Ups and downs in the march to DSCSA compliance

It could be that years from now, when the dust has settled, there will be books and Harvard Business School case studies on the successful implementation of the US Drug Supply Chain Security Act (DSCSA), written into law in 2013. But for now, the outlook is still murky, as there are still substantive obstacles between the law’s interpretation by FDA, and the capability (and willingness) of industry to comply. Complicating the matter, the pharmaceutical supply chain participants who have made the biggest investments in DSCSA compliance (manufacturers and wholesalers) have less to do with the nominal purpose of DSCSA—to prevent counterfeit or substandard drugs from reaching patients—than hospitals and pharmacies, yet those supply chain partners are less ready to meet the 2023 deadline for regulatory compliance.

One result of this situation—not readily admitted to by most parties close to the evolving regulatory picture—is to delay implementation beyond 2023. It can be argued that FDA has acclimated industry to such delays by at least a year, as it did in past years when intermediate DSCSA deadlines were postponed. Most recently, it pushed the final few regulatory deadlines from late 2019 to 2023, essentially saying that everyone should get to the finish line then. For its part, the Healthcare Distribution Alliance (HDA), in a recent statement, cautioned “industry should not make this assumption [of a postponement]. In fact, in FDA’s recent public meeting, they once again stated that they expect industry to meet the end goal on time.”

All of which is not to say that FDA and industry are standing pat until 2023. Both have been busy, the former with issuing some (overdue) guidances for industry compliance, and the latter with beavering away at a variety of technical issues that will make DSCSA compliance ultimately successful.

In its latest (November) annual “Readiness Survey,” HDA found that 40% of manufacturers were set to send DSCSA-compliant data to their wholesaler trading partners; conversely, 60% of HDA members were ready to accept such data (both of these are 2023 requirements; both require weeks to months of coordination between trading partners to set up). The clock is ticking.

Unfinished business

Last summer, FDA issued four guidances relevant to DSCSA, two of which finalized the agency’s stance, while the others were draft documents open for review. Of the latter, the “Enhanced Drug Distribution Security at the Package Level” document elicited an almost visceral response from HDA, which called for its complete withdrawal. “EDDS,” as people in the field call it, is meant to be the fruition of the 10-year slog to full DSCSA compliance. It would feature an interoperable, all-electronic system for trading partners to exchange serialization and product data throughout the regulated supply chain.

In presentations since issuing the draft EDDS guidance, FDA has made reference to an otherwise unspecified “system” by which it (or other regulatory bodies, such as state boards of pharmacy) would obtain tracking data on product transactions, with the nominal goal of verifying product authenticity and/or preventing counterfeit product from reaching patients. HDA’s objection:

“[T]he Draft Guidance seems to assume that all government authorities and trading partners are networked or connected in some unspecified way, that all transaction data held in the supply chain can be queried in a single request, that the system can return an automated response to that request, and that this enhanced system enables system-to-system, bidirectional connections and communications.”

In a follow-up with Pharmaceutical Commerce, HDA reiterated this concern:

“FDA’s vision is inconsistent with the law and vastly different from what the industry is building. If the agency were to move forward with a ‘system-to-system’ interface (in which trading partners would have access to other partners’ proprietary transaction data) or a proposed ‘communications hub,’ stakeholders will not be able to meet the 2023 deadline.”

Figure 1. What HDA and the pharma industry does not want from FDA is a “communication hub” where all transaction data would come together for regulators’ review. Credit: FDA

Other organizations, including the Pharmaceutical Research and Manufacturers of America (PhRMA), the National Community Pharmacists Association (NCPA) and the Partnership for DSCSA Governance (PDG) voiced similar concerns. On the flip side, the National Association of Boards of Pharmacy (NABP) offered that its existing NABP e-Profile Connect, a “central services hub” that includes data “for over a million licensees ranging from individual practitioners and pharmacies to wholesale drug distributors and other regulated facilities” could be built out to facilitate gathering trading-partner data.

HDA’s and others’ objections to the EDDS guidance might boil down to an issue of “semantics,” according to one informed source; even if a fully automated system were technically feasible, there are many places in the process where some manual intervention is needed. Various commentators noted that FDA’s own language in the guidance is inconsistent—it speaks of an enhanced system in a “post-2023” environment, which could be any time after 2023 and not necessarily at that moment.

Industry groups, including PDG, HDA and others, are settled, more or less, on an alternative approach: a fully distributed data system (i.e., most if not all trading partners maintain their own databases of the transactions of products they control, with agreed-on linkages to poll each other), and a “one-up, one-down” method of tracing products. In practice, a regulator like FDA would come to a trading partner (say, a retail pharmacy) and query it as to the origin of products in its control. Next, the regulator would go to that previous trading partner and repeat the process.

