The Board of Pharmacy Must Respond To Ideas For Making EPCIS Work

cross-examinationImportant Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.There was a particularly interesting public dialog that occurred during the March 14, 2013 meeting of the Enforcement Committee of the California Board of Pharmacy.  I have been waiting for the official video recording of the meeting to be posted by the State of California but something seems to be holding it up.  Fortunately, I recorded the audio myself.

UPDATE:  Apparently the video has been out there for almost 3 weeks.  I was looking for it in the wrong place.  Find it here.

The dialog was between Joshua Room, Supervising Deputy Attorney General at California Department of Justice assigned to the California Board of Pharmacy, and Bob Celeste, Director, GS1 Healthcare US.  Mr. Celeste had just finished presenting an update to the Committee on the recently published GS1 US Guideline (see “The New GS1 Healthcare US Track & Trace Guidance”) when Mr. Room asked him to remain at the front of the room to serve as a foil for an experiment he wanted to try.  Mr. Room had
a few questions for Mr. Celeste.

Listening to the exchange live, I could tell that something significant was being attempted.  I just wasn’t quite sure what.  That’s why in times like these I like to go back and listen to it several times and capture the exact words so I can, hopefully, extract the intended meaning.

Mr. Room first asked a question about the GS1 EPCIS standard and its use by companies for compliance with the California pedigree law.  Here is the dialog starting with Mr. Celeste’s response to this first question.

Mr. Celeste:  “Yeah, obviously the intention here and the intention of the work we have been doing with the community and the investment the community has made in EPCIS is that, there is a general belief that we can meet the, at least the intent of “pedigree” with EPCIS.  It’s more flexible [and so on].  And what we are working on is—that’s the goal, to get to that, that we can provide pedigree that is verifiable and traceable.”

Mr. Room:  “And is it fair to say that one of the greatest difficulties, or one of the greatest gaps that you have to get over between EPCIS and our law’s requirements is the ability, particularly of downstream supply chain participants to be able to see the entire chain of custody as the product comes to them?  And that instead of seeing individual shipping events or individual capture events, to be able to see those … that precede their immediate trading partner, for instance?”

Mr. Celeste:  “So that can be answered in a couple of different ways.  And again, this is where there, as I pointed out, there are a couple of things we haven’t really answered yet—one of them being architecture.  Of course if we all put all of our information into one big area then it’s all there for us to get at and answer these kind of questions.  If it’s distributed, we do have mechanisms, we do have standards that apply to that.  It’s a matter of how we deploy those and test those in the environment.  We do have a “Discovery Service” and a few other areas where I’ve talked about “Checking Services” that would, under certain rules that the community would agree to, be able to determine whether a pedigree existed in the supply chain.  Whether that information was available in the supply chain.  And then be able to retrieve that data if you wanted that distributed.  When we talk about centralized, then it’s less complex technically, but it’s more complex from a data governance standpoint.  Who gets to see what?  What do we reveal to the other trading partners?  And are we opening holes up in the system or not?”

Mr. Room:  “And as I understand, the other primary complication is how are downstream data partners privy to the certifications or the other…way…the non-tamperability that is placed on that data by their non-immediate trading partners.  In other words, how do they know for sure that whatever data was exported to a central cloud, or a decentralized cloud by a trading partner two or three removed from them, it’s reliable and non-tamperable?”

Mr. Celeste:  “Yeah.  And actually, one of the things that we have in the guideline—and this is a general concept—is the comparison of events as they take place through the supply chain.  So one of the things that you will see in the guideline is that the shipping event and the receiving event, and we ask the two trading partners to say what exactly…what they saw took place.  Do those two things say the same things or not?  Not to say that they are the same data…”

Mr. Room:  “Right”

Mr. Celeste:  “…but are they both truthful?”

Mr. Room:  “Right”

Mr. Celeste:  “‘I shipped something’, ‘I received something’, now we’ve got collaboration between the two trading partners.  And whether that means that we needed to lock those things or not, is another story.”

And that was it.


It seems to me that Mr. Room was attempting to bring out into the open the two things he sees as possible barriers to compliance in the use of EPCIS-based systems—particularly in a cloud-based architecture—for meeting the California pedigree law.  These appear to be:

  1. How the buyer of drugs can see all of the EPCIS event data that constitutes the full ePedigree for a drug, and
  2. How the users can encode the “certifications” that the law requires within a collection of EPCIS events that constitute all of the other data that is necessary in a pedigree.

