A year ago, at INTERPHEX, the RFID Security Alliance described the considerations in implementing RFID as a security solution within the global supply chain (GSC), with regard to asset tracking. [The key points were summarized in the May 2009 issue of Pharmaceutical Processing.] Last month at INTERPHEX New York, members of the RFID Security Alliance presented a session on the progress being made in the implementation of RFID. The present article recaps the most recent discussion on how RFID technology is advancing as a secure solution to ensure the integrity of the global supply chain.
There can be no doubt that the pharmaceutical industry landscape is changing. Contraction within the U.S. market, coupled with the maturation of the emerging markets has transformed conventional thinking with regard to business competitiveness. There are very few businesses in therapeutic product development that do not include some sort of overseas strategy. Extending the supply chain has become a mainstay of most competitive strategies.
Along with this expansion, the challenges in securing products as they move through the supply chain have continued to escalate. The United Nations estimates that the business of counterfeit drugs has climbed to over $500 billion and is responsible for at least 700,000 deaths a year 1. In the U.S., drug diversion and counterfeiting cost our industry approximately 10 percent of total revenue.
The FDA has not ignored the issue of securing the expanding supply chain: it issued its first guidance on e-pedigree in 2006. The basic concept of an e-pedigree is to create a digital audit trail using digital signatures layered one upon the other to demonstrate control and verification at all key phases of the supply chain. Today, several technologies can achieve this type of integrity. However, taking into account the potential for illicit data acquisition and other handling considerations when you attempt to link an e-pedigree with an individual container, from a technology platform perspective the clear front-runner is RFID. The FDA built upon its initial direction and in March 2010 issued its latest final regulation: Guidance for Industry Standards for Securing the Drug Supply Chain – Standardized Numerical Identification for Prescription Drug Packages. The document describes employing a unique identifier called a Standardized Numerical Identifier (SNI) that consists of the 10-digit National Drug Code (NDC) and a 20-character alphanumeric or numeric serialization code. The guidance specifically lists RFID as well as 2-D bar coding as the preferred technology platforms for implementing the SNI.
Nonetheless, this guidance focuses on the final unit of sale and does not address the intermediate steps of the manufacturing supply chain. Outside of the FDA there are other sources of information that speak to the considerations and requirements for effectively implementing an RFID solution as part of the supply chain. EPC Global and its implementation arm GS1 have established global standards for implementing RFID within the supply chain. ISO has also issued a number of guidances pertaining to the use of RFID within the supply chain although only two are specific to the RFID tag—ISO18000-6C—which is specific to UHF tags, and ISO 15693 which is specific to HF standard. Depending upon the technology being considered (e.g. UHF, HF, etc.), the proposed standards are in place.
The promise of RFID is undeniable, but it is important to understand its technological limitations before launching into an RFID implementation. RFID tags can be grouped into four basic categories: passive tags, semi-passive tags, semi-active tags and active tags. Passive tags are by far the mostly broadly implemented and span several market sectors. These tags are designed to simply store data that can be read by a reader. They are the lowest priced technology, hovering around a $1-$0.60 a tag and can be as low as $0.05 in volume. They do not possess any intelligence or security. Semi-passive tags use power for sensors and can transmit as a passive platform when queried by a reader. Semi-active tags can initiate transmission like an active tag, but do not stay on all the time. Finally, we come to active tags. These typically come equipped with a lithium battery and can emit a signal periodically. The sky is the limit for these tags in terms of pricing: they can easily cost from $20 to $150 per unit.
Understanding what the supply chain needs is one key element in selecting the appropriate tag: another is recognizing the risks of implementation. Take the example of a standard 433 MHz active tag with its typical broadcast range of 100 yards. There are sensitive listening devices, easily acquired, that can detect it from over a mile away. Active tags offer the advantage of high-speed real-time communication and, at their most basic, provide continuous information. Anyone intending to track a high value supply chain could easily have continuous access to such information. For this reason, supply chains that are worried about adulteration and diversion prefer to employ RFID technology that does not continuously emit a signal.
Modern supply chains have the potential to move from real-time visibility and tracking to sophisticated modeling and predictive capability. There are many companies looking to build a cost effective active tag that will effectively balance price against performance. Small entrepreneurial companies such as Secure RF and Verayo have recognized that passive tags make up the majority of the market. They have developed specific algorithms and tag technology that will allow the user, using standardized protocols, to authenticate and transmit information securely. Other technologies provide authentication by exploiting the unique harmonic signature of a silicon crystal. Verayo uses their patented Physical Unclonable Functions (PUF) technology to create an instantaneous and unique identifier which cannot be cloned or duplicated.
Academia has been pushing the envelope of RFID technology, looking to utilize nanotechnology to make RFID tags cheaper without compromising functionality. Researchers from Suncheon National University in South Korea and Rice University in Houston have built an RFID tag that can be printed directly onto cereal boxes and potato chip bags. The tag uses ink laced with carbon nanotubes to print electronics on paper or plastic that could instantly transmit information about any package (see Figure 1).
Figure 1. Flexible RFID Tag using Nanotechnology
Two of the largest suppliers of RFID technology in the marketplace are Motorola and Alien Technologies. Both suppliers provide RFID solutions designed to handle real-time and batched track and trace information. These solutions enjoy the greatest success in markets where asset tracking is the primary concern.
The reality emerging from RFID implementations within the industry is that technology by itself cannot be a panacea. The technology must be combined with systems and solutions that will manage the risk appropriately through the supply chain. Every implementation should begin with a Threat Assessment. This is a risk management tool, not unlike a failure modes and effects analysis (FMEA), designed to identify, prioritize and rank the risk of an intervention to the supply chain.
An example of a threat model is shown below in Figure 2:
Figure 2. Threat Model (courtesy of GraniteKey)
Burdening the RFID tag with the total responsibility for security is high risk. Many levels of risk can be mitigated using a conventional threat reduction approach short of deploying RFID. In some cases threat can be diminished by simply restricting physical access to the server database that controls the critical supply chain data. A simple approach that has been implemented in many overseas contract services operations where intellectual property is an issue is to use computerized systems that restrict the ability to print or the ability to download information. Technology allows us to combine security measures in order to achieve the level of security necessary to meet our business practices. Stealth technology is available today that will make your network invisible to hackers attempting to learn about your supply chain. This type of technology makes it very difficult to exploit the current security weaknesses of RFID.
As we expand our overall supply chain, the need for balancing supply chain visibility and supply chain integrity becomes increasingly more difficult. RFID presents an opportunity for the industry to physically tie together a true e-pedigree to each individual container. However, performance comes with a price, particularly if security is the issue and the primary technology still being considered is passive RFID tags. To be successful we must combine these technologies with supportive technologies and practices to reduce the risk of diversion or adulteration within the supply chain. If you consider the supply chain in a broad sense, together with the business’ network, then the security approach should mimic our IT infrastructure utilizing hardware, software procedures and risk management tools to ensure security and GxP compliance. The future of RFID in our supply chain leaves no doubt, but we have not reached a point in its development where it can be the magic bullet we are looking for to secure our overall supply chains. It is one part of the remedy, but not the cure.
1 Keeping It Real – Protecting the world’s poor from fake drugs, May 5, 2009, International Policy Network