Countdown to 2023 DSCSA Compliance

Over the past year—and in the face of a pandemic that has snarled supply chains and work schedules—the US pharma industry has made measurable progress in its march to the November 2023 deadline for compliance with the Drug Supply Chain Security Act (DSCSA). DSCSA, passed in 2013, set out a 10-year process for creating “interoperable, electronic tracing of products at the package level to identify and trace certain prescription drugs as they are distributed in the United States.” Although both industry and FDA have marked some key steps, there is a lot yet to be done, and not all of the pharma supply chain (from manufacturers to dispensing pharmacies and hospitals, with distributors and contractors in between) is moving at the same pace.

In the past 12 months, FDA issued a batch of guidance documents that detailed its view of product verification processes (clarifying what a “suspect” product is) and procedures for handling product returns that are salable. One guidance, “Enhanced Drug Distribution Security at the Package Level,” however, elicited a sharp reaction from the Healthcare Distribution Alliance (HDA), which said that the document should be withdrawn since it proposes a system that “does not exist, cannot be built by 2023, and poses unacceptable security and compliance risks.”

HDA objected, among other things, to the recommendation that a trading partner, FDA, or a state official, could get a rapid response to trace a suspect product with one request; HDA suggests that because the data of such transactions are stored across multiple databases, that quick response is not possible. FDA has been quiet about revising or withdrawing the guidance.

Another key guidance, issued early this year, was the long-awaited proposal for managing the licensure of drug wholesalers and third-party logistics providers (3PLs) by FDA—superseding the many state-level procedures already in place. This guidance represents the first time that FDA officially will oversee wholesaler and 3PL activities, and will be issuing operating licenses and inspecting facilities going forward. (At press time, the comment period on this guidance was still open.)

On the industry-collaboration front, there are at least three significant activities going on: the Partnership for DSCSA Governance (PDG); the Open Credentialing Initiative (OCI), and HDA’s ongoing surveying and codifying of industry practices and readiness. None of these organizations has force of law or regulation, but all of them, one way or another, are trying to establish agreed-on industry practices to make both interoperability and understandable data file transfers happen.

In early 2022, HDA published an updated Guidelines for Barcoding, superseding pre-DSCSA guidance and essentially defining what the barcodes will look like for fast data collection at distribution centers. The organization is also surveying its members (most recently, to determine how extensively the electronic product code information services, or EPCIS standard for electronic communication, is being adopted) and providing feedback to FDA on its guidances. In the recent past, HDA took a leadership role in establishing the concept of a “verification router service” (VRS), which will serve as a phone book for how queries on product identifiers will be directed from the query source to the information source.

Partnership for DSCSA Governance (PDG), set up intentionally to bring together manufacturers, wholesalers, and dispensers to represent the full breadth of the supply chain, issued the first chapter of a “Foundational Blueprint for 2023 Interoperability” last year. The document is fairly technical and detailed around file descriptions; the next step is to take the output of four working groups to set up how connections will be made between trading partners. The working groups are Credentialing and User Authentication; Serialized TI/TS Data Exchange; Verification Architecture; and Tracing Architecture.

OCI is organized by the Center for Supply Chain Studies, a Pennsylvania nonprofit, and skews toward software vendors of blockchain-related technology (see OCI’s article on interoperable electronic credentialing). So far, it has published several proof-of-concept projects that demonstrate how the technology could function.

“It’s pretty clear that there will not be one communication technique, or one software application, that will connect all trading partners to each other,” says Perry Fri, EVP, industry relations, at HDA. “Industry standards will help.”

“Manufacturers have one answer to interoperability, and wholesalers have another,” notes Greg Cathcart, president of Excellis Health Solutions. He agrees that “multiple systems and standards will be written,” but that “the ultimate question is, ‘Who owns the data?’”

TraceLink (see related article), generally regarded as the most widely used IT system for DSCSA compliance, has gone in a direction of creating a network of trading partners across the supply chain, and setting up communication processes within that network for connectivity. There will always be outsiders to the network, or special cases, though, and so Shabbir Dahod, CEO of the company, says that the Opus platform, the company’s newly announced software version, will be set up to provide interfaces to other software tools. “Other companies have already layered applications on Opus, and we can support that,” says Dahod.

Solution providers evolve

The solution provider landscape has changed in recent years. Most notably, Antares Vision, an Italian provider of packaging line equipment and software, has acquired rfXcel, Tradeticity (a Croatian traceability software vendor), Acsis, a software provider oriented toward warehouse management, and the assets of Adents, a French firm. Systech, an early innovator in packaging serialization, was acquired by Dover Industries and linked to the Dover subsidiary Markem-Imaje, a marking/labeling firm. Movilitas, a European consulting and systems integration firm, has been acquired by Engineering Group, a global IT provider; similarly, Excellis Health Solutions, based in the US, is now owned by NNIT, a Danish IT firm.

According to industry sources, the great majority of manufacturers are now routinely barcoding their products with unique serial numbers (this was an early DSCSA milestone). Packaging vendors benefited from the business driven by that requirement. However, those numbers are not being routinely shared and verified up and down the supply chain—that requirement has been delayed to 2023. A key element of serial code transmission is aggregation—the ability to infer what codes are inside a case of product (which might have dozens or hundreds of individual units), from the “parent-child” relationship established by the packager when the case was composed.

Lacking aggregation, wholesalers and distributors will be compelled to break down pallets and open cases, and perform a manual serial code check.