Integral to the interoperability that these organizations hope for with their vision for DSCSA compliance is use of the EPCIS 1.2 communications standard, a protocol that has been developed by the GS1 US Healthcare organization. GS1, best known as the “owners” of global barcoding standards, has helped in moving industry along an interoperability path (including the 2D barcodes now in place on pharmaceutical packages in most of the world). Along with criticisms of FDA’s “community hub” concept, HDA and others have been beseeching FDA to simply standardize on EPCIS 1.2 for digital DSCSA communications. Whether or not FDA does so (the original legislation only asked for a communication standard broadly used internationally), EPCIS 1.2 might become the de facto standard simply by enough US trading partners insisting on it (a business not using such a standard would have a complicated issue to communicate with other trading partners).

Who are you?

Something that is not specifically laid out in DSCSA legislation—but will be essential for successful functioning in the post-2023 environment—is establishing a so-called “trust framework” whereby supply chain participants can trust the online identity of message senders and receivers. A fundamental concept in DSCSA is the “authorized trading partner” (ATP), which is usually set up between one seller and one buyer. But many aspects of DSCSA will require second- or third-hand transactions (the buyer’s seller, or the customer’s customer, for example) Without trust, a nefarious actor (pretending to be, say, a local pharmacy) could query an ATP supply chain participant for trading data to obtain drug data in order to then counterfeit that drug. As Bob Celeste, a longtime leader in DSCSA-related standards-setting, notes, “There’s the old joke of two dogs talking to each other, with one saying to the other, ‘Online, no one knows you’re a dog.’”

Celeste’s organization, the Center for Supply Chain Studies, is acting as a facilitator for both a working group at PDG, and a new effort, the Open Credentialing Initiative (oc-i.org). OCI brings together several manufacturers (Novartis, Genentech, Amgen and Sanofi), some DSCSA software vendors (TraceLink, rfXcel, RXscan, and other software vendors active in digital-identity technologies (LedgerDomain, Spherity); more participants are actively being sought. OC-I started up in September; it is aiming to establish “global and open standards [that] ensure no vendor lock-in.” The PDG working group has similar goals. In recent months, both Spherity and LedgerDomain have run pilots that demonstrated the usefulness of being able to verify trading-partner identities quickly and reliably.

Should this credentialing initiative go forward, there are at least two looming problems ahead. One, industry will have to coalesce around some third party who will be the repository of the identities, and the grantor of credentials. At the same time, another component of DSCSA, a federal requirement to register drug wholesalers in the US, is yet to be finalized by FDA; it’s possible to conceive of a situation where the private sector will be better equipped than FDA to register legitimate wholesalers—but, the law is the law.

Another enabling technology of DSCSA compliance, but one—like credentialing—not specially called out in the legislation is managing drug master data. Master data, in a simplistic sense, is the information about a manufacturer’s products, not including (unless required) current transaction data. Access to this information helps DSCSA trading partners keep track of which products are in circulation.

At its Traceability Seminar in mid-November, HDA included a demonstration of the Global Data Synchronized Network (GDSN), a years-old effort by GS1 to provide a digital network for storing and communicating product data. The presenters, which included representatives of Walmart Pharmacy and AmerisourceBergen, have been working on basic business rules to set up such a network. In practice, GDSN calls for a group of participants in a supply chain to subscribe to a “data pool” where product data is uploaded, updated and downloaded by the pool subscribers; one advantage is that the product data need only be updated once and then is available to all pool participants (as opposed to a company needing to send new information to each of its customers).

Here, it’s worthwhile to pause to consider the difference between such a data pool and the FDA “community hub” that HDA has been so exercised about. While both systems nominally connect everyone together, the master data pool is only for product descriptions, and not ongoing trade or transaction information. According to an HDA spokesperson, “GDSN is a way to share item master data consistently through the supply chain. That is a key hurdle now and is often why files ‘fail’—due to incorrect master data. It’s fundamental to receiving product and sending EPCIS files, as master data must be received and contained within the system prior to receipt of the product (either at distribution or at the dispenser level). GDSN does not exchange transaction information; that will still be done via EPCIS.”

Outside of pharma, GDSN has been very successful—tens of millions of products, across multiple industries, have been organized into data pools. Much of the US medical device industry has already adopted GDSN. There are other approaches to an industry-wide pool for product data, and DSCSA vendors like TraceLink and SAP have master-data offerings in their suite of services.

The 2013 DSCSA law envisioned a 10-year process to bring the national, electronic, interoperable system to fruition; it’s now in a two-year “countdown” to completion. At this point, industry and FDA might make it to the finish line in a timely manner and it might not; for now, the key is that industry continues to make progress.

- Nicholas Basta is Editor Emeritus and Founder, Pharmaceutical Commerce