Ten years after enactment by Congress, the Drug Supply Chain Security Act (DSCSA) serialization mandates finally took effect in November 2023. The U.S. Food & Drug Administration (FDA) has extended the implementation period of a key element as a one-year stabilization period, but after that, no excuses. How ready are you?

Drug supply chains in the U.S. were already complex, with layers of state and federally regulated manufacturers, intermediaries, logistics providers, health-systems, and pharmacy or clinic dispensers. As of November 27, that complexity has escalated to unprecedented levels. 

After a decade-long regulatory process, the FDA has flipped the switch and Title II of the 2013 Drug Quality and Security Act (DQSA), known as the Drug Supply Chain Security Act (DSCSA), has become law. DSCSA establishes a national, uniform chain of custody for drugs entering U.S. interstate commerce, with standards and processes for end-to-end product tracing, verification and identification from manufacturer to filled prescription. 

Serialization of data using labeling with unique multi-value barcode identifiers enables supply chain partners and the FDA to quickly verify each drug’s chain of custody back to the manufacturer, with ready data access and information-sharing through a decentralized network of private repositories. The end goal: a documented, certified, secure chain of custody among vetted partners, to catch counterfeit product and legitimate product stolen or diverted into the black market.

Here is how the process works: A bottle of Trulicity has its 10-digit National Drug Code (NDC) number and 2D bar code identifier from the manufacturer, similar to a QR code, linked to drug and shipment information — brand and generic name, shipment volume, dosage and expiration date. A box of 10 bottles (each bottle with a unique serial identifier) has its own box serial identifier linked to each bottle inside; a carton of five boxes has its own serial identifier linked to each of the five boxes, and so on. The manufacturer creates the initial aggregation of serialized data and identifiers; each successive receiving party in the supply chain through the pharmacy or clinic dispenser reports any changes in ownership, aggregation/de-aggregation, destruction, etc.

Each party’s responsibility under DSCSA, according to John Reichert, senior director of supply chain execution solutions with supply chain and warehouse management software provider Tecsys Inc., is ‘one-up, one-back’; to verify that the shipment and documentation were received by verified source, are complete and 100% accurate, and ownership change is reported to a valid DSCSA repository. When shipping, the owner is responsible for transmitting accurate shipping data to the next owner — including all serialization and aggregation details. “There’s a daisy chain effect,” he says, “so if there’s any kind of issue you can go back through the history to find where it originated.”

Documentation Requirements

DSCSA’s complexity is in the documentation and related information-sharing that follow each shipment, currently by batch or lot but, as of November 27, 2023, at the unit level by package. Beginning with the manufacturer, supply chain partners are required to provide: 

• Transaction information: Product and shipment data including product and lot identifiers, shipment volume and dates and contact information for transaction parties at either end. 

• Transaction statement: A document certifying that product has been transferred between authorized parties; and that it was accompanied by a complete, accurate history of prior transactions dating back to the manufacturer. In addition, certifying that the current shipper 1) had proper verification systems and processes in place; 2) didn’t knowingly ship a suspect product; and 3) hasn’t entered false transaction information or altered the transaction history.

Manufacturers, wholesale distributors, repackagers and dispensers must have systems and processes to respond to government requests for verification of suspect product. They must have the means to quarantine and investigate suspect product; to notify trading partners and FDA of illegitimate product; and to respond to notifications of illegitimate product. 

Rather than have a centralized government database manage potentially sensitive medication information, a decentralized network of private “repository” partners like Axway, TraceLink or rfxcel manage data storage, query access and compliance using GS1 Electronic Product Code Information Services (EPCIS) data-sharing standard. Given the urgency of tracking and tracing suspect or illegitimate products in the system, industry and standards organizations came together to develop the verification routing services (VRS) in 2019 to automate near-real time queries and responses.

Catch-Up Time  

Is all the associated cost and complexity necessary? “Yes,” says Dr. Valerie Bandy, a pharmacist and senior director of pharmacy solutions at Tecsys. “There’s a major problem with diversion; you can go into almost any healthcare system, and I guarantee within the last year they’ve had at least one case of a staff member diverting medication onto the street or ingesting it themselves.” Narcotics and high-value medicines are common targets, she adds, with entire trucks getting hijacked and products stolen and resold, at times cut with inactive or harmful ingredients to add volume and profits or stored improperly and then resold to a hospital or clinic. 

Supply chain partners were initially expected to have internal tracing, verification and information-sharing systems and processes in place by late 2015, when standardized federal/state licensing and reporting for distributors and 3PLs would also be ready. Serialization at the unit level was originally required of manufacturers by 2017, repackagers by 2018, with distributors and dispensers phased in by 2019.

A convergence of factors delayed full implementation, not least of which was Covid-related disruption. The main obstacle, however, has been implementation complexity and cost, especially for smaller players. A lengthy FDA process further encouraged a ‘wait and see’ attitude before committing upfront investment. Now DSCSA serialization is law (incremental to prior lot level regulations) with FDA enforcement of unit-level serialization delayed until November 27, 2024 — a “stabilization period,” the FDA calls it, as parties scramble to complete critical process and technology updates.

