Status of this Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document.

This is a living OCI Document developed by OCI Members with input from relevant interested parties. It is anticipated that the contents of this document will be reviewed and updated to address any applicable feedback. A list of current public OCI Documents, including Conformance Criteria, can be found in OCI's GitHub repositories.

This document lays out the terms and conditions of OCI's governance.

Purpose

The Open Credentialing Initivative (OCI) was started as an Incubator of the Center for Supply Chain Studies. This document is based on the original Charter with necessary additions relating to governance details not previously recorded.

OCI is an open source initiative. All artifacts created by OCI are governed under the Apache 2.0 license (collaborative, open source software development).

As OCI artifacts are used by US pharmaceutical trading partners to comply with the Drug Supply Chain Security Act (DSCSA), other laws, regulations and industry consensus agreements and international standards, it is imperative that the OCI architecture design and maintenance is guided by industry participants (trading partners), regulators and stakeholders.

Hence, OCI encourages contributions from OCI member and non-member companies and individuals by following the processes described in this document. In particular, contributors should note the applicable license and required contributor assertions.

General Terms and Abbreviations

• Deliverable means all versions of the material developed by a Working Group for the purpose of creating, commenting on, revising, updating, modifying, or adding to any document that is to be considered for inclusion in OCI publications or releases.
• DSCSA (Drug Supply Chain Security Act) refers to an act of the U.S. Congress. Find more information on the FDA website.
• Ethereum smart contract refers to one or more self-contained programs run on the Ethereum blockchain that automatically execute when predetermined conditions are met.
• Incubator means the name of the Incubator that was established under the original Incubator Charter as a Center for Supply Chain Studies Incubator. Here this is the Open Credentialing Initiative (OCI).
• Incubator Charter means the agreement that establishes the Incubator under Center for Supply Chain Studies that this Incubator operates under.
• Industry Alignment Session refers to an open meeting intended to involve OCI members as well as representatives from organizations that are not directly associated with OCI but who have an interest in the OCI architecture and processes. Participants may be pharmaceutical industry business experts, compliance specialists, technical experts, or other relevant pharmaceutical industry professionals.
• OCI Member means a party, and that party’s Affiliates, that has executed the OCI Membership Agreement at any membership level offered, unless that OCI member has withdrawn or been terminated from the Incubator. An Affiliate is an entity that directly or indirectly controls, is controlled by, or is under common control of an entity. Control means direct or indirect control of more than 50% of the voting stock or decision-making authority.
• Supermajority Vote means an affirmative vote of no less than 3/4 of Steering Members or Working Group Participants, as applicable, that have attended/participated in at least 50% of the last 4 meetings of the group conducting the vote, where each Steering Member or Working Group Participant will receive only 1 vote regardless of how many individuals from that Steering Member participate. To ensure the group is capable of making decisions, the voting requirement for attendance/participation of at least 50% of the last 4 meetings shall be waived if there have not yet been 4 meetings.
• Trusted Issuer Registry refers to a public register of OCI-approved credential issuers in compliance with the OCI Credential Issuer Conformance Criteria.
• Trusted Issuer Registry Statekeeper means a person or entity with the technical capability and permission to change the Trusted Issuer Registry.
• Trusted Issuer Registry voting refers to the signing of a smart contract transaction to amend Trusted Issuer Registry parameters. This way the Statekeepers enact the decision of the Steering Committee with the smart contract.
• Working Group means a working group established under this Incubator to develop Deliverables within the Scope, i.e. a description of the deliverables that a given Working Group will develop. Each Working Group must have a Scope.
• Working Group Participant means an OCI Member who has joined a Working Group by indicating either in the Membership Agreement or subsequently in writing to the Facilitator that they have joined a Working Group.

What is a contribution?

A Contribution comprises any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted for inclusion in OCI Deliverables. For the purposes of this definition, “submit” means any form of oral or written communication for the purpose of discussing and improving the Deliverable but excluding communication that is conspicuously designated in writing as not a Contribution.
A Contribution to OCI encompasses the following:

• written submission of ideas, suggestions, drawings, or other content submitted via OCI GitHub;
• written submission of ideas, suggestions, drawings, or other content submitted via the OCI website;
• written submission of ideas, suggestions, drawings, or other content submitted directly to the OCI Facilitator, a member of the OCI Steering Committee, or a member of the OCI Policy and Architecture Committee;
• verbal submission of ideas, suggestions, or other content made in OCI meetings or conversations with OCI members and other interested parties at which the Contributor has been made aware of OCI's contribution process

A Contributor may be an OCI Member, a DSCSA-related organization, a technical standards body, a public organization or person, or any other interested party.

