The Drug Supply Chain Security Act was designed to make pharmaceutical products fully traceable through the supply chain. Its core elements of serialization, aggregation, interoperable data exchange, verification, and authorization will prevent illegitimate, damaged, or harmful drugs from reaching patients.
Its decade-long phased implementation concludes with a final enforcement deadline of November 27, 2023. After that date, trading partners who fail to implement the measures for their business type will be unable to receive or sell pharmaceutical products, and will be at risk of audits by the FDA and other bodies.
It can be difficult enough to operate your business in today's challenging environment, let alone while adapting to new regulations. You certainly don't need a solution provider stalling or telling you that they can't -- or won't -- bring your company into full compliance well ahead of the deadline.
And yet, as the deadline draws nearer, we've begun hearing just this kind of story: implementations that go months over schedule, or that seem to leave significant compliance gaps or risks to be mitigated. With limited time left before the enforcement deadline, and a number of important things to get right in advance, you don't want to see your provider's timeline padding all the way out to November; if that's the case, it may be time to start asking some questions.
The truth is that not all solution providers are ready for DSCSA. They won't say so, but you might have begun to pick up on clues. We can make the issue clearer by identifying some common myths about DSCSA requirements.
Myth 1: Nothing will really happen if you aren't exchanging EPCIS data by November 27, 2023.
It might be tempting to buy into the notion that things will continue more or less as before when the deadline hits, or that they can be treated as some sort of surface formality or paperwork. Nothing could be further from the truth. DSCSA serialization is transformational, and its measures are in place to ensure that suspect, illegitimate, diverted, or recalled medications don't make their way through the supply chain to patients. As such, industry cooperation is essential and will be enforced, both by regulators and by your trading partners.
Yes, your trading partners will expect you to comply with DSCSA. (If they don't, they're part of a major problem for you.) In fact, some take the deadline so seriously that they're enforcing their own penalties for not meeting onboarding deadlines far in advance of November. This is because failing to comply will seriously disrupt business, and compliance is a team effort. Product that arrives without EPCIS data must go into quarantine, and if you can't send or receive the data, you can't send or receive any product. So, it's understandable that some trading partners take such measures to protect their business — they need to know who's going to be ready and who's going to be a problem.
And, as an expert from law firm Arnold & Porter told Regulatory Focus, you can expect FDA inspections to cover DSCSA compliance, including trading with Authorized Trading Partners, having interoperable data connections, exchanging data ahead of transactions, and using product identifiers.
Anyone — especially any solutions provider — who says you can slide by the deadline without full compliance is leading you into danger.
Myth 2: The FDA will probably extend the enforcement deadline anyway.
Our team finds it very interesting that those who still ask us whether the FDA will extend the deadline tend to follow up by asking what the penalties are for non-compliance. Much like your suspicions about providers who aren't getting the job done, if you have to ask, you likely already realize there's a problem.
Simply put, at this point in 2023, there is no reason to believe that the FDA will grant enforcement discretion.
This is because it’s easier and safer to comply with DSCSA than to wait. Not only are the requirements well understood now, but accessible, affordable solutions are readily available. When trading partners across the pharmaceutical industry have the information and resources available to adopt DSCSA, there’s no regulatory rationale to accommodate businesses that don’t take these steps.
If your provider is saying the deadline will be extended, they're engaging in wishful thinking, or perhaps just trying to get you to do so. Anyone who's serious about protecting your business will make sure you're compliant well ahead of the deadline.
Myth 3: Some interoperable connections won't be possible.
Has your provider told you they can't establish EPCIS onboarding with certain trading partners? If so, that's a major red flag. Past the fact that your provider's limitations should not affect who you do business with, that's not how interoperability works. All serialization and traceability solutions must be interoperable — that's the point. (Of course, if a trading partner isn't cooperating or is ignoring DSCSA, that's an entirely different problem.)
There won't be a separate system for continuing outside DSCSA data with certain partners. Interoperability is a must, and EPCIS onboarding must be done for every company with whom you exchange goods.
These connections are the backbone of DSCSA, as they enable the traceability and supply chain visibility that the law was written to create. So, a DSCSA provider who won't work with one or more of your current trading partners isn't much of a DSCSA provider.
Myth 4: It's too difficult to switch DSCSA providers.
So, let's say you've called your solution provider after reading points 1-3, and rather than aligning their story with reality somehow, they double down. Then they warn you against switching to another provider, citing one technical limitation or another and, ironically, the looming deadline.
This is likely in line with the very limited, locked narrative they've given you from the beginning, and as you probably already suspect, it's false.
Worse than a simple case of technological lock-in, they're now endangering your ability to do business. In this case, it's time to start looking for help elsewhere, since they're not going to get the job done. It might seem unfortunate to be in this position in 2023, but don't let the sunk-cost fallacy get you. It's easier than you think to move to a provider who will actually get you to audit-proof DSCSA compliance, comfortably and with time to spare.
LSPedia's technology is cloud-based and system-agnostic, meaning that there won't be any limitations around your ERP system or any other existing tools. We'll form interoperable connections with any of your trading partners, and will ensure that you're not only fully compliant, but have the resources to lead the process with your partners who aren't up to speed.
In addition to establishing these connections conveniently, we also work with SAP to offer pre-tested, qualified connections that can make the process a snap.
Plus, our Investigator technology is the industry's leading solution for exceptions management, ensuring that you're automatically notified of any transaction problems and fully equipped with solutions, including a guided resolution process.