The Drug Supply Chain Security Act (DSCSA) reshaped how pharmaceutical products move through the U.S. supply chain. As of the November 2024 enforcement milestones and the subsequent stabilization period, all trading partners — manufacturers, repackagers, wholesale distributors, and dispensers — must exchange transaction information electronically at the package level, with interoperable, secure tracing of products through the supply chain.
For manufacturers and biotechs that rely on third-party logistics providers (3PLs) for warehousing, distribution, and order fulfillment, the 3PL is now a critical node in DSCSA compliance. A 3PL that cannot send, receive, verify, and store DSCSA data correctly will create compliance liability that the manufacturer ultimately owns.
This guide walks through how to audit and qualify a 3PL against DSCSA electronic tracking requirements — what to evaluate, what to ask, what evidence to demand, and what disqualifies a partner.
What DSCSA actually requires of 3PLs

Under DSCSA, 3PLs are licensed trading partners with specific obligations. The core electronic tracking requirements that 3PLs must satisfy include these 8 items:
- State licensure as a 3PL in each state where they operate, plus federal reporting to FDA
- Receipt, capture, and transmission of transaction information (TI), transaction history (TH), and transaction statement (TS) — collectively, the “T3” data — at the package level for prescription drugs
- Interoperable, electronic exchange of T3 data using a secure system, typically EPCIS (Electronic Product Code Information Services) over AS2 or similar
- Verification capability — ability to verify product identifiers (the 2D DataMatrix on each package) for suspect and illegitimate product investigations
- Saleable returns verification — verification of product identifiers when accepting returns for resale
- Record retention of T3 data for not less than six years
- Quarantine and notification procedures for suspect and illegitimate products
- Authorized trading partner verification — only doing business with other licensed trading partners
These obligations apply to the 3PL directly. They do not absolve the manufacturer of its own obligations — and a 3PL failure typically becomes a manufacturer-level compliance issue.
The qualification framework
Qualifying a 3PL for DSCSA compliance should follow a structured, risk-based framework with four phases:
| Phase | Activity | Output |
|---|---|---|
| 1. Initial qualification | Document review, license verification, questionnaire | Go/no-go for on-site audit |
| 2. On-site audit | Facility, process, and system audit | Audit report with findings and CAPA |
| 3. Contractual onboarding | Quality agreement, master services agreement, technical integration testing | Approved supplier status |
| 4. Ongoing oversight | Periodic audit, metric review, incident management | Continued qualification or requalification trigger |
Phase 1: Initial qualification documents to request
Before scheduling an on-site audit, request and review:
- Current state 3PL licenses for every state where they will store or ship your product, plus federal facility registration
- FDA inspection history — last 3-5 years of inspections, Form 483s issued, and warning letters if any
- DSCSA compliance attestation — written attestation of compliance with current DSCSA requirements, signed by an authorized officer
- Quality management system overview — SOP inventory, evidence of a QMS, certification (e.g., ISO 9001) if applicable
- EPCIS implementation documentation — what version of EPCIS, what conformance level, integration partners, exchange protocols supported
- SOC 2 Type II report for IT systems handling DSCSA data, with recent audit period
- Insurance certificates — product liability, errors and omissions, cyber liability
- Organizational chart and key personnel with DSCSA responsibilities
- List of other manufacturers served in your therapeutic area (helpful for reference checks)
- Suspect and illegitimate product procedures
- Disaster recovery and business continuity plans
A 3PL that hesitates to provide this documentation, or provides marketing summaries instead of actual documents, is signaling something. Reputable 3PLs have these materials packaged for prospective customer review.
Phase 2: On-site audit scope
An on-site audit for DSCSA qualification should cover both the operational facility and the IT systems. Plan for at least two days on-site for a full audit, with the right team composition: a QA auditor with DSCSA experience, and ideally an IT/serialization specialist who can probe the technical implementation.
Facility and operations
- Receiving processes — how T3 data is received, validated, and reconciled against physical product
- Storage conditions and segregation — cold chain, controlled substances, quarantine areas
- Pick, pack, and ship processes — how product identifiers are captured at outbound
- Returns handling — segregation, verification before saleable resale
- Suspect and illegitimate product handling — quarantine area, escalation procedures, notification timelines
- Damaged product procedures
- Inventory accuracy and reconciliation cadence
- Pest control, sanitation, security (cameras, access control, alarm systems)
EPCIS and serialization systems
- EPCIS version and conformance — most current implementations use EPCIS 1.2 with growing adoption of 2.0
- Master data management — how GTINs, lot numbers, and serialized identifiers are managed
- Inbound EPCIS event processing — how shipping events from manufacturers are received and aggregated
- Outbound EPCIS event generation — how shipping events to customers are created with correct aggregation hierarchy
- Aggregation accuracy — the parent/child relationships between cases, pallets, and individual saleable units must be maintained correctly through the warehouse
- Exception handling — how mismatches between physical receipts and EPCIS data are resolved
- Verification request handling — turnaround time for product identifier verification requests, automated vs manual
- Audit trail — system audit trails on EPCIS data changes, with appropriate Part 11-aligned controls if records support GxP
- Data retention — how six years of T3 data is stored, accessible, and retrievable
- Integration with manufacturer systems — typically via AS2, with PKI-based authentication and message-level encryption
People and training
- Training records on DSCSA for warehouse staff, supervisors, and IT personnel
- Designated DSCSA coordinator or compliance officer
- Turnover rates in key positions
- Procedures for FDA inspection readiness
6 Things to actually test during the audit
Documentation review tells you what the 3PL claims to do. Operational testing tells you what they actually do. Build the following into the audit plan:
- Trace a real shipment end-to-end. Pick a recent inbound receipt, follow it through storage, picking, packing, and outbound shipment, and verify that EPCIS events match physical reality at each step.
- Test verification request response. Submit a product identifier verification request through the 3PL’s standard channel and measure response time and accuracy.
- Walk a returns scenario. Observe how a saleable return is received, the verification performed, and the disposition (re-stock vs quarantine vs destruction).
- Run a suspect product simulation. Walk through what happens if a product identifier fails verification — quarantine, investigation, manufacturer notification, FDA reporting if applicable.
- Pull T3 data from six years ago, or from as far back as the 3PL has operated. Verify it can be retrieved in a usable format. Many 3PLs cannot demonstrate this.
- Review recent exceptions. Ask to see the last 10-20 EPCIS exceptions and how they were resolved. The pattern of root causes tells you a lot.
This testing is what separates a perfunctory audit from a real qualification. SOPs can look excellent on paper while operations fail in practice.
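The end-to-end trace and the aggregation check can be scripted once the 3PL exports the events for the traced shipment. The following is an added example, not code from this guide or from any 3PL's system. It assumes the events are already parsed into dicts using EPCIS 2.0 JSON field names and sorted by event time; all identifiers are constructed.

```python
P = "urn:epc:id:sgtin:0361234.012345."   # constructed SGTIN prefix, not a real product
CASE1, CASE2, PALLET = (f"urn:epc:id:sscc:0361234.00000000{n}" for n in ("11", "12", "99"))

def agg(action, parent, children):
    return {"type": "AggregationEvent", "action": action, "parentID": parent, "childEPCs": children}

# Constructed events, in event-time order, for one traced shipment.
EVENTS = [
    agg("ADD", CASE1, [P + "1001", P + "1002"]),
    agg("ADD", CASE2, [P + "1003", P + "1004"]),
    agg("ADD", PALLET, [CASE1, CASE2]),
    agg("DELETE", CASE2, [P + "1004"]),          # unit pulled from case 2 before shipping
    {"type": "ObjectEvent", "bizStep": "shipping", "epcList": [PALLET]},
]

def replay_aggregation(events):
    """Replay ADD/DELETE events; return (child -> parent map, hierarchy findings)."""
    parent_of, findings = {}, []
    for ev in (e for e in events if e["type"] == "AggregationEvent"):
        for child in ev["childEPCs"]:
            current = parent_of.get(child)
            if ev["action"] == "ADD":
                if current not in (None, ev["parentID"]):
                    findings.append(f"{child} added to {ev['parentID']} while still in {current}")
                parent_of[child] = ev["parentID"]
            elif current == ev["parentID"]:      # DELETE of a child we know is in this parent
                del parent_of[child]
            else:
                findings.append(f"{child} removed from {ev['parentID']} but was not in it")
    return parent_of, findings

def reconcile(events, scanned):
    """Expand shipped parents to leaf EPCs and diff against units scanned on the floor."""
    parent_of, findings = replay_aggregation(events)
    children = {}
    for child, parent in parent_of.items():
        children.setdefault(parent, set()).add(child)
    stack = [epc for ev in events if ev["type"] == "ObjectEvent"
             and ev.get("bizStep") == "shipping" for epc in ev["epcList"]]
    declared = set()
    while stack:
        epc = stack.pop()
        if epc in children:
            stack.extend(children[epc])
        else:                                    # leaf: a saleable unit or an empty container
            declared.add(epc)
    findings += [f"declared but not scanned: {e}" for e in sorted(declared - scanned)]
    findings += [f"scanned but not declared: {e}" for e in sorted(scanned - declared)]
    return findings
```

An empty findings list means the event data and the physical scan agree for that shipment; each finding is an exception to raise with the 3PL during the audit.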
10 Red flags that should disqualify a partner
Findings that warrant disqualification (or, at minimum, a hard stop and remediation gate before contracting):
- Lapsed or missing state 3PL licenses for jurisdictions where they will operate
- Open FDA warning letter or unresolved Form 483 observations related to DSCSA
- Inability to demonstrate EPCIS event generation for real outbound shipments
- Aggregation errors during the traced shipment — parent/child relationships not maintained
- Verification response times that exceed regulatory expectations (24 hours is the standard expectation for routine verification requests)
- No documented suspect/illegitimate product procedures, or procedures that don’t reflect current DSCSA requirements
- Unable to retrieve historical T3 data on request
- Use of manual processes for activities that should be automated (e.g., manual data entry of serialized identifiers)
- Quality system that exists on paper but with no evidence of execution (no internal audits, no CAPA records, no management review minutes)
- Significant security control gaps in IT systems handling DSCSA data
10 Contractual protections in the quality agreement
The quality agreement with your 3PL is where you codify roles, responsibilities, and remedies. Specific DSCSA-related provisions to include:
- Specific DSCSA obligations assigned to the 3PL, by regulation reference
- Notification timelines for suspect/illegitimate product (typically immediate or within 24 hours)
- Notification of any FDA inspection or regulatory communication concerning DSCSA at the 3PL’s facilities
- Audit rights — annual at minimum, plus for-cause audits with reasonable notice
- Subcontracting restrictions — any 3PL use of subcontractors for DSCSA-related activities must be disclosed and approved
- Data ownership — your T3 data is yours; the 3PL holds it but cannot use it for other purposes
- Data return or destruction on contract termination
- Change control — material changes to the 3PL’s EPCIS systems or DSCSA procedures require advance notification
- Indemnification for regulatory penalties arising from 3PL non-compliance
- Service-level agreements with measurable DSCSA-related metrics (verification response time, EPCIS error rate, etc.)
This is also where your broader quality assurance framework intersects with supply chain — DSCSA compliance is, fundamentally, a quality and traceability issue, not just a logistics one.
Ongoing oversight: what to do after onboarding
Initial qualification gets you to launch. Ongoing oversight keeps you compliant.
- Annual on-site audit for high-volume or high-risk 3PLs; documentation-based requalification for lower-risk arrangements
- Quarterly business review with DSCSA metrics on the agenda — EPCIS exception rates, verification response times, suspect product incidents, returns processing
- Periodic data sampling — pull a sample of recent shipments and verify T3 data matches your records
- Notification monitoring — track and review all DSCSA-related notifications from the 3PL for patterns
- FDA enforcement tracking — monitor FDA actions in the 3PL industry for emerging issues that may apply to your partner
- Annual quality agreement review as DSCSA regulations and FDA guidance continue to evolve
Common pitfalls
- Trusting marketing claims. “DSCSA compliant” on a website is not evidence. Demand documentation and operational testing.
- Skipping the on-site audit. Remote audits are not adequate for DSCSA qualification. You need to see the operation.
- Inadequate IT scope in the audit. Most audit teams have QA expertise but lack the technical depth to evaluate EPCIS implementations meaningfully. Bring or hire that expertise.
- Treating qualification as one-time. Regulations change, systems evolve, personnel turn over. Without ongoing oversight, you’re qualifying a snapshot of a moving target.
- Weak quality agreements. Generic 3PL agreements rarely contain the DSCSA-specific provisions needed. Get a pharmaceutical regulatory attorney involved in drafting.
- No internal DSCSA SME. Manufacturers without internal DSCSA expertise often cannot evaluate 3PL claims meaningfully. Build or buy this expertise.
Frequently asked questions
- Does FDA inspect 3PLs directly for DSCSA compliance?
- Yes. FDA conducts inspections of 3PLs and has issued enforcement actions for DSCSA-related deficiencies. Manufacturers should monitor FDA’s enforcement actions involving their 3PLs as a leading indicator.
- Are 3PLs required to be licensed by FDA?
- 3PLs are required to report to FDA annually and meet federal facility standards, but state-level licensure is also required in each state of operation. Some states impose additional requirements beyond federal standards.
- How is EPCIS data exchanged between manufacturers and 3PLs?
- Most exchanges use EPCIS XML or JSON messages transmitted via AS2 with secure authentication. Some implementations use API-based exchange or shared platforms. The technical method matters less than that the exchange is reliable, secure, and interoperable.
- What happens if our 3PL has a DSCSA failure?
- FDA may take action against the 3PL directly, but the manufacturer typically faces business disruption (recalls, holds, replacement) and reputational risk. Your quality agreement should provide indemnification and remediation pathways.
- How often should we requalify a 3PL?
- A risk-based approach is appropriate. High-volume or high-risk partners warrant annual on-site audits. Lower-risk partners may be requalified every 2-3 years with annual documentation reviews. Any major change (system replacement, ownership change, facility move) should trigger requalification.
Closing thoughts on 3PL
Qualifying a 3PL for DSCSA electronic tracking compliance is not a procurement decision — it’s a regulatory compliance decision with operational consequences that flow back to the manufacturer. A rigorous initial qualification, a substantive on-site audit including IT systems, a strong quality agreement, and ongoing oversight together protect against the most common failure modes.
DES Pharma consulting supports pharmaceutical manufacturers in scoping, executing, and ongoing oversight of 3PL qualifications and supply chain quality programs. If your team is evaluating new logistics partners or reassessing existing ones in the DSCSA-stabilized environment, this is exactly the work that benefits from external expertise and a structured framework.

Isaac brings more than 25 years of experience in bio-pharmaceutical manufacturing and global supply chain leadership, specializing in CDMO selection, procurement, and network optimization.