Incubator within the Center for Supply Chain Studies

The Center for Supply Chain Studies hosts and facilitates industry-wide Studies as a way to openly exchange ideas, share expertise and explore the complex regulatory and operational issues facing today’s supply chain. Additionally, the Center offers Incubator support with a structure similar to its industry-wide Studies to groups of collaborating companies that are in the early process of implementing industry benefiting processes, technologies, and initiatives. The purpose of an Incubator project is to provide enough support to allow the Incubator Members to launch an initiative into a more formal structure or establish relationships with other organizations to transfer the initiative’s artifacts, activities, and discussions.

Incubator sponsors and participants are able to remove administrative burdens by leveraging the Center’s resources – freeing them to pursue the explorative goals that brought them together in the first place. All members will conduct industry-wide studies, private studies, and other Incubator work in accordance and in compliance with all applicable anti-trust laws and provide an educational environment for the benefit of the industry at large.

Incubator Charter

The original “Incubator Charter” established the intial terms under which this project operates as an Incubator of the Center for Supply Chain Studies (the “Center”). The Center provides resources for the duration of the project as well as confirming that Incubator Participants conduct their activities in accordance with the Center’s corporate purpose and policies, such as its non-profit status, accounting, and regulatory guidelines. Incubators are otherwise independent. The Incubator Charter was entered into and made effective as of March 1, 2021 (“Effective Date”).

Membership

Membership Agreement

The Membership Agreement is a separate stand-alone document that is provided by OCI on the OCI website or on request. Organizations join OCI as official members upon signing the Membership Agreement.

Membership Levels

Each OCI Member company must assign a Steering Member from the organization that will participate on the Steering Committee. All other individuals from a Member company can participate at other membership levels.

• Steering Member. Steering Members may participate in each Working Group and, unless waived per the Membership Agreement, the Steering Committee.
• General Member. General Members may participate in each Working Group, but do not participate on the Steering Committee.
• Associate. Associates may participate in each Working Group, but do not participate on the Steering Committee and are not eligible to participate in decisions that require a Supermajority Vote.

Representations, Warranties and Disclaimers

OCI Members and the Center represent and warrant that they are legally entitled to grant the rights and promises set forth in the Membership Agreement . IN ALL OTHER RESPECTS THE CONTRIBUTIONS ARE PROVIDED "AS IS." The entire risk as to implementing or otherwise using an OCI Deliverable is assumed by the implementer and user. Except as stated herein, OCI Members expressly disclaims any warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to the material. IN NO EVENT WILL THE CENTER, ANY STEERING MEMBER, ASSOCIATE, OR CONTRIBUTOR BE LIABLE TO ANY OTHER PARTY FOR LOST PROFITS OR ANY FORM OF INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER FROM ANY CAUSES OF ACTION OF ANY KIND WITH RESPECT TO THIS AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE OTHER MEMBER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Organization

• Steering Committee. The Steering Committee is the body that is responsible for governing the Incubator, identifying new Working Groups, tracking Working Group progress, ensuring Working Group meet their goals, etc.
• Facilitator. The Incubator has a Facilitator whose responsibilities are set forth in the Series Agreement and include organizing meetings, organizing voting, and any other activities approved by the Steering Members.
• Operations. Administrators support the Facilitator, Working Group activities and perform any other tasks necessary for OCI's operations.
• Advisors. Advisors are outside subject matter experts called upon by the Steering Committee for a set period.

Decision-making

• Consensus/Voting/Approval. The Steering Committee and each Working Group will endeavor to make all decisions by consensus. Where the Steering Committee or Working Group cannot reach consensus with respect to a particular decision, the Steering Committee or Working Group will make that decision by a Supermajority Vote of the Steering Members or Working Group Participants, as applicable.
• Notifications and Electronic Voting. The Facilitator is responsible for issuing all notifications of meetings and votes of the Steering Members and each Working Group chair is responsible for issuing all notifications of meetings and votes of the Working Group for which it is the chair, in each case subject to the following minimum criteria:
  (i) in-person meetings require at least 30 days prior written notice,
  (ii) teleconference meetings require at least 2 days prior written notice (this requirement only applies to the notification of the first meeting of automatically recurring teleconference meetings),
  (iii) electronic votes require no advance notice but must be made pursuant to a clear and unambiguous ballot with only “yes” and “no” options, and the voting must remain open for no less than 7 days. These notification requirements with respect to the Incubator or that particular Working Group may be overridden upon unanimous consent of all Steering Members or all applicable Working Group Participants that have attended and participated in at least 50% of the last 4 meetings of the Incubator or Particular Working Group.

