The document summarizes a presentation given at the 44th Hawai’i International Conference on System Sciences about enabling RFID technology in pharmaceutical supply chains. It describes a formal model for representing supply chain entities and roles, presents a quantitative analysis of network traffic for a sample US supply chain, and evaluates security considerations for different roles. The model accounts for relationships between business entities and handling units from individual items to transport vehicles. Network traffic is estimated at 234.92TB annually for a supply chain with 15 billion goods and 7 links. Security is addressed through authentication, on-tag mechanisms, and a proposed "service provider for anti-counterfeiting" role.

1. A Formal Model for Enabling RFIDin Pharmaceutical Supply Chains 44th Hawai’i Int’l Conference on System Sciences 4-7 Jan, 2011 – Koloa, Kauai, Hawaii Matthieu-P. Schapranow Hasso Plattner Institute

2. Agenda Key Facts about the Hasso Plattner Institute European Pharmaceutical Supply Chain Formal Model Quantitative Analysis of Service Provider Contributions HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 2

3. Key Facts about the Hasso Plattner InstituteInternals Founded as a public-private partnershipin 1998 in Potsdam near Berlin, Germany Institute belongs to theUniversity of Potsdam Ranked 1st in CHE 2009 and 2010 500 B.Sc. and M.Sc. students 10 professors, 92 PhD students Course of study: IT Systems Engineering HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 3

4. Key Facts about the Hasso Plattner Institute Research Group Hasso Plattner / Alexander Zeier Research focus: real customer data for enterprisesoftware and design of complex applications In-Memory Data Management for Enterprise Applications Human-Centered Software Design and Engineering Maintenance and Evolution of SOA Systems Integration of RFID Technology in Enterprise Platforms Cooperations Academic: Stanford, MIT, etc. Industry: SAP, Siemens, Audi, etc. HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 4

5. Key Facts about the Hasso Plattner InstituteWhat can we do for you? Network between industry and academia,e.g. European section of the Curriculum RFID seminars for graduate / undergraduate students Trends & concepts lecture (Prof. Hasso Plattner) Enterprise Application Architecture Laboratory Enterprise software, e.g. SAP, Microsoft, etc. Equipped RFID Lab, e.g. deister electronic, noFilis, etc. Concrete sizing and simulation of customer supply chains HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 5

6. European Pharma Supply ChainManufacturing HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 6

7. European Pharma Supply ChainCounterfeits HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 7

8. Formal ModelBusiness Entities Belongs-To Relationship: soft relationship between business entities b for identification purposes, e.g. bi Coupling/Decoupling: tight relationship,e.g. epci +authi= tagi Degree: Number of boxing operations k Handling Unit: possible degrees k=0: atomic business entity bi k=1: product package holding bi k=2: transport package, e.g. paper box k=3: re-usable transport package, e.g. pallet or skeleton k=4: transport container, e.g. for transportation on ships k=5: freight vehicle, e.g. ship HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 8

9. Formal ModelBusiness Entities (cont’d) Boxing/Unboxing: merge/splitset of items Events: virtual product history stored in EPCIS repositories HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 9

10. Formal ModelRoles (Europe) Main Roles [1] A: Manufacturer: ~2.2k B: Center of Distribution: ~50k E: Licensed Dealer: ~140k D: Service Provider forAnti-Counterfeiting Other Roles C: Logistics Provider F: End Consumer HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 10

11. Formal ModelRoles (Europe) Main Roles [1] A: Manufacturer: ~2.2k B: Center of Distribution: ~50k E: Licensed Dealer: ~140k D: Service Provider forAnti-Counterfeiting Other Roles C: Logistics Provider F: End Consumer HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 11

12. Quantitative Analysis of Service ProviderSupply Chain Configuration for U.S. 1 Pharmaceutical Manufacturer 1 Center of Distribution 3 Logistics Provider 2 Wholesale Distributors HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 12

