S TRATEGIC L AYER

The strategic layer contains the electronic pedigree which establishes a secure chain of custody of pedigree documents shared between custodians in the pharmaceutical supply chain. A design for an industry-wide electronic pedigree has been advocated by the Drug Security Network (DSN) and furthered by EPCglobal’s Healthcare and

Life Sciences Pedigree Task Force (Inaba 2008). This design is modelled at the

strategic layer as it captures the use of RFID as a source of information for pedigree information goals in the enterprise.

This electronic pedigree uses three elements: pedigree data format, pedigree

processing, and pedigree informationtransmission mechanisms (Inaba 2008). These

elements have been modelled in the respective partitions at the strategic layer of the reference model depending on whether these are: standalone components; involve several components by association; or are inferred from data from component associations. These are now briefly explained to justify their inclusion in the standard operating partition.

The pedigree data format represents the physical entity’s information, such as the

drug, in a format which can be distributed amongst custodians (Inaba 2008). It has supply chain wide scope which allows custodians in remote locations, or across countries, to understand and interpret information about entities. Digital signatures are used by the format to ensure the integrity and non-repudiation of data, and also that it complies with legislation and the need for governments to audit such data. As the format has been incorporated into a de-facto industry-wide specification, now essentially a superset of several formats complying with the electronic pedigree laws introduced by the National Association of board of Pharmacy (NABP) and the US states of Florida and California (Inaba 2008), it has been modelled as a component at the strategic layer in the reference model.

Electronic pedigree processing authenticates an electronic pedigree document,

validating the transactions of previous custodians from the document before the product arrives (Inaba 2008). When physical products arrive, pedigree processing verifies that the products match the electronic pedigree document; and prior to shipping a product, pedigree processing is used to sign the outgoing pedigree, and transmit the pedigree to the next custodian. Pedigree processing is a strategic layer

component which starts at the second custodian’s location as this is the first place where pedigree information would be verified.

The transmission mechanism of electronic pedigrees is used to transfer data to

custodians (Inaba 2008). This can happen in two ways: the propagating document

approach or the fragmented data approach. The propagating document approach

represents pedigree data into a single document which is appended, re-signed, and forwarded by each successive custodian in the supply chain. As each custodian appends and re-signs the document, a new layer is added to the document, effectively, creating a link between all custodians which can be unwrapped to verify a product’s point of origin, thus, it depends on associations forming between custodians. In this case, one-to-many (1:M) associations would be formed as the document is read in sequence between custodians which is why it is in the association partition of the strategic layer.

Conversely, the fragmented data approach allows custodians to retain electronic pedigree information for a document in their own database or a third-party database, rather than propagating it down the supply chain (Inaba 2008). Although this produces smaller pedigree documents, it increases the amount of network traffic to source pedigree information. It also means that a custodian could modify data after the product has been shipped. When considering this, as a custodian participates with each other through the database, different associations are formed, for example, a 1:M if documents are read in sequence, or one-to-one (1:1) if a single custodian examines a document in time. Effectively these belong to the strategic layer’s association partition.

As products may be assembled or aggregated in the real world layer, individual pedigree documents are combined into a Pedigree Business Document (Inaba 2008). As the Pedigree Business Document serves as a wrapper to consolidate the individual pedigree records, it is an inferred information structure, so it has been modelled in the strategic layer’s feature space. These wrappers specify information unique to each pedigree document (identifier, version of format, timestamp); and information unique to the product package (drug name, manufacturer/distributor, object identifier, National Drug Code (NDC), manufacturing date, expiry date, dosage

information attests to a component i.e. a drug. However, as additional information is added to the Pedigree Business Document prior to it being transmitted to the next custodian - information about the shipper; and transaction data (sale invoice number, date of purchase, quantity by lot number), belongs in the strategic layer’s feature space. This information is derived when several entities in the real world layer are associated with each other – such as through aggregation.

Finally, the custodian that is shipping a product, and hence, a business document as well, has to sign the document. Upon receipt of the goods and documents, the receiving custodian validates the digital signature (authentication) and after matching the received products with the pedigree document (verification), they then sign the pedigree to confirm receipt (confirmation). As the underlying movement of these aggregated products may happen repeatedly along the supply chain - the process of transmission, signing, and retransmission at the aggregated form gets repeated multiple times, which is why these elements are modelled in the strategic layer’s association space.

To understand how the strategic layer works in an actual pharmaceutical supply chain that uses RFID systems, the Cardinal Health system is now considered. Having trialled the use of RFID at the item-level, Cardinal Health was readying their Sacramento California distribution centre (DC) for California’s upcoming pharmaceutical electronic pedigree requirement (Bacheldor 2007). Having sourced information from the RFID layer, they were preparing to collect RFID data for drugs they receive from manufacturers and distribute to customers. They were also going to purge the serial numbers from any pharmaceuticals that were returned to its Sacramento distribution centre and that data was to be used in an electronic pedigree, to document product return, prior to the drug being returned to the manufacturer. As these procedures would be occurring above the RFID layer, in the enterprise, these would be considered at the strategic layer in the reference model.