Working Groups

• Working Groups. The Incubator may have multiple Working Groups, and each Working Group will operate as set forth in this Section and any additional agreements made within the Working Group.
• Working Group Chair. Each Working Group will designate at least one chair for that Working Group. A Working Group may select a new chair upon approval of the Working Group Participants.
• Working Group Requirements. Each Working Group must be comprised of at least 2 Working Group Participants. No Working Group Participant will be permitted to participate in a Working Group without first joining the Working Group.

Trusted Issuer Registry Governance

Overview

OCI maintains a Trusted Issuer Registry. To this end, it employs an Ethereum smart contract managed by so-called Statekeepers. They execute the Steering Committee’s decisions concerning the Trusted Issuer Registry and report to the Steering Committee.

Steering Committee Oversight

The Steering Committee SHALL be accountable and responsible for the Trusted Issuer Registry management. The voting on decisions concerning the Trusted Issuer Registry SHALL follow OCI’s Governance section Decision Making.

Following a decision, the Steering Committee SHALL request from the Trusted Issuer Registry Statekeepers to update the Trusted Issuer Registry.

The initial Statekeepers SHALL be assigned by the Steering Committee following the afore-mentioned OCI decision-making process. Any subsequent changes to the initial list of Statekeepers SHALL follow the process described in this chapter.

Trusted Issuer Registry Statekeeper

Statekeepers are OCI member organizations responsible for maintaining and updating the Trusted Issuer Registry on behalf of the Steering Committee. Statekeepers SHALL amend the Trusted Issuer Registry only upon approval by the Steering Committee. Statekeepers report to the Steering Committee.

Each Statekeeper SHALL have the permission and technical capability to sign Trusted Issuer Registry transactions. By signing, the Statekeeper exerts their voting power. Only when a transaction is signed in accordance with the respective governance parameters, will the smart contract be updated.

Each Statekeeper SHALL procure and employ a hardware wallet for storing and managing the Ethereum wallet that facilitates the Trusted Issuer Registry management. Statekeepers SHALL use the OCI-provided dApp to manage the Trusted Issuer Registry.

The executing Statekeeper MAY be a single assigned individual within the OCI member organization or represented by a multi-signature wallet. The latter is effectively a shared account, which can be managed by multiple individuals within the organization. Each Statekeeper has only 1 organizational vote regardless of the number of representing individuals.

Trusted Issuer Registry Parameters

The scope of registry management and corresponding voting thresholds are as follows:

Note 1
The Trusted Issuer Registry captures Credential Issuers in the form of their unique identifier (DID). A Credential Issuer MAY be associated with more than one DID. However, a single DID SHALL only ever be associated with one Credential Issuer. As far as Trusted Issuer Registry management is concerned, each DID is regarded as a single Credential Issuer. Thus, the addition or removal of each DID SHALL be subject to approval by the Steering Committee.

Reference Set-up for Performance Testing

Purpose

To enable standardized performance testing of service providers’ systems that yields comparable results, OCI provides an openly accessible test set-up intended for:

• Checking whether the technical implementations perform within the expectations stated in the current conformance criteria;
• Understanding the performance impact of (proposed) design changes in OCI’s specifications;
• Confirming the performance of incoming new service providers.

OCI encourages any interested party to vet and comment on any of the open-sourced material.

Scope

While OCI makes the reference material for performance testing publicly available and encourages service providers to use it, OCI does not intend to coordinate test runs unless tasked to do so. Testing efforts are assumed to be driven and managed by service providers.

Data Ownership

Any service provider who uses OCI’s reference material to generate test data remains the owner of that data. OCI encourages service providers to submit data to OCI for publication in its GitHub repository and processing by OCI. The following terms apply to such shared data (see also Figure 1 below).

Boundaries of Transparency

OCI will replace company names with anonymous OCI identifiers before processing and publishing any shared data. OCI will maintain a confidential file containing mapping actual company names with OCI identifiers. Access to this file will be limited to the OCI admin(s) overseeing the performance test.

For any coherent test runs, OCI will maintain the same public OCI identifier for the same solution provider across all test conditions so that data can be directly compared. The OCI identifier will be changed haphazardly between test runs that do not belong together, so a correlation of individual service provider performance across time is impossible. Each service provider may know their own OCI identifier.

