a trading partner obtains the drug product as a result of an FDA regulatory action to address a drug shortage, or where an Emergency Use Authorization (EUA) has been issued. FDA also introduced usage of the term “pharmaceutical distribution supply chain” to refer to what had previously been referenced as the “prescription drug distribution system.”26
  • Clarifications Related to the Definition of “Fraudulent Transaction”: FDA clarified that a fraudulent transaction would include circumstances in which a transaction statement contains “information knowingly falsified by a trading partner who has provided or received the information.”27

*          *          *

These DSCSA guidance documents, the first issued under the Biden Administration, reflect FDA’s ongoing efforts to implement the DSCSA, including the enhanced interoperable systems required by trading partners by November 2023. Industry and stakeholders should consider assessing current policies, procedures, systems and processes to analyze potential implications by these new, revised and finalized documents.

*Nathan Shiu contributed to this Advisory. Mr. Shiu is a graduate of the University of California at Los Angeles (UCLA) School of Law and is employed at Arnold & Porter's Washington, DC office. Mr. Shiu is admitted only in Maryland. He is not admitted to the practice of law in Washington, DC.

© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. FDA, Draft Guidance on Enhanced Drug Distribution Security (Jun. 2021) at 2-3 (hereafter “Enhanced Distribution Guidance”).

  2. Id.

  3. Id. at 5-6.

  4. Id. at 9.

  5. Id.

  6. FDA notes that if there are “duplicate serial numbers {} listed for two packages of product{,} this scenario would be considered as suspect”). Id. at 10.

  7.  Id. at 10-11.

  8. Id. at 11.

  9. Id. at 12.

  10. Id. at 13.

  11. FDA explained that the NDC may appear at a different location on the drug package label than the other elements of the human-readable portion of the product identifier “if necessitated by space.”  FDA stated that it “is aware that it is common practice for the product’s NDC to be affixed or imprinted on the principal display panel.”

  12. FDA explained that industry can use the following abbreviations for “serial number”: 1) Serial; 2) Serial No.; 3) Ser. No.; or 4) S/N.

  13. Abbreviations could include: 1) Lot; 2) Lot No.; 3) LOT.

  14. Product Identifier Guidance at 10.  FDA noted that industry can use the following abbreviations: 1) EXP.; 2) EXP; 3) EXPIRY; 4) EXP Date; and 5) Exp. Date. Id. at 9.

  15. Id. at 10-11.  FDA acknowledged that “companies might also affix or imprint the human-readable GTIN on the package label, in close proximity to product identifier elements.”

  16. Id. at 12.

  17. FDA, Drug Supply Chain Security Act Implementation: Identification of Suspect Product and Notification (June 2021), Guidance for Industry. A suspect product is defined in the DSCSA as a product for which there is reason to believe it (A) is potentially counterfeit, diverted, or stolen; (B) is potentially intentionally adulterated such that the product would result in serious adverse health consequences or death to humans; (C) is potentially the subject of a fraudulent transaction; or (D) appears otherwise unfit for distribution such that the product would result in serious adverse health consequences or death to humans.

  18. Id. at 8-12.

  19. Id. at 2.

  20. Id. at 3.

  21. Id. at 6-7.

  22. FDA, Definitions of Suspect Product and Illegitimate Product for Verification Obligations Under the Drug Supply Chain Security Act (June 2021)(“Definitions Guidance”), Draft Guidance for Industry.

  23.  CDER’s Division of Supply Chain Integrity can be contacted at DrugSupplyChainIntegrity@fda.hhs.gov.

  24. Definitions Guidance, at 4-5.

  25. Id. at 5-6.

  26. Id. at 4.

  27. Id. at 5.

People

Subscribe
Subscribe Link

Email Disclaimer