10.2.1.2

RFIDL

The RFID layer contains the RFID system which is a source of information for electronic pedigrees. There are two sides when considering the RFID system: the lower technology elements (which are physical linkages or interfaces to a custodian’s location and products); and the upper data elements (derived from the physical

components which interface to the electronic pedigree). In the case of Electronic Product Code (EPC) based systems, these elements have been standardised, however, other proposals for the design of these elements exist, and therefore, a mixture of both are presented in the reference model. These depict how RFID is a source of information for the electronic pedigree. These elements are now explained in order from the most abstract to least abstract following the principle of abstraction expounded in Chapter 5.

RFID data can be distributed between custodians using various infrastructures. One such infrastructure is the EPC Infrastructure, proposed by the Auto-ID Labs, and now advanced by EPCglobal as the EPC Network. This infrastructure specifies a global schema for the distribution of data through components and associations (Staake et al. 2005). The main components of the infrastructure are: object name

service (ONS), EPC discovery service (EPCDS), and the EPC information service

(EPCIS). These elements are now listed:

• The ONS is a multi-layered directory service – containing root and local services - which locate information about tag EPC’s in a similar manner to that of the internet’s domain name service (DNS). The root ONS is the authoritative directory of manufacturers offering information about their products on the EPC network, whereas a local ONS is a directory for individual products of a specific manufacturer. (Staake et al. 2005).

• Next, the EPCIS is used by trading partners, such as custodians, to store and provide access to product information. (Staake et al. 2005).

• Finally, the EPCDS is a directory of addresses for other EPCIS servers to locate data about an EPC, to be located across several databases in order for track and trace to operate. (Staake et al. 2005).

As these components are networked components, most likely accessed over the internet, custodians would associate to these using remote database queries to derive RFID data for their electronic pedigrees, which is why this has been modelled in the association partition of the RFID layer.

On the lower side of the RFID layer, the organisation of RFID components can be reflected in RFID data stored in databases (Agrawal et al. 2006). The associations which arose at the component level, such as when a particular reader has read data from a tag can be inferred from the RFID data, and can be transformed into a

movement graph of associations.

In a movement graph, the physical associations are depicted in the data as entity

types: object, location, and organisation (Agrawal et al. 2006). A relationship

‘belongs to’ defines the association a location in the physical world has with a

custodian. To represent RFID events, other relationship types exist, such as: observed, assembled, and disassembled. The observed relationship represents an event of when an object was seen at a particular location at a certain time and represents the edges of an object movement graph – a trace of where an object has moved. This relation type, together with the relationship type ‘belongs to’, represents the edges of a traceability network, and hence, the associations between custodians.

Associations within a custodian location and the entities it produces can also be represented at a logical data layer as well. The assembled and disassembled

relationships capture associations which have formed between objects - such as hierarchical associations in packaging, for example, packaging of drugs in pharmaceutical supply chains. This is why these have been modelled in the RFID layer’s feature space. (Agrawal et al. 2006).

It is possible to build up a data view of the underlying RFID hardware – this was illustrated in a similar manner in Chapter 6 when associations and features were modelled.

Having defined the traceability network’s data and logical views in the data, it is then possible to infer new features from these structures by performing traceability

queries (Agrawal et al. 2006). A pedigree query could be used to reconstruct the

complete history of an object, whereas a recall query, issued to detect the current location of an object, and a bill-of-material query asks for everything that is contained in an object in instances of assembly or disassembly. That is why these queries have been modelled in the feature partition of the RFID layer.

Ultimately these logical associations and features arise from the underlying

traceability network which is made up of all the RFID sensing locations containing

RFID readers (Agrawal et al. 2006). Sensing locations within a custodian’s location are equipped with RFID readers which produce events that represent the state of an object at a certain time. As sensing locations are organised in sequence, and entities move in sequence along these locations, an object movement graph can be defined as the derivation of data records in sequence – essentially a history of the entity’s movement along a particular part of the RFID system. As each custodian has an RFID system which may be contributing to a centralised data repository, each location is effectively contributing a subset of the overall associations within the object movement graph, and hence, the overall entity trace.

However, as object movement and related data can be valuable business information which custodians may be reluctant to share, a system which maintains sovereignty of each query may be restricted. Agrawal et al. (2006) have proposed a query engine to support information sharing across multiple organisations at the traceability network layer. Provided the custodians run the query engine platform, they can run global traceability queries; the query engine rewrites the request to obtain data which is available to the custodian, complying with permissions in place at custodian gateway query engines. This shows that in the RFID layer’s association partition, even though a physical association may exist between components, not every feature can be inferred by a custodian.