As part of the data anonymization, the solution provider is expected to remove any details from the raw data considered confidential by the service provider before sharing any data with OCI. For each test flight, the essential data required for analysis are:

• Requester Digital Wallet Provider
• Requester VRS Provider
• Responder Digital Wallet Provider
• Responder VRS Provider
• Timestamp & corrUUID of all VP Generate request initiations
• Timestamp & corrUUID of all VP Generate response receipts
• Timestamp of all VRS request initiations
• Timestamp of all VRS response receipts
• Timestamp & corrUUID of all VP Verify request initiations
• Timestamp & corrUUID of all VP Verify response receipts

Service providers may retract consent for publication of their raw or OCI-processed data.

Data Processing

Any service provider who makes data available to OCI for publication agrees that OCI processes that data in line with the reference guide for data processing, which itself is publicly available in OCI’s dedicated GitHub repository.

In general, OCI’s data processing involves basic mathematical calculations without interpretation in any applied industry context and without concluding recommendations to solution providers. OCI may evaluate calculated performance results with reference to its own approved Conformance Criteria.

Processed data will be published for scrutiny by independent external parties.

Contributions

Any OCI Member or external party makes Contributions to OCI in agreement with the Apache License, Version 2.0 (the “License”). All published OCI material is licensed under this License; OCI material may not be used except in compliance with the License. A copy of the License may be obtained at apache.org. Unless required by applicable law or agreed to in writing, OCI-published material distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

OCI Architecture Contribution and Change Process

The OCI Steering Committee has approved authors (Document Authors, Code Authors, etc.) within the OCI Policy and Architecture Committee who are responsible for managing Contributions and communicating with contributors. The Policy and Architecture Committee has a process to vet document and code changes resulting from Contributions against requirements provided by industry trading partners and other stakeholders.

1. A Contribution or Change Request SHALL be submitted via the afore-mentioned dedicated communication paths provided by OCI.
2. The Policy and Architecture (P&A) Committee performs a detailed assessment and impact analysis to derive an initial decision about the validity and extent of the proposal. Where further consultations with other organizations or experts are required, these will be carried out as appropriate. The Policy and Architecture Committee also keeps the Steering Committee informed regularly about received change requests and their evaluation.
3. If the proposal is not deemed worthy of any further consideration, the Policy and Architecture Committee will inform the Contributor.
4. Should the Policy and Architecture Committee approve the change request and it does not constitute a substantive change to existing OCI rules or requirements, it will be scheduled for implementation. The result will be published and the Contributor informed.
5. Should the Policy and Architecture Committee approve the change request and it constitutes a substantive change to existing OCI rules or requirements, it will be proposed to the Steering Committee.
6. The Steering Committee assesses whether further consultations with industry professionals are needed to ensure alignment with industry needs.
7. If the Steering Committee does not see any need for further enquiry with industry professionals, the proposal will not be taken to an Industry Alignment Session. The Steering Committee will decide whether to approve the Request. If it is rejected, the Contributor will be informed by the Steering Committee. If the change request is approved, it will be scheduled for implementation. The result will be published and the Contributor informed.
8. If the Steering Committee deems it necessary to enquire with industry professionals, the change request will be proposed at the next possible Industry Alignment Session. The Contributor may participate at this open meeting. If the group present at that meeting deems it necessary to perform further detailed impact analysis on behalf of the industry, a special Industry Alignment Session will be scheduled to focus on the change request. The Contributor may also participate at this discussion.
9. If the change request obtains final approval by the Steering Committee after the held Industry Alignment Session, it will be scheduled for implementation. The result will be published and the Contributor informed.
10. If the change request does not obtain final approval after the held Industry Alignment Session, it will be rejected and the Contributor informed by the Steering Committee.
11. The Contributor may then launch the OCI Architecture Appeal Process described in the following Section to justify their re-submission of the proposal for further consideration.

Changes to OCI documents and code are bundled together into interoperability profiles that define the document and code sets that must be implemented together to maintain interoperability across the industry. OCI, through the Policy and Architecture Committee and approved by the Steering Committee, will maintain an industry implementation roadmap including sunrise and sunset dates for interoperability profile versions.

OCI Architecture Appeal Process

It may be the case that a particular Contribution is rejected by the OCI committees. OCI has instituted this appeal process to allow the contributor to defend their case.

