More Guidance Released from FDA for Drug Supply Chain Security Act Compliance
The Food and Drug Administration (“FDA”) released additional guidance documents on Wednesday, August 30th pertaining to the enhanced drug distribution security requirements under the Drug Supply Chain Security Act (“DSCSA”). See here for Quarles’ previous coverage on this topic.
1. Enforcement Deadline Pushback
The first document, “Wholesale Distributor Verification Requirements for Saleable Returned Drug Product and Dispenser Verification Requirements When Investigating a Suspect or Illegitimate Product,” (which we realize is a bit of a mouthful), brings the unique wholesale distributor and dispenser requirements related to verifying saleable returned drugs and investigations of suspect or illegitimate products into alignment with the enforcement deadline extension of November 27, 2024 issued last week for the enhanced security requirements.
Section 582(c)(4)(D) of the Food, Drugs, and Cosmetics Act (“FDCA”) requires a wholesaler to verify the product identifier for each “sealed homogenous case” or individual package of a drug that was returned to the wholesaler and that the wholesaler intends to redistribute. This section was set to go into effect initially in 2019 but was subsequently pushed back until 2023. This guidance document further pushes back the enforcement deadline until November 27, 2024. However, FDA makes clear that this extension does not apply to a wholesaler’s obligation to have verification systems in place to determine whether a returned product is a suspect product.
The FDCA also requires dispensers to verify the product identifiers for the greater of either 3 packages or 10 percent of the packages, for any suspect or illegitimate products. This requirement was also set to go into effect originally in 2019, but has now been pushed to November 27, 2024 as well.
In issuing this guidance, FDA indicated it had received numerous comments and feedback from wholesale distributors and dispensers who were worried they would not be able to effectively comply with these requirements by the 2023 deadline. Concerns from stakeholders included the massive quantity of product that would need to be verified, the need to refine and test these systems in real-time, and the need to let these complex systems “mature” over time to ensure effectiveness.
2. Enhanced Security Requirement Guidance
The second document issued by FDA on Wednesday, “Enhanced Drug Distribution Security at the Package Level under the [DSCSA],” provides significant insight into FDA’s current thinking on the implementation specifics of the enhanced security requirements set to go into effect on November 27th of this year (though, as discussed earlier, will not be enforced until November 27, 2024).
The document reiterates the six requirements of the DSCSA’s enhanced security requirements (which FDA refers to as the six “system attributes”):
- The exchange of transaction information and statements in a secure, interoperable, electronic manner.
- Transaction information that includes the product identifier at the package level for each package included in the transaction.
- Systems and processes for verification of product at the package level.
- Systems and processes necessary to promptly respond with the relevant transaction information and transaction statement for a product upon government request in the event of a recall or to investigate a suspect or illegitimate product.
- Systems and processes to promptly facilitate the gathering of information necessary to produce transaction information for each transaction going back to the manufacturer. This includes requests made by the government for recalls or investigations, and requests by authorized trading partners, which must be conducted in a secure manner to ensure the protection of confidential commercial information or trade secrets.
- Systems and processes to associate a saleable return product with its applicable transaction information and transaction statement to allow a trading partner to accept the returned product.
In this guidance document, FDA clarifies some of the undefined statutory language in these system attributes, specifically pertaining to attribute number three above. The DSCSA directs FDA to prepare guidance on this attribute that “may include the use of aggregation and inference as necessary.” “Aggregation” and “inference” are left undefined, so FDA used this document to define them.
Specifically, “aggregation” refers to “the process of building a relationship between unique identifiers assigned to packaging containers.” FDA offers the example of a “parent-child relationship” between product identifiers for a package or group of packages (i.e., the “children”) that are contained in a homogenous case (i.e., the “parent”). FDA explicitly endorses data aggregation of product identifiers as a way of managing the logistics of products being sold and shipped, but encourages trading partners to work closely with one another to ensure interoperability between partners.
“Inference” is defined as “the practice of examining or using information for a higher level of packaging to infer information about the lower level(s) of packaging and its contents.” The example here is when information about individual packages is inferred from information about a case. FDA also endorses use of inference, but only in circumstances where a trading partner receives pallets or cases (either homogeneous or nonhomogeneous) where the integrity of the shipping unit is still intact. FDA strongly recommends including physical security features on shipping units, such as tamper-evident tape, color-shifting inks, holograms, and physical-chemical identifiers, which are recommended to assist trading partners in determining when product may have been rendered suspect. Note that this prohibition on the use of inference does not extend to cases where a government authority breaks a seal to examine or test the materials and provides appropriate documentation thereof.
In both cases, FDA makes clear that using such processes effectively will depend on the quality of the aggregated data, the documentation and shipping/packing integrity, and the ability of trading partners to effectively use that aggregated data to meet their enhanced security obligations.
In addition to the definitional clarifications, this guidance document will be particularly useful for stakeholders looking to prepare or adjust policies and procedures implementing the enhanced security requirements since it provides numerous concrete examples of the types of systems and processes FDA expects trading partners to have in place. The processes and expectations FDA outlines in this document pertain to the following:
- Data architecture (i.e., the use of a “distributed” or “semi-distributed” model using the Electronic Product Code Information Services (“EPCIS”) standard for capturing and exchanging data.
- Data and system security sufficient to protect against falsification and breaches.
- Confidentiality of commercial information and trade secrets.
- The ability for trading partners to request and respond to requests for information related to verification activities.
- The incorporation of product identifiers into the product tracing information (i.e., the inclusion of serial numbers and expiration dates in transaction information).
- Reconciliation of transaction information.
- Handling aggregation errors and other discrepancies (e.g., such errors should be resolved within 10 business days).
This document does a considerable amount of heavy lifting in clarifying FDA’s expectations for trading partner compliance with the enhanced security requirements. It should not be ignored when developing or reviewing processes related to these requirements, as it offers a key glimpse into FDA’s thinking and will be pivotal in implementing effective processes and avoiding penalties for faulty compliance.
Quarles will continue to monitor any updates to the enforcement deadline or other guidance on this topic. If you have any questions, please contact your local attorney or:
- Susan Brichler Trujillo: (602) 229-5318 / firstname.lastname@example.org