The Drug Supply Chain Security Act

In 2013, members of the U.S. drug supply chain requested that Congress create a law that would govern the identification, management and traceability of all drug products within the United States. As a result, in 2013 the Drug Supply Chain Security Act (DSCSA) was adopted with the aim of facilitating the exchange of information (end-to-end traceability) at the individual package level to provide visibility into where a drug has been in the supply chain. This will enable verification of the legitimacy of the drug product identifier down to the package level, enhance detection and notification of illegitimate products in the drug supply chain, and facilitate more efficient recalls of drug products.

Key provisions over the next 10 years are requirements for:

Product identification: requirements for manufacturers and re-packagers to place a unique product identifier on certain prescription drug packages.

Product tracing: requirements for manufacturers, wholesaler drug distributors, re-packagers, and many dispensers (primarily pharmacies) in the drug supply chain to provide information about a drug and who handled it each time it is sold in the U.S. market.

Product verification: requirements for manufacturers, wholesaler drug distributors, re-packagers, and many dispensers (primarily pharmacies) to establish systems and processes to verify the product identifier on certain prescription drug packages.

Detection and response: requirements for manufacturers, wholesaler drug distributors, re-packagers and many dispensers (primarily pharmacies) to quarantine and promptly investigate a drug that has been identified as suspect, meaning that it may be counterfeit, unapproved, or potentially dangerous.

Notification: requirements for manufacturers, wholesaler drug distributors, re-packagers, and many dispensers (primarily pharmacies) to establish systems and processes to notify FDA and other stakeholders if an illegitimate drug is found. 

DSCSA Compliance Timeline

GS1 & GS1 EPCIS

The FDA DSCSA regulation requires that the pharmaceutical industry implement end-to-end traceability by 2023. Trading partners in the supply chain have chosen to implement and test GS1 Standards-based solutions in real-world pilots to meet the deadline for interoperability. GS1 standards have been in place for over 40 years. The first and most notable application was in the grocery industry and the formation of the Uniform Product Code Council (UPCC). The GS1 Standards are the most widely used standards in the world with over 5 billion scans per day.

While GS1 Standards have created a hierarchy that reaches down to the product level for serialization, several industry entities have voluntarily chosen to use GS1 EPCIS even as this standard evolves to fully meet the spirit of the regulation. EPCIS (Electronic Product Code Information Service) is a global GS1 standard for swapping EPC (Electronic Product Code) information. It allows trading partners to exchange data in concert with the products as they move through the supply chain. An industry pilot between Johnson & Johnson Supply Chain (JJSC) and AmerisourceBergen Corporation (ABC) did just that with actionable and repeatable results. The other two of the “Big 3” (Cardinal & McKesson) are likely to adopt another option, which will likely create two parallel data pathways.

Data Integrity

To further complicate matters, in April of 2016, the FDA issued draft guidance specifically targeted towards data integrity within the pharmaceutical industry. Although this was primarily geared towards R&D, testing, clinical trials and production, the draft mandates that all records are complete and accurate while preventing the loss, misuse and deterioration of stored data. The draft also defined key terms such as data integrity, metadata, electronic signatures, audit trail and backup. Also addressed were the concerns surrounding shared log-ins, how often and by whom audit trails should be reviewed, and the use of electronic signatures.

FDA Term Definitions:

Data Integrity

Refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate.

Audit Trail

Means a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record. An audit trail is a chronology of the “who, what, when, and why” of a record. Electronic audit trails include those that track creation, modification, or deletion of data.

Audit Trail Review

FDA recommends that audit trails that capture changes to critical data be reviewed with each record and before final approval of the record. Audit trails subject to regular review should include, but are not limited to, the following: the change history of finished product test results, changes to sample run sequences, changes to sample identification, and changes to critical process parameters.