By questioning Mr. Celeste, I think he was hoping to establish what these barriers are and perhaps how they might be overcome.  I get the impression that Mr. Room, and perhaps the Board, would really like to find some way that the industry can make use of GS1’s EPCIS standard, but do so in a way that still complies with the law.  He said as much at the December meeting.  That makes sense to me.  In fact, that seems to be exactly what the industry wants too.

For barrier 1) above, GS1 is working on the Network Centric ePedigree (NCeP) effort known as the GS1 Pedigree Security, Choreography and Checking Service (PSCCS) standard (which I have mentioned frequently in the last six months, for example, “’The Shadows Of Things That MAY BE, Only’ : EPCIS and California Compliance”).

That effort is not focused solely on meeting California pedigree regulations because it is a global effort, but because many of the participants are hoping to use it for that purpose, I am hopeful that the group will generate something that could be used to meet many track & trace, pedigree and unique identifier authentication regulations around the globe, including the one in California.

Mr. Celeste referred to that effort when he mentioned the “Discovery Services” and “Checking Service” standards.  Neither one is a standard yet so despite his implication, they are not usable yet and won’t be for a while.  And no one knows yet if those future standards can be used to meet the requirements of the law when they are complete.

For barrier 2) above, no one is formally working on solving that right now.  My hope is that the GS1 PSCCS effort will work on documenting a way that it might be done because I believe it has to be an integral part of the NCeP architecture and choreography, but there is no certainty they will.

I have written extensively on the topic of pedigree certification, starting as far back as August 2009.  In fact, it’s one of my favorite topics.  Here is a list of RxTrace essays that either address the concept directly or discuss it in part:

August 26th, 2009 Digital Signatures
May 24th, 2010 Inference in the Pharmaceutical Supply Chain
October 26th, 2010 Certifications In A California-Compliant Drug Pedigree
January 24th, 2011 Electronic Message Security and More on Certifications
February 14th, 2011 Attributes Of A Global Track & Trace Application
September 1st, 2011 California Board of Pharmacy Re-awaken
October 24th, 2011 Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 1
October 31st, 2011 Inspecting An Electronic Pedigree
November 14th, 2011 Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 2
December 17th, 2012 California Board of Pharmacy Clarifies Use Of GS1 EPCIS
January 7th, 2013 “The Shadows Of Things That MAY BE, Only” : EPCIS and California Compliance
February 4th, 2013 California ePedigree Uncertainty
March 11th, 2013 The New GS1 Healthcare US Track & Trace Guidance


I presented one way to circumvent the two barriers in the essay “’The Shadows Of Things That MAY BE, Only’ : EPCIS and California Compliance”.  See the sections “HOW ABOUT THIS WAY?” and “THE PEDIGREE CHECKING SERVICE”.  I don’t own these ideas, I just presented them here.  We can come up with ideas all day long, but they are all meaningless unless the Board offers some kind of indication that a particular idea could work or not.  It is hard to get anyone to invest time and expense to work on a GS1 group for months-on-end unless the industry knows that once its work is complete, the result will be something that could be used.  We don’t have enough time left to work on efforts that do not already have a high level of confidence that they will be accepted and therefore usable.

No one is looking for confirmation that if you use technology X you will be guaranteed to be compliant.  All the industry needs to know is that if they use technology X or technique Y, if they use it properly and with all of the correct information and the information is presented truthfully, they will not be out of compliance just because they made use of X or Y, or that something is still missing that they intended X or Y to provide.

And so I conclude that the Board must respond to ideas for overcoming these barriers or an EPCIS-based NCeP will never be accepted as an interoperable way for the industry to comply.  For that to happen, there needs to be a formal process for presenting the ideas that the Board should consider.


And here it is.  Also at the March meeting Joshua Room distributed copies of his current draft of proposed regulations for the separate topics of Certification, Inference and Inspections.  Because the draft was only made available on that date the Committee decided not to take any action on it except to request comments from the industry and the public.  You can find a copy of the handout in the “Additional Materials” link for the March Enforcement Committee meeting on the Board’s “meetings” page.  Or just click here.  The document starts on page 4 of this PDF.

I don’t expect to submit any formal comments to the Board, but that won’t stop me from publishing my thoughts on the topics here in RxTrace.  Watch for my commentary on the draft Certification regulation–the regulation that will determine whether or not an NCeP will be compliant or not–here real soon.