1. The Contributor SHALL use the afore-mentioned dedicated communication paths for Contribution to launch the OCI Architecture Appeal Process. This will require a justification for the re-submission.
2. The Policy & Architecture (P&A) and Steering Committees will evaluate the justification for the appeal, including any newly provided information. If the justification raises arguments that convince both committees to re-consider the proposal, they will engage in activities to consider the new information and determine how to handle the proposal. This may involve the examination of modifications or alternatives.
3. The Steering Committee assesses whether further consultations with industry professionals are needed to ensure alignment with industry needs.
4. If the Steering Committee does not see any need for further enquiry with industry professionals, the proposal will not be taken to an Industry Alignment Session. The Steering Committee will decide whether to approve the appeal. If it is rejected, the Contributor will be informed by the Steering Committee. If the appeal is approved, it will be subjected to the OCI Architecture Contribution and Change Process described in the previous Section.
5. If the Steering Committee deems it necessary to enquire with industry professionals, the appeal will be proposed at the next possible Industry Alignment Session. The Contributor may participate at this open meeting. If the group present at that meeting deems it necessary to perform further detailed impact analysis on behalf of the industry, a special Industry Alignment Session will be scheduled to focus on the appeal. The Contributor may also participate at this discussion.
6. If the appeal obtains final approval by the Steering Committee after the held Industry Alignment Session, it will be subjected to the OCI Architecture Contribution and Change Process described in the previous Section.
7. If the appeal does not obtain final approval after the held Industry Alignment Session, it will be rejected and the Contributor informed by the Steering Committee.
8. The Contributor MAY NOT open another appeal process on the same proposal. Any such attempt will be disregarded.
9. If the appeal process reveals suggestions for improvement that the Contributor is willing to accept, they are encouraged to submit an amended proposal by starting a new request for change process.

Submissions to Standards Bodies

No OCI Deliverable may be submitted to a standards development organization without approval by the Steering Members. Upon approval by the Steering Members, the Facilitator will coordinate the submission of the applicable Deliverable to a standards development organization with Center for Supply Chain Studies. Working Group Participants that developed that Deliverable agree to grant the copyright rights necessary to make those submissions.

Withdrawal and Termination

• Withdrawal or Termination. An OCI Member may withdraw from a Working Group or the Incubator at any time by notifying the Facilitator in writing, and that withdrawal is effective upon receipt of the notice. Upon a Supermajority Vote of all Steering Members (calculated without the vote of the Steering Member in question), a OCI Member may be terminated from the Incubator or withdrawn from a Working Group.
• Incubator Termination. Upon a Supermajority Vote of the Steering Members, the Incubator will cease and terminate as of the effective date designated in that vote. The Facilitator will coordinate with the Center to facilitate that termination.
• Effect of Withdrawal or Termination. Upon an OCI Member’s written withdrawal from a Working Group or upon the termination of its Incubator membership, all existing commitments, and obligations with respect to the Incubator or Working Group, as the case may be, up to the effective date of withdrawal or termination will remain in effect, but no new obligations will be incurred. Notwithstanding the foregoing, the license granted in Section 6 shall survive any withdrawal, termination, or expiration of this Incubator Agreement.

Use of Name or Marks

• Participant Name or Marks. The Incubator may not use any Steering Member’s or Associate’s logo, trademark, or service mark on any Incubator material without that party’s express prior written authorization.
• Incubator Identification. Incubators may identify themselves as a Center for Supply Chain Studies Incubator. The Incubator must use the formal Incubator name in all legal transactions.
• Center Listing. The Center may not publicly identify the Incubator, including its member list, as a Center for Supply Chain Studies Incubator, unless the Steering Committee otherwise notifies the Center Facilitator in writing.

Non-Confidential, Restricted Disclosure

OCI Members may not make any public disclosures of information disclosed in connection with the Incubator and any Working Group activity, including but not limited to meetings, Contributions, and submissions without the Approval of the Steering Members or Working Group, as applicable, authorizing that disclosure. Any distributions of technical information to third parties must include a notice materially similar to the following: THESE MATERIALS ARE PROVIDED “AS IS.” The owners and contributors expressly disclaim any warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to the materials. The entire risk as to implementing or otherwise using the materials is assumed by the implementer and user. IN NO EVENT WILL THE OWNERS AND CONTRIBUTORS BE LIABLE TO ANY OTHER PARTY FOR LOST PROFITS OR ANY FORM OF INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER FROM ANY CAUSES OF ACTION OF ANY KIND WITH RESPECT TO THIS DELIVERABLE OR ITS GOVERNING AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE OTHER MEMBER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Antitrust

OCI Members acknowledge that they may compete with one another in various lines of business and that it is therefore imperative that they and their respective representatives act in a manner that does not violate any applicable antitrust laws and regulations. Each Steering Member and Associate may have similar agreements with others. Each Steering Member and Associate may design, develop, manufacture, acquire or market competitive deliverables, products, and services, and conduct its business, in whatever way it chooses. No Steering Member or Associate is obligated to announce or market any products or services. Without limiting the generality of the foregoing, the OCI Members agree not to have any discussion relating to any product pricing, methods or channels of product distribution, division of markets, allocation of customers or any other topic that should not be discussed among competitors.