13. Quantitative Analysis of Service ProviderData Flow for U.S. Pharma Supply Chain Retailer sends product check request to service provider(12 Byte EPC) Service provider contacts involved EPCIS repositories(12 Byte EPC) EPCIS repositories return event sets to service provider(728 Byte / 4 events in avg., i.e. 1x in, 2x observe, 1x out) Service provider(12 Byte EPC + 4 Byte authentication details) Protocol overhead IP: 20 Byte UDP: 8 Byte HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 13

14. Quantitative Analysis of Service ProviderNetwork Traffic Network traffic c, p pharmaceutical goods, supply chain length l For p=15 billion and l=7: c=234.92TB / 32,475USD per year[2] Costs are adequate and can be handled by supply chain roles [3] HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 14

15. Quantitative Analysis of Service ProviderSecurity Evaluation Manufacturer: prevent unrecognized EPC reading, e.g. by mutual authentication schemes [4] Center of distribution: on-tag security implementations, e.g. physically unclonable functions [5] or predefined passwords [6] Logistics provider: kill command [7], service providers for anti-counterfeiting Wholesale Distributors: tracking and tracing via reader gates End consumers: digital advice letter, service provider [8] HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 15

16. Our Contributions Developed a formal model for RFID-aided supply chains Validated in context of the pharmaceutical supply chain roles Introduced separate role “service provider for anti-counterfeiting” Performed a quantitative analysis for the service provider Monetary impact for concrete supply chain sizing evaluated Security evaluation per supply chain role HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 16

17. References [1] J. Müller, C. Pöpke, M. Urbat, A. Zeier, and H. Plattner, “A Simulation of the Pharmaceutical Supply Chain to Provide Realistic Test Data,” in Proceedings of the International Conference on Advances in System Simulation, 2009 [2] Assuming Amazon EC2 mean network traffic costs per GB approx. 0.135 USD [3] M.-P. Schapranow, M. Nagora, and A. Zeier, “CoMoSeR: Cost Model for Security-Enhanced RFID-Aided Supply Chains,” in Proceedings of the 18th International Conference on Software, Telecommunication and Computer Networks, 2010 [4] M.-P. Schapranow, A. Zeier, and H. Plattner, “A Dynamic Mutual RFID Authentication Model Preventing Unauthorized Third Party Access,” in Proceedings of the 4th International Conference on Network and System Security, 2010. [5] P. Tuyls and L. Batina, “RFID-Tags for Anti-Counterfeiting,” in Proceedings of the RSA Conference, 2006, pp. 115–131. [6] M.-P. Schapranow, J. Müller, S. Enderlein, M. Helmich, and A. Zeier, “Low-Cost Mutual RFID Authentication Model Using Predefined Password Lists,” in Proceedings of the 16th International Conference on Industrial Engineering and Engineering Management, 2009. [7] A. Mitrokotsa, M. R. Rieback, and A. S. Tanenbaum, “Classifi- cation of RFID Attacks,” in Proceedings of the 2nd International Workshop on RFID Technology, 2008, pp. 73–86. [8] M.-P. Schapranow, J. Müller, A. Zeier, and H. Plattner, “RFID Event Data Processing – An Architecture for Storing and Searching,” in Proceedings of the 4th International Workshop on RFID Technology - Concepts, Applications, Challenges, 2010. HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 17

18. Thank you for your interest!Keep in contact with us. Responsible: Deputy Prof. of Prof. Hasso PlattnerDr. Alexander Zeierzeier@hpi.uni-potsdam.de Matthieu-P. Schapranow, M.Sc. matthieu.schapranow@hpi.uni-potsdam.de Hasso Plattner InstituteEnterprise Platform & Integration ConceptsMatthieu-P. SchapranowAugust-Bebel-Str. 8814482 Potsdam, Germany HICSS11, Enabling RFID in Pharmaceutical Supply Chains, Schapranow, Jan 6, 2011 18