Industry-wide DSCSA Compliance Pilot Successfully Completed

Spherity brings industry-wide DSCSA pilot to digitally verify Authorized Trading Partners into next phase

In partnership with the Healthcare Distribution Alliance and the Center for Supply Chain Studies, Spherity implemented a pilot to develop a solution for digital verification of the Authorized Trading Partner (ATP) status in the context of the Drug Supply Chain Security Act.

AmerisourceBergen, Bristol-Myers Squibb, Johnson & Johnson, Novartis, SAP, rfxcel and Legisym participated in developing and piloting this solution. The developed solution is an efficient and automated approach to ensure that trading partners interact only with authorized supply chain actors, as defined within the law.

Industry-wide DSCSA Compliance Pilot Successfully Completed – Photo by Viktor Forgacs

The cross-functional pilot group establishes a Verifiable Credential based ecosystem to support existing Product Identifier (PI) verification scenarios for DSCSA saleable returns. The DSCSA requires that US pharmaceutical supply chain actors only interact with trading partners that are “authorized”. Trading partners are “authorized” when a wholesaler maintains a state license and as a manufacturer obtains a federal U.S. Food and Drug Administration (FDA) Entity Identifier (FEI) that is valid at the time of interaction.

For more information about Authorized Trading Partners (ATP) in the context of the U.S. DSCSA have a look at our case study about DSCSA-Compliant Verification of Authorized Trading Partners. Before staring the pilot project, we successfully tested with SAP and Novartis the electronic verification of “authorized” U.S. trading partners in a proof of concept.

The challenge of being DSCSA compliant

To meet the Authorized Trading Partner requirements under DSCSA today, trading partners or their service providers need to manually check if their counter parties have an active license that is published in a state or federal database. When there is not a business relationship with the company requesting the Product Identifier (PI) verification, the ad hoc due diligence process to confirm license validity exhibits its limit. Especially when thousands existing trading partners are obliged to verify Product Identifiers and expect a response within 24h, it will be hard to assure compliance to the DSCSA requirements.

Supply chain interactions require ATP verification — by Spherity

Digital process for Authorized Trading Partner verification

Trading partners need digital and automated processes to prove DSCSA compliant interactions with other trading partners. An identity layer built on Decentralized Identifiers (DID) and Verifiable Credentials (VC) provides the infrastructure for such a mechanism and additionally enables data integrity compliance. Manufacturers, wholesale distributors and dispensers can use Cloud Identity Wallets to identify any previously unknown trading partner and to verify the respective Authorized Trading Partner status in real-time. The Decentralized Identifier (DID) is anchored on a blockchain network as DID registry. This enables every ecosystem participant to verify the integrity of the DID.

Seamless and trusted interaction of Authorized Trading Partners — by Spherity

To establish trust in this ecosystem, each trading partner needs to walk through an onboarding process to interlink company with their self-sovereign Decentralized Identifier (DID). As a root of trust, notarized company documents or the DEA signing certificate are used by solution providers like Legisym to verify the company data and issue a Company Identity Verification Credential to its DID. This credential serves as proof that the due diligence process was performed and the company DID is trusted.

“The credentialing process based on Verifiable Credentials is the first proven industry digital process that addresses ATP compliance gap of knowing if the counter party using the system is an authorized trading partner per DSCSA requirements. This is a foundation for 2023.”
– David Mason, Regional Serialization Lead, Novartis

Based on the successful due diligence for the Company Identity Verification Credential, Legisym issues an Authorized Trading Partner credential, which travels with the Product Identifier Verification message. Legisym operates a database of state licenses and FDA Entity Identifier (FEI) records for pharmaceutical companies. This validated and trusted source is used to issue, maintain and revoke Authorized Trading Partner credentials. Without having a direct access to a registry of state licenses, every trading partner in the ecosystem can now verify the Authorized Trading Partner status of other supply chain actors in a more efficient way.

This diagram shows how the credential issuer can issue credentials and the trading partner can store them in the Cloud Identity Wallet:

Credential issuance process — by Spherity

Technical implementation of a digital Authorized Trading Partner verification

To exchange the Authorized Trading Partner (ATP) credential between trading partners, the pilot implementation utilizes the existing GS1 Lightweight Messaging Standard for Verification of Product Identifiers. A simple additional API call to Spherity’s Cloud Identity Wallet generates a Verifiable Presentation of the ATP credential that can be attached as JSON Web Token (JWT) to the PI Verification message. Hence, every trading partner or Verification Routing Service (VRS) provider using the designed logic is able to send a Product Identifier Verification request or response message including the Authorized Trading Partner status information. Any receiver of such enriched PI Verification message can verify the Authorized Trading Partner credential presentation by sending the JWT via API to his Cloud Identity Wallet.

