Open Credentialing Initiative


Guest Blog: Spherity — EU Digital Product Passports and enabling compliance in the US pharmaceutical supply chain

Reposted from Decentralized Identity Foundation Blog.

Spherity builds Decentralized Identity management solutions designed to power the Fourth Industrial Revolution. The company participates in standards-setting processes and interacts with developer, industry, and research communities to enable compliance and interoperability in increasingly complex technological and regulatory landscapes. Spherity is active in various industry segments, but currently has a focus on the pharma industry and works on circular economy topics.

We caught up with Dr Susanne Guth-Orlowski, Chief Innovation & Solution Officer, Christiane Wirrig, Product Manager CARO, and Ricky Thiermann, Product Owner Digital Product Passports, to learn about their work on Digital Product Passports in the EU, and promoting compliance with new pharmaceutical industry regulations in the US.

Why did you adopt a decentralized approach to implementing the EU Digital Product Passport, Susanne Guth-Orlowski?

The decision was taken by the European Commission (EC), not us. Currently manufacturers have to provide data such as product certifications for chemicals and automotive parts and energy labeling data for electronic products to central systems in order to comply with EU regulations (such as REACH and EPREL).

The EC knows how hard it is to set up and maintain these central systems and keep everybody happy. Supply chain actors in particular do not want to upload their data to centralized systems as they fear sharing business secrets and they have no control over their data once it is uploaded.

The EC saw that a use case as big as Digital Product Passports across multiple product segments, with supply chain actors scattered around the world, is very complex. It is difficult to set up a single platform to manage it and to satisfy the needs of all supply chain actors concerning business confidentiality.

How is Decentralized Identity being integrated alongside existing systems and standards?

This is an area where we’re working directly with the EC’s policy officers, participating in standardization groups at Stand.ICT and CEN/CENELEC, as well as contributing to research projects such as Battery Pass, CIRPASS and others. We’re bringing in decentralized concepts that enable the requirements to be met, incorporating W3C standards into the EU Digital Product Passport (DPP) specifications and designing and implementing Proof of Concepts (PoCs), such as our latest T-Shirt use case. Textiles are one of the first regulated product segments, and therefore we are using Decentralized Identifiers (DIDs) as a product identifier and resolver technology to reach the Digital Product Passport, and verifiable credentials for the product information.

What Decentralized Identity capabilities are you leveraging?

Information discovery is highly relevant in the DPP use case, and is fully solved by Decentralized Identifiers (DIDs). Being able to locate a product’s DID and obtain all kinds of information from the DID document or service endpoint(s) enables you to meet so many use cases, from compliance certificates to pointing end customers to the product website. There’s so much flexibility.

Verifiability is another major driver. If you’re using the DPP to query a product’s carbon footprint, you need to ensure you’re looking at verified data. Products with a large footprint will be taxed more, creating an incentive for fraud. We need to ensure we can validate the data is accurate.

Verifiability has several important ingredients.

The first is cryptographic standards and protocols including signature schemes.

Then there’s trust verification, which is the ability to trace documents and data back to the supply chain’s root of trust (such as the digital signature of a competent authority).

Finally, there are semantics and calculations. It is critical to have standardized definitions (such as Scope 3 emissions) and methods for calculating these values.

How are you handling product identification and data exchange?

For some products such as batteries, it makes sense to use Decentralized Identifiers (DIDs) from Day One. The end product’s digital passport will include the identifiers of all materials and components, which in turn will have their own passports. This makes it possible to validate the product’s carbon footprint by summing the footprints of the pre-products and checking that it tallies.

For other categories such as textiles, existing systems in retail are built around the Global Trade Item Number (GTIN) and Global Location Number (GLN). For those systems it will take some time until they can handle Decentralized Identifiers (DIDs) as globally unique identifiers.  

With regards to data exchange, we are looking at using different methods depending on the requirements. For example, a Verifiable Presentation request might be handled via OpenID Connect for Verifiable Presentations (OIDC4VP) for human identity use cases. On the other hand, we see the need for ongoing trusted connections between the supply chain actors associated with a finished product, so we are planning to use DID Communications (DIDComm) for data exchange within the supply chain.

Turning to CARO, Spherity’s credentialing service for US Drug Supply Chain Security Act (DSCSA) compliance, what value does Decentralized Identity bring in this use case, Christiane Wirrig?

The way the pharma industry is set up in the US requires a decentralized approach. The FDA (US Food & Drug Administration) doesn’t work like the EMA (European Medicines Agency). In the US, you have all these product repos sitting with the manufacturers themselves. Moreover, there’s no central register of participants in the supply chain.

From November 2023, supply chain actors, such as wholesalers and dispensers, will be required to verify the authenticity of the pharmaceutical product they are trading in a new way. Those opting for an automated solution can use a Verification Router Service (VRS) provider for the product verification. However, there’s still an unanswered question, namely how do the pharma companies know who’s enquiring and responding?

This is where CARO comes in. The solution enables participants in the pharmaceutical supply chain to obtain a Verifiable Credential confirming their Authorized Trading Partner (ATP) status. In combination with VRS, this enables them to prove their legitimacy and complete an electronic product enquiry in real time.

The US pharmaceutical supply chain sounds quite fragmented. How is this being coordinated?

In a decentralized ecosystem, it’s essential to provide a safe environment for information exchange as well as shared standards as pointed out earlier by Susanne. We saw the need for a neutral body to play the role of ecosystem coordinator. That’s why we are one of the founding sponsors of the Open Credentialing Initiative (OCI).

The OCI is where the industry comes together to agree the format of the ATP credentials, who is authorized to issue, hold and verify these and other considerations such as how to handle credential revocation.

Creating OCI was a stroke of genius because it lowers the barriers to entry for everyone. Service providers understand the required benchmarks and service users can expect interoperability and a degree of consistency across providers.

What Decentralized Identity capabilities are you leveraging in the CARO solution, Ricky Thiermann?

OCI has standardized on W3C Decentralized Identifiers and Verifiable Credentials. CARO allocates Ethereum-based did:ethr as unique identifiers to its users.

Veramo is one of the core libraries we use and to which we contribute. We also use DIF Credential Manifest, and some of the cryptographic signature pieces being standardized in DIF.

Hyperledger Aries RFCs and DIDComm are very important for CARO, and will be the standard for Presentation Issuance and Exchange between OCI-compliant wallet providers. Aside from the technical benefits, it’s also about ecosystem efficiency and lowering the market entry barriers. At the moment the service provider ecosystem is small and we still have the capacity for active collaboration to align on shared standards and processes to avoid homebrewed niche approaches. Imagine if even just a couple of issuers and a handful of wallets had to integrate with each other’s provider-specific hook-ups in every possible combination!

Using DIDComm, there’s no need for issuers and verifiers to integrate. Once you’ve put the work in upfront to comply with the specification, you’re interoperable by design. This allows for an open market to emerge, and will ultimately enable the solution to scale.

What value does DIF bring?

We need the standards to be out there and recognized in order to implement a solution around Decentralized Identifiers (DIDs) successfully. For that, we need a home that further develops Decentralized Identity technologies and specifications in a highly professional way, and closes any gaps that emerge around industry needs. For us, that’s what DIF brings to the table.