FDA’s 2022 proposed guidance, for the first time, explicitly permits inference from aggregated cases; however, this puts the onus on the packager to collect the unit data to create the parent-child relations. “While essentially everything we receive is barcoded, only half of it, at best, is aggregated,” comments Pat McGinn, SVP of supply chain integration at Eversana, a 3PL and commercial-services provider to life sciences. “While the aggregation levels are improving, it’s a problem, especially for generic manufacturers.”

McGinn has some good advice for industry supply chain managers, regardless of how rapidly they’re aggregating: pay close attention to how your products enter the supply chain, and where it’s best to compose larger or smaller aggregated containers. An example of this is the use of inner packs—the bundles of product (say, four bundles of 12 in a case of 48); if used, these need to be aggregated as well. But it’s conceivable that the packager might do better with shipping cases of 12 rather than 48. “You might spend a little more on the packaging, but you could save substantially on service requirements or product damage across the supply chain,” he says. Eversana offers to consult with its clients in this matter.

Back on the software side of the DSCSA compliance march, there is some industry buzz around a recent product offering of LSPediA, which provides serialization and supply chain software. When fully implemented, DSCSA will require the documentation of a shipment (in digital form) actually match up with the physical shipment; ideally, the documentation arrives prior to the shipment, and then the receiver verifies the identity of the two. But errors are rampant in both the documentation (where an errant “0” or hyphen could throw off an identification field) and in the physical shipments, where a nominal case of 48 might have 47—or 49—units.

LSPediA has introduced the Investigator application, a tool that automatically (and with some programmed intelligence) goes through an EPCIS or similar file and identifies errors in the documentation. Without such an automated tool, the checking needs to be performed manually. According to Michael Ventura, a VP at the firm, some companies have spent hours looking for an error, which Investigator found in minutes. In recent months, both AmerisourceBergen and Cardinal Health—which together represents roughly two-thirds of primary distribution of pharmaceuticals in the US—have adopted Investigator, as well as numerous small distributors and some manufacturers.

New business value

One unexpected outcome of the COVID-19 pandemic is the intense focus, these days, on supply chain practices and problems (think of how the suppliers of baby formula are currently dealing with that issue). “We don’t have to explain to outsiders what the importance of supply chains is anymore,” notes HDA’s Fri. For all the disputes for and against the value of DSCSA in its early days, the industry is benefiting from the new capabilities that serialization and traceability are beginning to provide to the industry.

TraceLink’s Dahod says that traceability is foundational to what the industry will be able to accomplish going forward. An example of this is a newly announced capability to predict product shortages in TraceLink’s Opus platform. The company claims that shortages can be predicted 90 days out, with 80% accuracy. Similar supply chain improvements are expected from a newly announced partnership between TraceLink and Kinaxis, a company that specializes in supply chain and logistics analytics and optimization.

Other companies have adapted traceability to specialized applications: rfXcel, for example, demonstrated the utility of tracking cold chain shipments via its software (cold chain products need to have documentation of the temperature and environmental conditions of the shipment, when the shipment arrives).

And then there is anti-counterfeiting, which, from a legislative perspective, was the driving force to DSCSA passage in 2013. Although most US observers note that counterfeit product is at worst a minor factor in US distribution, there have been some recent, startling instances. The worst example, arguably, was Gilead Sciences’ findings that some $250 million worth of its HIV and other products was allegedly diverted or counterfeited in the past two years. Gilead brought civil suits against a wholesaler and pharmacy ring that crossed 10 states. The US Dept. of Justice is reportedly now looking into the matter.

While DSCSA barcodes figured in the Gilead and other counterfeiting discoveries recently, industry experts agree that the serial codes alone won’t be unbeatable countermeasures. The use of authentication technologies—holograms, security inks, microprinting, and the like—will also figure. A few vendors working in the DSCSA environment, notably Systech and Covectra, are offering authentication technologies that use the same label as where the serial codes are printed.

Recently, Covectra updated its previously announced StellaGuard technology, which enables an investigator (or, a consumer) to use a smartphone camera and internet connection to verify a label, based on the precise positioning of star-shaped particles in the label (the positioning is unique to each unique serial code).

Systech is promoting its e-Fingerprint technology, which uses a similar logic based on the fine details (flaws) in a printed label. Both technologies depend on accessing a database of the labels’ original features that the smartphone compares; both have the utility of enabling consumers to do their own, on-the-spot authentication.

Yet another direction being taken in the traceability path (but not necessarily DSCSA-compliance-driven) is the use of radio-frequency identification (RFID) labels in addition to the 2D barcodes. RFID scanners in place at a hospital pharmacy can be integrated into an inventory- and security-management process, as well as to ensure the right medication is being received by the right patient. Kit Check has been a pioneering firm in this effort, and there is now an industry group, the DoseID Consortium, that brings together the labeling service providers and suppliers of RFID technology. Last fall, ears perked up when AmerisourceBergen announced it would offer RFID labeling for medication trays (which hold multiple doses of medicines) used in hospitals.

These new applications are not only instances of how technologies can find places in niches of the overall pharma supply chain, but also how technology has continued to move on over the near decade that DSCSA has been in place. Nevertheless, the DSCSA mandate is in place for all parties in the pharma supply chain, and time is running short. “Manufacturers need to be working now on finalizing their connections with their wholesalers,” says Fri. “Next year, those wholesalers will be busy getting aligned with the downstream pharmacies and hospitals, who have big hurdles to get over.” To that end, HDA is generating content and pooling together resources for the pharmacy community on its website, HDA.org.