“Including the ATP credential in the header of the PI verification message to secure the network is a good idea. The upfront due diligence by the issuer in creating the credentials would be important to the audit trail that was piloted. This solution would need broad adoption.”
– Rosemary Hampton, IT Manager, Johnson & Johnson Information Technology

Trusted interaction between two trading partners using a Verification Routing Service — by Spherity

SAP and rfxcel tested the implementation in their environments and successfully performed all defined test cases:

1. PI Verification with active ATP credentials
2. PI verification with revoked ATP credentials
3. PI Verification with expired ATP credentials

To leverage existing systems, a seamless integration with Credential Issuers and VRS Providers is required. The pilot group built a system where interacting service providers only need two APIs, to use Authorized Trading Partner credentials.

Please find more details of the technical implementation in the API documentation of the ATP Pilot.

Simple Cloud Identity Wallet integration for Service Providers — by Spherity

“The ATP pilot is the most comprehensive effort to address the upcoming Authorized Trading Partner requirement for DSCSA. rfxcel was impressed to see how seamlessly it integrated with our solution. All participants work well together and rfxcel is excited to see this adopted by other solution providers and the industry.”
– Herb Wong, VP Marketing & Strategic Initiatives, rfxcel

All participating trading partners received access to the Spherity Cloud Identity Wallet to monitor credential operations with a Authorized Trading Partner monitoring module. Every time an Authorized Trading Partner credential is used in a PI Verification message or an incoming Authorized Trading Partner credential is verified, the Cloud Identity Wallet monitors the operation. The Cloud Identity Wallet provides investigators the audit trail of every transaction or the option export data for further analysis.

As part of the Pilot, all trading partners successfully performed the following test cases together with Legisym as credential issuer and Spherity as Cloud Identity Wallet provider:

1. Onboarding to Spherity Wallet and setup of account
2. Credential acquisition and maintenance by Legisym
3. Auditing and Investigation scenario for active, revoked and expired ATP credentials

Highlights of the proposed solution

Benefits of using Verifiable Credentials for Authorized Trading Partners

• Easy integration with Credential Issuers and VRS Providers
• Digital and cost efficient solution meeting legal and regulatory requirements
• Interoperable with existing GS1 Lightweight Standard for PI Verification
• Building the foundation for a digital identity layer for further DSCSA requirements

Summary and Next Steps

The DSCSA requires that manufacturers, repackagers, wholesale distributors and dispensers, may only interact with trading partners that are authorized. SAP, Legisym, Spherity and their industry partners AmerisourceBergen, Bristol-Myers Squibb, Johnson & Johnson and Novartis designed and successfully piloted a method using Cloud Identity Wallets and Verifiable Credentials meeting those DSCSA requirements and ensuring that participants in the ecosystem are Authorized Trading Partners.

This digital services model can be used by all supply chain actors to ensure full compliance. The next steps are to develop system standards with standards bodies and to onboard new providers to prove inoperability. Considering interoperability requirements, the pilot group is working on offering first movers the chance to adopt the developed Authorized Trading Partner solution. Further, the ATP pilot group has opened up, shared the developed solution, and invited dispensers and solution providers to test.

“The piloted solution requires no change in GS1 Lightweight Messaging Standard currently used for PI Verification. The team intends to submit Application Programmer Interface (API) and credential schema designs to GS1 US for standardization or guidance inclusion.”
– Bob Celeste, Founder, Center for Supply Chain Studies

Video: DSCSA compliant Authorized Trading Partner

This short video explains how Verifiable Credentials are used to establish a DSCSA Authorized Trading Partner status in the saleable returns process.

Guided Demo: Step through the Credential Acquisition Process

This click demonstration walks you through the process of
1. setting up a DID,
2. acquiring a Company Identity Verification Credential,
3. acquiring a DSCSA ATP credential and
4. communicating your Decentralized Identifier to your VRS provider.

-> Link to Guided Demo

Spherity — ATP Guided Demo

On a personal note, I would like to highlight the experience working with the highly skilled, open minded and innovative pilot group. It was a challenging journey and I am very glad that our journey doesn’t end here. Besides all compliance and business challenges, the compliance, operational and IT experts had the patience to explore the world of DIDs and VCs. I am very proud that we met all expectations. The group understood that the used technology has the potential to heavily accelerate verifiable data exchange between companies.

Visit spherity.com to receive more information about the Authorized Trading Partner pilot or to learn how to use Spherity’s Cloud Identity Wallet in other use cases.

Feel free to reach out with any question or to set up a demo to see how these tools work. If you just want to stay sphered join Spherity’s Newsletter list or follow us on LinkedIn and Twitter.