The above examples conclude the upper side of the RFID system in the reference model’s depiction of standard operations. Now the lower RFID side is discussed. In order for these higher RFID concepts to be supported, the radio frequency of tags and readers will influence the establishing of associations and features at the RFID layer’s lower side. The Pharmaceutical Benchmark has examined the use of the three RFID frequency types in pharmaceutical supply chains (Howe et al. 2007). High-Frequency (HF) can be used close to liquids such as a vaccine vial, while far field Ultra High Frequency (UHF) cannot. However, UHF has a much longer reach than HF, as beyond 12 inches HF does not function, whereas UHF is effective up to 36 inches. In addition, UHF is more sensitive to the orientation of the chip relative

data from cartons arranged on a pallet. Finally, Near Field UHF has been proposed as replacing HF and UHF, but is still under development. Thus, the choice of radio frequency will impact on the granularity of tag reads on associated entities in the real world layer. Further complicating matters is the influence the physical contents of the entities has, as mentioned above; some frequencies are impacted by water and metals. As will be discussed, frequency will influence how deeply within an assembled package the reader will be able to identify tags, and hence, infer the contents of the assembled product in containing physical entities such as drugs. Consequently, this impacts on what is inferred in the association and feature space of the data layers of the RFID layer. In essence, radio frequency emanates from readers, antenna, and tag components to enable associations being formed – which is why it has been modelled in the RFID layer’s association space, while components appear in the RFID layer’s component partition. This analysis via the reference model illustrates the model’s ability to capture these elements.

In the Cardinal Health system a single radio frequency has been used. Alien Technology 915 MHz Class-One Generation-Two tags have been attached to individual packages of all brand-name and generic prescription drugs as opposed to using several different frequencies (Bacheldor 2006a, b). This shows that even though a variety of tag frequencies exist and for different purposes, some companies have found that a single radio frequency can read tags across several physical layers of packaging, and also across the entire pharmaceutical supply chain.

The adoption of RFID within pharmaceutical supply chains determines the horizontal production of data – between custodians – and the vertical production of data – within a custodian’s location (Bapat and Restivo 2005). RFID deployment also occurs in phases. In Phase One, a custodian may conduct a closed-loop pilot to derive a business case for widespread adoption of RFID. By applying tags to a limited number of product pallets, the mandates of downstream custodians may be achieved. In Phase Two, there would be an increasing level of integration of RFID into the custodian’s business operations, where the technology may be pushed outwards and into upstream or downstream custodians. It may also include increasing the level of granularity of tagging, to the item-level or into production processes, incorporated into a company Manufacturing Execution System (MES), thereby extending RFID onto the plant floor. The effect would be an increase in the

identification granularity to a point at which raw materials can be tagged, and the integration of several raw ingredients to form new products could be recorded. This would provide a record of product formulation. As various interactions could be recorded under such a scheme – raw ingredient interaction through to ingredient interaction with plant equipment or custodian locations - this could all be reflected in the electronic pedigree at the strategic layer.

Thus, modelling the RFID layer between the strategic layer and real world layer, enables the interrelationships (which influence the configuration of this technology and which will shortly be illustrated as influential in security analysis) to be considered.

10.2.1.3

R

W

L

The real world layer contains the pharmaceutical supply chain’s physical components and processes. These enable the movement of drugs between all custodians to deliver the drug all the way to the consumer. This layer is interfaced to the RFID layer by the physical tags and readers when they are associated with different physical entities in the real world layer association partition. The degree of integration of RFID technology into the physical world is dependent on the level of integration enabled by the phases of RFID deployment, in addition to the physical components and processes.

A product’s form can change over the pharmaceutical supply chain. A drug product

can begin life as an active raw ingredient in a chemical plant. The chemical plant ships the ingredient in barrels to the drug manufacturer. The drug manufacturer processes the active ingredient, perhaps transforming it into a solid drug, such as a tablet or pill, at a manufacturing plant. The manufacturing plant may aggregate many individual drug products using layers of packaging or containers, in which event new associations are formed between individual products to derive aggregated products.

The manner in which RFID is integrated with the physical layers which shape aggregated products impacts on the derived data for the electronic pedigree. However, what can be inferred at the strategic layer’s feature partition of an

electronic pedigree’s documents ultimately may depend on the configuration of entities that interact in the real world layer’s association partition.

An example of this multi-layered association and how it influences what can be inferred by the electronic pedigree can be seen in the Cardinal Health system, when the assembly of packages and products varies. Products can be assembled into: foils, blister packs, bottles, liquids, and solids – and at different points along the pharmaceutical supply chain (Bacheldor 2006a, b). Accordingly the RFID technology is integrated into this physical structure as follows:

• The RFID tags are embedded into printed labels at Cardinal Health’s Printed Components facility in Moorestown New Jersey. The RFID labels are then transferred to the company’s Philadelphia packaging plant, to be automatically applied to the individual product items and encoded with unique serial numbers. Labels are automatically applied to the individual product items and cases, and manually applied to pallets. (Bacheldor 2006a,