If you operate in the healthcare domain within US jurisdictions,
the US Food and Drug Authority (FDA) naturally becomes a vital part of your compliance process.
Being able to perform timely and error-free submissions to FDA, seamlessly from your organization in-house systems,
will make your life much easier - not to mention the competitive edge your business can gain from
quicker approvals, shorter time-to-market, and a happier C-level.
Importance of AS2 for FDA regulatory submissions
As described in one of our previous articles,
FDA accepts submissions through two channels: WebTrader and AS2.
WebTrader is recommended for low-volume manual submissions, but for any medium-to-large-scale organizations,
and even for small businesses with an ambitious growth plan and projections, AS2 is the more future-proof submission method.
FDA accepts AS2 submissions over their Electronic Submissions Gateway (ESG).
Integrating regulatory submissions with the FDA ESG involves a number of steps,
but most of them are one-time tasks and can be performed by any IT personnel
with a basic knowledge in network communications and public/asymmetric key based security.
Steps to integrate your regulatory submissions with FDA
1. Register with the FDA ESG
E-mail your registration details
to FDA helpdesk (ESGHelpDesk@fda.hhs.gov), mentioning “New AS2 Test Account Registration” on the subject line,
to commence the onboarding process. Provide your company name, contact name and phone, submission method (as “AS2”), and a
Letter of Non Repudiation.
The approval process is manual and may take a few days. FDA will open a ticket in their ESG HelpDesk
and update you on the progress.
2. Find an AS2 provider
In AS2, both parties involved in a connection must have an AS2 application that can both send and receive traffic.
Usually it is quite simple, economical and maintenance-free to go with a
cloud-based AS2 provider, who will manage the data and connectivity on your behalf,
where you would simply upload the submission files/archives to their platform, and download the response files when sent back by FDA.
However if your organization has any strict security or regulatory compliance requirements regarding data retention or transfer,
you can install an in-house or on-premise AS2 solution and fine-tune it for your needs.
In either case, the AS2 solution has to have additional capabilities on top of the standard AS2 protocol support,
in order to be compatible with FDA ESG submission process:
- ability to include routing headers (HTTP request headers
indicating the destination FDA center/department and type of the submission) on a per-submission basis -
especially if you wish to deal with multiple centers and/or submission types
- ability to resume interrupted transfers, if you wish to make large sized (VLF, “very large file”) submissions in gigabyte ranges;
especially if you plan on submitting multimedia content like video files
- ability to receive response traffic over HTTPS, on port 4080
3. Create an AS2 identity (station) for yourself, and get it registered with FDA
- choosing an AS2 identifier
to represent your organization; also referred to as “routing ID” by FDA
- creating an AS2 key pair
(private key and public certificate) representing your organization;
FDA accepts self-signed certificates,
so there is no real need to get a CA (cartification authority) involved - unlike usually is the case with HTTPS/SSL certificates
- obtaining the AS2 receiver/listener URL and its HTTPS certificate from your AS2 provider;
this may be a common/shared one mentioned in their documentation or user interface (esp. in case of cloud AS2 platforms),
or it may be customized/tailored for you (e.g. with a subdomain of your organization domain name)
- submitting above details (commonly referred to as your partner profile),
via the support ticket opened in FDA’s ESG HelpDesk (from the first step).
Make sure that you do not share the private key from 2; FDA requires only the public certificate.
FDA attends to these tickets quickly, usually within 24-48 hours.
4. Register FDA as a partner on your AS2 provider
Upon completion of step 3, FDA will share its AS2 identity details for the test environment with you, over the same support ticket.
Similar to the partner profile that you shared, this will include:
- FDA’s AS2 identifier; usually ‘ZZFDATST’ for test and ‘ZZFDA’ for production, but may vary for some centers
- FDA’s public AS2 certificate
- FDA’s AS2 receiving URL, along with its HTTPS/TLS certificate
Now you can use these details to create a partner entity on your AS2 platform.
Partner creation process varies widely across platforms, but is generally
well-documented by most providers.
5. Get the AS2 connection “activated” from FDA side
In some cases, even with both ends configured correctly, FDA will continue to return HTTP 500 error code when you transmit files to them.
You need to request FDA to “refresh” your account, through a support ticket.
This may not always happen, but it is worth looking into - especially if you receive a 500 error during your first few submission attempts.
6. Complete the test transmissions back and forth
FDA may request you to perform one or two tests, based on the nature of your submissions:
- a “connect test”: transmit a small file to their GWTEST center
(with routing headers
X-Cyclone-Metadata-FdaCenter: GWTEST and
- if you wish to make large-sized submissions, a “size test” where you submit a 7 GB file (of the same type that you wish to submit in future),
to same GWTEST center - but with a different submission-type header value -
This test may take several hours to complete, and transmission may be interrupted -
this is where you can verify your platform’s AS2-restart capabilities as well.
For each of these, FDA will return an ACK1 (AS2-level MDN receipt)
(a response text file indicating that the center successfully unpacked your submission).
FDA will review the test submission(s) - which could take up to 1 week -
and if all looks good, will allow you to proceed to the next (and final) step.
7. Set up the FDA production connection
FDA will send you instructions on setting up your production account.
Once the account is approved (which, according to FDA, could take up to 48 hours), you will receive their production AS2 connection profile;
similar to the test connection, this will include their AS2 ID, URL and certificates.
There are no separate tests required for this step; once you set up FDA production system parameters as a partner on your end, you are good to go.
If you reached here, congratulations! You now have a working AS2 connection and submission channel with FDA.
Now you can start making regulatory submissions over the production channel.
Making well-formed, error-free FDA regulatory submissions, however,
requires some additional, careful design steps upon your data processing pipeline, such as:
- creating well-formed tar.gz archive files
- obscure issues caused by presence of some MIME types and AS2 headers
- processing multi-level acknowledgements that FDA returns, and correlating them with each original submission
You can learn about these, and common pitfalls that may arise due to negligence of any steps,
in our dedicated guide on the subject.
Getting up to speed with a smooth regulatory submission process with the FDA ESG, is much easier, faster and trouble-free,
when you go with a custom-tailored Regulatory Submissions Platform rather than a generic AS2 solution.
Check out what Aayu Technologies has in store for you,
and get started right away with a zero-commitment free trial.
You can sign up for an account with a one-month free trial (No credit card necessary)
on the hosted SaaS version of the MFT Gateway.
Alternatively, if you prefer an on-premise deployment, you can request to evaluate the AS2 Gateway
by contacting Aayu Technologies at https://aayutechnologies.com/contact/