Re: Open behind the firewall?

Hi Phil,

Thanks for following up on that point.  The traffic light system is useful but might not be sufficient in all situations.

The use case I mentioned on today's DWBP call is about sharing of serial-level traceability information within supply chains using open data standards, but sharing on a 'need-to-know' basis. 
 
The GS1 EPCIS open standard [ http://www.gs1.org/gsmp/kc/epcglobal/epcis ] (together with the GS1 Core Business Vocabulary open standard) [ http://www.gs1.org/gsmp/kc/epcglobal/cbv ] provides a way for any organisation to represent and exchange real-world 'event data' (such as observations, packing/unpacking, transformations of input objects (ingredients) into output objects (products)) and to annotate these with the relevant business context (such as the business process step ('shipping', 'receiving', 'commissioning' etc.), disposition ('in_transit', 'damaged', etc.)) and the business transaction types and identifiers (such as purchase order numbers, shipping waybills etc.) that explain why a particular real-world event was happening.  EPCIS also provides an open standard query interface for retrieving such event data from a repository, with the ability to match/filter/select on various specified constraints, such as the location where the event took place, the type and identities of things (e.g. product classes, assets) participating in the event, the business process step (e.g. just show me 'shipping' events), transaction type and ID and even some prospective fields such as prospective business location (where the objects are expected to be following the event) or intended next custodian / owner.

So, EPCIS (together with CBV) provides an open standard data model and open standard query / capture interfaces for exchanging/retrieving/sharing event data.  These are currently defined abstractly, with bindings defined in XML, Web Services and AS2 - and mainly using URNs for defined codified values (e.g. for enumerations of values for business step, disposition, etc.)
The GS1 Core Business Vocabulary code lists are published openly within the GS1 Global Data Dictionary.  For example, you can find a list of CBV Business Step values at
http://apps.gs1.org/GDD/Pages/clDetails.aspx?semanticURN=urn:gs1:gdd:cl:EPCISBusinessStep&release=1  and 
http://apps.gs1.org/GDD/Pages/clDetails.aspx?semanticURN=urn:gs1:gdd:cl:EPCISDisposition&release=1

Eric Kauz and I are developing a GS1 Linked Data ontology, initially focusing on product master data rather than EPCIS event data, but drawing upon definitions in the GS1 Global Data Dictionary and GDSN data models, which are already published as open data, though admittedly not yet as 5-star open data - although our aim is that the GS1 Linked Data ontology will be 5-star open data and follow DWBP best practices.

However, much of that supply chain event data is commercially highly sensitive because it can reveal information about inventory volumes, production rates, trading relationships etc., when you have the ability to follow a uniquely identified object at each step of its journey as it moves through a supply chain from manufacturer, through distributors and wholesalers to retailers or providers (e.g. hospital pharmacies).  

Now of course there are valid reasons when it is important and justifiable to either have access to such data - or to be able to know that the captured traceability event data has been thoroughly checked and found to be plausible and free from any gaps and inconsistencies.  It is this approach which motivates the GS1 Event-Based Traceability work (in which I'm a co-chair / technical lead), in which we're developing further open standards to enable the secure sharing and automated checking of fine-grained traceability data against a number of test procedures, in order to detect the insertion of counterfeit products into legitimate supply chains.  The idea is that although counterfeiters can make increasingly convincing counterfeit products, there will be a mismatch in the traceability data for those product instances - or they won't be traceable all the way back to legitimate manufacturers.

For this reason, EPCIS event data is data that is exchanged using an open data standard [GS1 EPCIS / CBV] (for reasons of interoperability and supply chain efficiency), but whose commercial sensitivity means that it is not / cannot be published as completely open data available to all ('Green'), nor does it simply fall into the 'Red' or 'Amber' categories, since it is only acceptable to share it on a need-to-know basis, with organisations on the individual supply chain path, who actually handled that product.  

A further complication is that unlike the general 'Amber' situation, we have a specific challenge in determining whether a particular party requesting information was an actual downstream customer for that specific product instance with that specific serial number - or whether they are an outsider (maybe a competitor), outside of the actual supply chain path.  The reason this is challenging is that the individual path an object takes through a supply chain network is something that emerges over time, rather than being fully specified at the outset.   For example, a manufacturer might ship a pallet of several cases (cartons) of their product to a distributor, who then breaks the pallet down into individual cases and ships some cases to wholesaler 1 and other cases from the same pallet to wholesaler 2.  Each of these wholesalers might ship cases or even individual items of the product to different retail stores or hospital pharmacies.   The manufacturer knows the distributor they shipped to, but does not usually know what happened to their pallet of product after the first distributor received it.  This means that when a particular retailer or pharmacy asks the manufacturer (or any of the intermediate distributors or wholesalers) for traceability information about the product they have bought (or claim to have bought), the manufacturer cannot easily determine whether the party requesting the information actually received that product instance and has a right to know the traceability information for that serial number - or whether it might be a competitor making the request, to try to extract some competitive business intelligence that they're really not entitled to receive.

So, supply chain traceability information ('event data') is an interesting example of the use of GS1 open data standards (EPCIS, Core Business Vocabulary) for sharing data - but in an access-restricted manner, where the access control list is not trivial - but rather, something that depends on the emergent chain of custody / chain of trust as individual objects move through supply chains.

Strictly speaking, EPCIS repositories that host such event data can live either in the public space, behind the corporate firewall or in the demilitarised zone (DMZ), in the sense that they're not behind the corporate firewall but still have a security framework and access control restrictions.  There are also solution providers offering multi-tenant secure hosted repositories for such event data.

If anyone is further interested in this example, I can write this up as an additional use case for DWBP.  You can already find some public-facing information on the Event-Based Traceability work under development at http://www.gs1.org/healthcare/ebt_sc and http://www.gs1.org/healthcare/standards , including a narrated video presentation (about 15 minutes long).  Further information about the GS1 EPCIS open standard (including a presentation) is available at http://www.gs1.org/gsmp/kc/epcglobal/epcis

Best wishes,

- Mark



On 25 Jul 2014, at 16:14, Phil Archer <phila@w3.org> wrote:

> Today's discussion on 'open data behind the firewall' was very interesting I think and it's perhaps something we might pursue somehow.
> 
> I'm about to write up the Share-PSI workshop that we held in Samos at the start of the month and so I'm looking through all the presentations again [1]. The first one was from the Norwegian government and they have a traffic light system for their data:
> 
> Red: For internal use and the customer's use only.
> 
> Amber: data to be shared between public sector organisations and the customer.
> 
> Green: Open for all
> 
> (see slide 2 of Heather Broomfield and Steinar Skagemo's presentation [2]).
> 
> The Share-PSI workshop seemed impressed by this idea and it has proved useful to the Norwegian public sector.
> 
> WDYT?
> 
> Phil.
> 
> 
> [1] http://www.w3.org/2013/share-psi/workshop/samos/agenda
> [2] http://www.w3.org/2013/share-psi/workshop/samos/no
> 
> 
> 
> -- 
> 
> 
> Phil Archer
> W3C Data Activity Lead
> http://www.w3.org/2013/data/
> 
> http://philarcher.org
> +44 (0)7887 767755
> @philarcher1
> 


Received on Friday, 25 July 2014 17:04:29 UTC
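
The need-to-know check described in the reply above (a requester is entitled to traceability data for a serial only if it sits on that serial's emergent chain of custody), as an added sketch that is not part of the original thread and is not taken from any GS1 specification. It assumes simplified, constructed event records held in one repository per party, that the checker can read each repository along the path, and that a hop counts only when the recipient's own 'receiving' event confirms it; all party names, object identifiers and field names are hypothetical.

```python
# Constructed sample data: one event list per party's own repository.
# Field names (step, objects, parent, to) are illustrative, not the EPCIS schema.
REPOS = {
    "manufacturer": [
        {"step": "packing", "parent": "pallet-A", "objects": ["case-1", "case-2"]},
        {"step": "shipping", "objects": ["pallet-A"], "to": "distributor"},
    ],
    "distributor": [
        {"step": "receiving", "objects": ["pallet-A"]},
        {"step": "unpacking", "parent": "pallet-A", "objects": ["case-1", "case-2"]},
        {"step": "shipping", "objects": ["case-1"], "to": "wholesaler-1"},
        {"step": "shipping", "objects": ["case-2"], "to": "wholesaler-2"},
    ],
    "wholesaler-1": [
        {"step": "receiving", "objects": ["case-1"]},
        {"step": "shipping", "objects": ["case-1"], "to": "pharmacy-X"},
    ],
    "wholesaler-2": [{"step": "receiving", "objects": ["case-2"]}],
    "pharmacy-X": [{"step": "receiving", "objects": ["case-1"]}],
}

def custody_path(repos, origin, serial):
    """Walk repository to repository, following one serial through packing/unpacking."""
    path, party, container = [], origin, None
    while party is not None and party not in path:   # 'not in path' stops on cycles
        path.append(party)
        nxt = None
        for ev in repos.get(party, []):
            objs = ev["objects"]
            if ev["step"] == "packing" and serial in objs:
                container = ev["parent"]              # serial now travels inside the pallet
            elif ev["step"] == "unpacking" and ev["parent"] == container and serial in objs:
                container = None                      # serial is visible on its own again
            elif ev["step"] == "shipping" and (container or serial) in objs:
                nxt = ev["to"]
                break
        moving = container or serial
        # A hop counts only if the recipient's own repository confirms receipt.
        received = any(e["step"] == "receiving" and moving in e["objects"]
                       for e in repos.get(nxt, []))
        party = nxt if received else None
    return path

def may_query(repos, origin, serial, requester):
    """Need-to-know decision: requester must be on the serial's custody path."""
    return requester in custody_path(repos, origin, serial)
```

Because both cases left the manufacturer on the same pallet, a check based only on the manufacturer's own shipping event cannot tell wholesaler-1 from wholesaler-2; the distinction appears only once the distributor's unpacking and onward shipping events are followed.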