Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 2

Important Notice To Readers of This Essay

On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.

There is more than one reason why you shouldn’t expect to use GS1’s EPCIS by itself to comply with the California pedigree law.  Part 1 of this series showed that the traditional distributed network of EPCIS repositories in the U.S. pharma supply chain doesn’t work.  But that analysis assumed the use of the “vanilla” EPCIS standard, without the use of any “extensions”.  That’s not really the way GS1 intended EPCIS to be used.  In this and future essays of this series I will explore some of the approaches that make full use of the extensibility that is built into the standard.

In this Part of the series I want to take a closer look at the work of the Network Centric ePedigree (NCeP) work group of the GS1 Healthcare Traceability group.  I am one of the leaders of that group along with Dr. Mark Harrison of the Cambridge University Auto-ID Lab, Dr. Ken Traub, Independent Consultant, and Gena Morgan of GS1, along with strong contributions from Janice Kite of GS1 and Dr. Dale Moberg of Axway.  The larger group consists of people who work for companies in the pharmaceutical supply chain, GS1, and solution providers from around the globe, although I think the majority are from the U.S.

The NCeP group published a very interesting recording of a presentation that explains the details of their work.  It is called “NCeP – Technical Analysis Sub-Group, Event Based Pedigree”.  The purpose of this recording is to help people outside of the close-knit NCeP group to learn about the pedigree models developed there, evaluate them and provide feedback to the group about which model(s) should be considered for ePedigree and traceability regulations in the future.


That’s right.  One of the first decisions the NCeP group made back when they were formed was that they would purposely avoid trying to create a solution that would specifically work in California.  The group recognized that the current California pedigree law as written leads you down a path that only ends up at a document-based approach to compliance.  If the group had chosen to go down that path, it would have only led to the creation of a duplicate of the existing GS1 Drug Pedigree Messaging Standard (DPMS).  The DPMS standard defines a document-based ePedigree model that was purposefully designed in 2006 to help companies comply with document-based ePedigree laws like the Federal Prescription Drug Marketing Act (PDMA), the Florida Pedigree Law, the California Pedigree Law and all of the “normal distribution” state pedigree laws that exist around the U.S. today.  There would be no benefit in reproducing the same kind of functionality by shoe-horning the non-document-based EPCIS standard into a document-based solution.

So instead, the group decided to focus on defining models that would allow the EPCIS standard to be used as it was designed to be used, with the hope that the result could be used to persuade legislators in the U.S., the E.U. and elsewhere to produce new legislation that would embrace one of those models.  This was a much better approach because it removed the constraints imposed by the existing laws that come from their document-centric design.  In the U.S. the thinking is that a new Federal pedigree law may define a network-centric approach to pedigree that aligns with one of the models defined by the NCeP group, and—most importantly—that it will pre-empt the California pedigree law so that the industry can veer away from document-based compliance before the deadline.

If Congress does not enact a new law that can be met using a network-centric approach by 2015 then companies will need to invest in DPMS-based systems.  Those systems would almost certainly also make use of the EPCIS standard to capture and hold serial number events but those events would be encapsulated in DPMS pedigree documents for exchange.  The same would occur if Congress enacts a new law but follows California’s lead and makes it document-specific.  How long can companies wait for Congress before they need to start investing in DPMS systems in preparation for California?  Maybe another 12 to 18 months I’d say.


The NCeP defined seven different models that make use of EPCIS to create a network-centric pedigree system.  The best way to find out about them is to listen to the recorded presentation that the group produced, but here is a listing:

  1. Single centralized model
  2. Semi-centralized model
  3. Distributed Push model
  4. Distributed Query Model Using ASN to Push Links
  5. Distributed Query Model with Discovery Services
  6. Distributed Model Using Centralized Discovery and Checking Services
  7. Push All Events Model

Personally I think that models 1 and 7 are equally impractical and probably shouldn’t be on the list for free-market countries.  Model 1 assumes only a single repository for pedigree data and would probably be implemented as a government-run entity.  Smaller countries might consider a model like that but because the volume of transactions would be so huge, larger countries should avoid it.  Model 7 is basically the shoe-horning of a document-model into an EPCIS-based approach.

What you are left with are the Semi-Centralized model and four distributed models.  For California compliance specifically, the distributed models have the fatal flaw that they are, well…distributed (see Part 1 of this series, “The Viability of Global Track & Trace Models”  and “Inspecting An Electronic Pedigree”).  That leaves us with the Semi-Centralized model.


The Semi-Centralized model requires all trading partners to push their EPCIS event contributions to a drug’s pedigree up to one of multiple pedigree repositories.  From that repository a pedigree “report” could be requested (perhaps a modified DPMS pedigree message that contains an overarching digital signature applied by the central service) that could contain all of the data elements that the California law requires (see the full list in Part 1 of this series).  Only the certifications required by California would require some special extension work, but that could be done.  This model can even fulfill the need for each trading partner to validate the full transaction history on the pedigrees at each transaction without downloading the full report every time (the central checking service would perform the analysis and simply notify the data owner of the results).
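As an added illustration (not part of the original essay, the NCeP models or any GS1 specification), the sketch below shows the kind of analysis a central checking service could run over the events pushed by trading partners: confirm that every shipment is matched by a receipt from the expected party, then return an integrity-protected result. The event fields, party names and key are constructed assumptions, and the HMAC tag is only a stand-in for the digital signature the central service would apply.

```python
import hashlib, hmac, json

# Constructed sample events in a simplified shape (an assumption, not the EPCIS
# schema): each trading partner has pushed its own observations to the repository.
EVENTS = [
    {"serial": "SN-0001", "step": "commissioning", "by": "MfrA", "time": 1},
    {"serial": "SN-0001", "step": "shipping", "by": "MfrA", "to": "WholesalerB", "time": 2},
    {"serial": "SN-0001", "step": "receiving", "by": "WholesalerB", "from": "MfrA", "time": 3},
    {"serial": "SN-0001", "step": "shipping", "by": "WholesalerB", "to": "PharmacyC", "time": 4},
    {"serial": "SN-0001", "step": "receiving", "by": "PharmacyC", "from": "WholesalerB", "time": 5},
]

def check_history(events, serial):
    """Return (ok, current_holder_or_reason) for one serial number's custody chain."""
    history = sorted((e for e in events if e["serial"] == serial), key=lambda e: e["time"])
    if not history or history[0]["step"] != "commissioning":
        return False, "no commissioning event"
    holder, in_transit_to = history[0]["by"], None
    for e in history[1:]:
        if e["step"] == "shipping":
            # Only the current holder may ship, and not while a shipment is open.
            if in_transit_to or e["by"] != holder:
                return False, f"unexpected shipment by {e['by']}"
            in_transit_to = e["to"]
        elif e["step"] == "receiving":
            # The receipt must come from the named recipient and name the shipper.
            if e["by"] != in_transit_to or e["from"] != holder:
                return False, f"unmatched receipt by {e['by']}"
            holder, in_transit_to = e["by"], None
        else:
            return False, f"unexpected step {e['step']}"
    return True, holder

def signed_result(events, serial, key):
    """Build the notification sent to the data owner, with an integrity tag."""
    ok, detail = check_history(events, serial)
    body = json.dumps({"serial": serial, "valid": ok, "detail": detail}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag

def verify_result(body, tag, key):
    """Recompute the tag over the received body and compare in constant time."""
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)
```

A partner that never pushed its receiving event shows up as a break in the chain at the next shipment, which is the gap the central analysis exists to catch.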

I think it may be possible that the Semi-Centralized model could fill the requirements of the California regulations but it would take some work to add the elements that would be necessary.  This would take some special work by technical experts to accomplish properly.  See my essay “A Semi-Centralized, Semi-Distributed Pedigree System Idea”.  At this point in time, it would require a group of people to jump right on it so that the concept definition and development work gets done quickly and decisively.

I’m not sure there is sufficient interest in formalizing a true alternative to DPMS of any kind in California now that there appears to be some chance that the Congress might act soon, which would potentially pre-empt the California law entirely.  We have a tendency in this effort to put all our eggs into one basket and hope for the best.  That’s a lot of hope on top of hope in my view.

Technically this approach would not use EPCIS alone because the pedigree report would need to be implemented with all the same characteristics of a DPMS pedigree with some modifications.  So I believe this model would be a combination of both the EPCIS and DPMS standards—a concept I have supported for many years (see this essay from 2008 “Combining EPCIS with the Drug Pedigree Messaging Standard”).


This essay is Part 2 of why a pedigree solution for California’s existing law cannot be based only on EPCIS and still comply.  We found that there is at least one NCeP model that might enable compliance but it would take an effort that may not get organized because of the distraction of the work that appears to be just starting in Congress.  Maybe that work will be fruitful and any work on alternate California models would turn out to be a waste of time.  That possibility may easily dampen the interests of those who are qualified to do the work.  In that case, we’d better do more than hope that Congress is successful.  I understand there is a coalition of companies who are pursuing just that.  We’ll see if they are successful in the next 10 months or so.

In which direction do you think we should spend our time and effort right now?  If the lobbying effort in Congress doesn’t work by the end of this session, are we happy enough with DPMS to move forward with that document-based approach as the effort to get action out of the next session of Congress continues?

Leave comments below, either named or anonymously, or just send me an email with your thoughts (I won’t publish those).