On June 3, the Food and Drug Administration (FDA) released four guidances implementing the Drug Supply Chain Security Act (DSCSA).
- Final Guidance for Industry: Drug Supply Chain Security Act Implementation: Identification of Suspect Product and Notification (Suspect Product Final Guidance)
- Final Guidance for Industry: Product Identifiers under the Drug Supply Chain Security Act – Questions and Answers: Guidance for Industry (Product Identifier Q&A Final Guidance)
- Draft Guidance for Industry: Definitions of Suspect Product and Illegitimate Product for Verification Obligations Under the Drug Supply Chain Security Act Guidance for Industry (Definitions Draft Guidance)
- Draft Guidance for Industry: Enhanced Drug Distribution Security at the Package Level Under the Drug Supply Chain Security Act (Enhanced Security Draft Guidance).
Comments on the Draft Guidances are both due August 3 and though there is no formal comment period on the Final Guidances, FDA will accept comments at any time. I’m still reviewing and will have more to say in the weeks ahead but I’ve just cancelled my July vacation.
Taking the two guidances on suspect and illegitimate products first, both are revisions to earlier released guidances. The Suspect Product Final Guidance was first released in June 2014 and then revised and reissued in 2016. 86 Fed. Reg. 30054 (June 4, 2021). The Suspect Product Final Guidance covers a lot of ground, addressing circumstances and scenarios that increase the risk of suspect product entering the supply chain and makes recommendations to manufacturers on notifications about products with a high risk of illegitimacy. It appears that the only substantive change from the 2016 Guidance is on page 3, with this addition addressing when trading partners must notify immediate trading partners that they have reason to believe a trading partner may have received an illegitimate product:
“FDA anticipates that the immediate trading partners to notify would include those to whom a trading partner has sold the drugs and in some cases, from whom a trading partner purchased the drugs.”
The Suspect Product Final Guidance also recognizes more explicitly the valuable and singular expertise of the manufacturer in suspect product investigations. Pages 6-7 include the following new language:
Because a product’s manufacturer is usually the best able to assess the authenticity and quality of a product, a trading partner should consult with the manufacturer when conducting any investigation of suspect product.
The Definitions Draft Guidance was first released in 2018 and, given the significance of the changes, FDA has re-issued it in draft. 86 Fed. Reg. 30056 (June 4, 2021). As a result of confusion in the supply chain regarding whether stolen product fell within the definition of “suspect” and “illegitimate,” FDA has added a new section to the Definitions Draft Guidance addressing the issue. FDA has now clarified that even though a stolen product is no longer in a trading partner’s possession or control, theft of that product nevertheless triggers applicable suspect and illegitimate product investigation, quarantining, and notification requirements under § 582. While this would seem to be contrary to the plain language of the DSCSA, neither is this interpretation a surprise to industry – FDA has been signaling for over two years that it deemed product thefts as potentially triggering DSCSA obligations, including possible reporting to the agency on the Form 3911 and notification to trading partners.
The agency also clarified the definition of “Unfit for Distribution” by adding that, to be unfit for distribution, the product must, among other things, “be reasonably likely to result in serious adverse health consequences or death to humans.” The Definitions Draft Guidance also clarifies that products awaiting reserve distribution and products subject to a waiver, exception, or exemption are not deemed “unfit for distribution” and would not trigger § 582 investigation, quarantining, and notification requirements.
With the suspect and illegitimate product guidances dispensed with, stakeholders will want to focus closely on the other two guidances, the Product Identifier Q&A Final Guidance (86 Fed. Reg. 30058 (June 4, 2021)) and the Enhanced Security Draft Guidance (86 Fed. Reg. 30053 (June 4, 2021)). For long-time DSCSA followers, both contain real difficulties and challenges.
The Product Identifier Q&A Final Guidance was issued a full 3 ½ years after the DSCSA requirement to affix product identifiers to all covered products and homogenous cases, and 2 ½ years after FDA’s enforcement discretion expired – which FDA granted because the effort to implement the DSCSA’s product identifier requirement was so significant an undertaking, the supply chain needed more time. In the absence of any FDA guidance on what the product identifier should be and how it should be presented on every DSCSA-covered prescription drug product label, industry had looked to the standards of GS1, the global standards-setting organization for the healthcare industry. Now, years after the requirement became effective, the Product Identifier Q&A Final Guidance appears to declare that products serialized and labeled in accordance with GS1 global standards are no longer aligned with FDA recommendations. Manufacturers (and repackagers) need to carefully review the Product Identifier Q&A Final Guidance, paying particular attention to the Product Identifiers section, IX.B, and Q&As 3 through 12, especially the discussions of presentation of expiration dating and the GTIN.
The Enhanced Security Draft Guidance requires a very careful reading as it is dense and presents, for the first time, FDA’s views of § 582(g)(1) of the FDC Act and what constitutes “enhanced drug distribution security at the package level,” which will go into effect on November 27, 2023. The Enhanced Security Draft Guidance purports to set out the system attributes necessary to enable the tracing of products in the pharmaceutical supply chain. This Draft Guidance helpfully emphasizes the acceptability of “aggregation” and “inference” and that trading partners will need to be able to provide, receive, and maintain the product identifiers for the products purchased and sold after November 27, 2023.
However, the Enhanced Security Draft Guidance also appears to describe “a system” where FDA and other state and government officials would be able to access, electronically and automatically, the confidential transaction data for all DSCSA-covered product purchases and sales held by a manufacturer, repackager, wholesale distributor, or dispenser. This “system” would also be expected to enable responses to verification requests within one minute, allow for the viewing of all product tracing information from all trading partners for all transactions involving a specific product, and enable real time “alerts.”
Review of the Enhanced Security Draft Guidance has only just begun. In my view, what seems to be described is not possible for the pharmaceutical supply chain to accomplish by November 27, 2023, even if such a “system” were contemplated by the DSCSA. Trading partners are struggling to establish the business-to-business connections necessary to enable the provision, receipt, and maintenance of transaction data that includes the identifiers for the products purchased and sold. It does not seem possible or likely that FDA, and every other government authority, would be able to establish similar electronic connections to the databases of every pharmaceutical manufacturer, wholesale distributor, repackager, and dispenser in the U.S. Moreover, there would have to be, it seems, some means for a query to go, simultaneously, across the entire pharmaceutical supply chain, to every privately-maintained data repository and the capability to return a response to that query. The prospect of a manufacturer, wholesale distributor, or dispenser opening up proprietary, highly confidential transaction data repositories to be automatically and electronically queried by unknown third parties and government authority strains credulity. The alternative might be the creation of a central database or blockchains that hold all pharmaceutical transaction data in the United States and could be queried. However, the DSCSA says nothing about the creation of such a system and there are no legal requirements that trading partners in the supply chain subscribe to such a system or upload or post data to it.
There will be more to come as I continue to evaluate these guidances and their impacts upon DSCSA compliance and the looming 2023 deadline for the interoperable, electronic tracing of prescription pharmaceuticals.