A High-Stakes Game

Manufacturers face the most acute challenges from unit-level serialization, first retooling production lines for more complex barcode packaging, labeling and inspection, then standardizing and storing much larger data volumes to be accessible across the supply chain for partner and FDA verification inquiries. 

This in turn creates potential downstream compliance problems. Returns of saleable prescription drugs, which make up 2-4% of the U.S. prescription drug market, are a case in point. While most verification requests are triggered by exceptions, all saleable returns must be verified as legitimate before they can be accepted and resold. 

KPMG has estimated that saleable returns will generate as many as 60 million electronic verification queries and responses annually among roughly 150 major wholesalers and 500 manufacturers and their authorized marketers and contract manufacturers. The urgency and limited shelf life around many of these drugs demands a quick turnaround from manufacturers; the Act’s requirement of verification within 24 hours was a key driver behind the VRS mandate and model. 

Signals from industry suggest problems ahead. A Healthcare Distribution Alliance (HDA) member survey released in early 2023 showed fewer than a third of manufacturer respondents able to send serialized data to their distribution partners, and half of distributors receiving incomplete data on full product lines. Pharmaceutical distributor McKesson’s vice president of distribution operations estimated in a July presentation that only 35% of manufacturers were sending serialized data to distributors, raising industry concerns about product being forced into quarantine. 

DSCSA penalties, it is worth noting, are severe: up to a year in prison and a $1,000 fine for a first violation; up to $3,000 and three years for subsequent offenses; and potential fines, imprisonment and license suspension or revocation for failure to meet system requirements or implementation deadlines. Penalties are written into the law itself, with little FDA enforcement discretion.

Hit the Ground Running

Fast-forward to the present, and the need to integrate all supply chain partners — especially small, mid-sized and niche healthcare providers and intermediaries — quickly into the system. 

As a pharmacist, Bandy sees an urgent need for supply chain partners to make the needed technology and process upgrades to become compliant, in the interest of both efficiency and patient health and safety. She recommends that companies immediately 1) designate an individual or team to take responsibility for understanding the legal requirements and implementing compliance; 2) reach out to upstream partners to assess their readiness, reinforce the need for action and begin coordinating on integration; and 3) draw on the expertise of industry groups, standards boards and qualified solutions providers in taking initial steps like selecting a repository and supply chain management solution partner.  

With unit-level serialization going live for everyone at varying times over 2024 (based on individual organization readiness), Reichert says, large manufacturers and wholesalers with the most to lose are taking enforcement into their own hands. “They recognize that their risk of non-compliance is huge,” he adds, “and they’ve got the IT staff and the compliance people to take the lead, so they’re setting their own standards and creating their own mandates to force everyone else to be compliant even in advance of the FDA November date.” 

He sees a two-step process ahead as distributors just getting familiar with serialized DSCSA rely on quick basic technology and labor-intensive solutions to ensure minimal compliance by the 2024 deadline, and then later a second wave of technology investment once DSCSA is up and running that focuses on making their compliance efficient. 

Reichert cautions against attempting shortcuts. A typical WMS (Warehouse Management System) solution, for example, might support lot control and serialization but not necessarily a nested structure of serial numbers within serial numbers; a pharmacy may need to track the pill count in each bottle, while the WMS is only tracking the lowest unit of measure such as the serialized bottle. Separately, DSCSA only requires pharmacies and health systems as end users to trace and verify inbound products, confusing most WMS’s that expect a corresponding serialized outbound move once a serialized item is received. 

“If you ask whether a WMS solution provider supports DSCSA and serial numbers, most will say yes,” Reichert explains, “but if you ask whether they support DSCSA reporting of aggregation and de-aggregation in all events, you will not necessarily get the same answer. What we are finding from RFPs and in the sales process is that people often are not asking the right questions about DSCSA.”

His checklist in shopping for a solutions provider includes:

• Applications with DSCSA regulations embedded and robust back-and-forth communications capability with repositories for handling complex, multi-layered serialization.
• A solution that fully supports the client’s specific industry segment because compliance requirements are different for each. 
• Serialization data embedded in the WMS, to trace product movement and any changes inside the warehouse, not just when it enters and leaves. 
• Demonstrated experience with DSCSA compliance as a significant part of the provider’s business, including references.

“Solutions are possible for fairly quick implementation with a minimal infrastructure of terminals and scanning technology,” Reichert says, but these will be labor-intensive and of limited longer-term use. A more efficient, robust solution will be essential over time. 

Companies need to take a dual-pronged approach at this stage, Reichert insists, and should get started now. “The farther along we get, the more panic there is going to be, everybody is going to be wanting something and providers will have trouble delivering the right resources, right systems, and the right quality. Earlier is definitely better.”

Resource Link: www.tecsys.com