Copyright © 2024 Named editors. Contributors to the Open Credentialing Initiative.
This section describes the status of this document at the time of its publication. Other documents may supersede this document.
This is a living OCI Document developed by OCI Members with input from relevant interested parties. It is anticipated that the contents of this document will be reviewed and updated to address any applicable feedback. A list of current public OCI Documents, including Conformance Criteria, can be found in OCI's GitHub repositories.
This document lays out the terms and conditions of OCI's governance.
The Open Credentialing Initiative (OCI) was started as an Incubator of the Center for Supply Chain Studies.
This document is based on the original Charter with necessary additions relating to governance details not
previously recorded.
OCI is an open source initiative. All artifacts created by OCI are governed under the
Apache 2.0 license (collaborative, open source
software development).
As OCI artifacts are used by US pharmaceutical trading partners to comply with the Drug Supply Chain Security Act
(DSCSA), other laws, regulations and industry consensus agreements and international standards, it is imperative
that the OCI architecture design and maintenance are guided by industry participants (trading partners), regulators
and stakeholders.
Hence, OCI encourages contributions from OCI member and non-member companies and individuals by following the
processes described in this document. In particular, contributors should note the applicable license and required
contributor assertions.
A Contribution comprises any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted for inclusion in OCI Deliverables. For the purposes of this definition, “submit” means any form of oral or written communication for the purpose of discussing and improving the Deliverable but excluding communication that is conspicuously designated in writing as not a Contribution.
A Contribution to OCI encompasses the following:
A Contributor may be an OCI Member, a DSCSA-related organization, a technical standards body, a public organization or person, or any other interested party.
The Center for Supply Chain Studies hosts and facilitates industry-wide Studies as a way to openly exchange ideas, share expertise and explore the complex regulatory and operational issues facing today’s supply chain. Additionally, the Center offers Incubator support with a structure similar to its industry-wide Studies to groups of collaborating companies that are in the early process of implementing industry benefiting processes, technologies, and initiatives. The purpose of an Incubator project is to provide enough support to allow the Incubator Members to launch an initiative into a more formal structure or establish relationships with other organizations to transfer the initiative’s artifacts, activities, and discussions.
Incubator sponsors and participants are able to remove administrative burdens by leveraging the Center’s resources – freeing them to pursue the explorative goals that brought them together in the first place. All members will conduct industry-wide studies, private studies, and other Incubator work in accordance and in compliance with all applicable anti-trust laws and provide an educational environment for the benefit of the industry at large.
The original “Incubator Charter” established the initial terms under which this project operates as an Incubator of the Center for Supply Chain Studies (the “Center”). The Center provides resources for the duration of the project as well as confirming that Incubator Participants conduct their activities in accordance with the Center’s corporate purpose and policies, such as its non-profit status, accounting, and regulatory guidelines. Incubators are otherwise independent. The Incubator Charter was entered into and made effective as of March 1, 2021 (“Effective Date”).
The Membership Agreement is a separate stand-alone document that is provided by OCI on the OCI website or on request. Organizations join OCI as official members upon signing the Membership Agreement.
Each OCI Member company must assign a Steering Member from the organization that will participate on the Steering Committee. All other individuals from a Member company can participate at other membership levels.
OCI Members and the Center represent and warrant that they are legally entitled to grant the rights and promises set forth in the Membership Agreement. IN ALL OTHER RESPECTS THE CONTRIBUTIONS ARE PROVIDED "AS IS." The entire risk as to implementing or otherwise using an OCI Deliverable is assumed by the implementer and user. Except as stated herein, OCI Members expressly disclaim any warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to the material. IN NO EVENT WILL THE CENTER, ANY STEERING MEMBER, ASSOCIATE, OR CONTRIBUTOR BE LIABLE TO ANY OTHER PARTY FOR LOST PROFITS OR ANY FORM OF INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER FROM ANY CAUSES OF ACTION OF ANY KIND WITH RESPECT TO THIS AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE OTHER MEMBER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OCI maintains a Trusted Issuer Registry. To this end, it employs an Ethereum smart contract managed by so-called Statekeepers. They execute the Steering Committee’s decisions concerning the Trusted Issuer Registry and report to the Steering Committee.
The Steering Committee SHALL be accountable and responsible for the Trusted Issuer Registry management. The voting on decisions concerning the Trusted Issuer Registry SHALL follow OCI’s Governance section Decision Making.
Following a decision, the Steering Committee SHALL request that the Trusted Issuer Registry Statekeepers update the Trusted Issuer Registry.
The initial Statekeepers SHALL be assigned by the Steering Committee following the aforementioned OCI decision-making process. Any subsequent changes to the initial list of Statekeepers SHALL follow the process described in this chapter.
Statekeepers are OCI member organizations responsible for maintaining and updating the Trusted Issuer Registry on behalf of the Steering Committee. Statekeepers SHALL amend the Trusted Issuer Registry only upon approval by the Steering Committee. Statekeepers report to the Steering Committee.
Each Statekeeper SHALL have the permission and technical capability to sign Trusted Issuer Registry transactions. By signing, the Statekeeper exerts their voting power. The smart contract will be updated only when a transaction is signed in accordance with the respective governance parameters.
Each Statekeeper SHALL procure and employ a hardware wallet for storing and managing the Ethereum wallet that facilitates the Trusted Issuer Registry management. Statekeepers SHALL use the OCI-provided dApp to manage the Trusted Issuer Registry.
The executing Statekeeper MAY be a single assigned individual within the OCI member organization or represented by a multi-signature wallet. The latter is effectively a shared account, which can be managed by multiple individuals within the organization. Each Statekeeper has only 1 organizational vote regardless of the number of representing individuals.
The scope of registry management and corresponding voting thresholds are as follows:
Registry Management | Voting |
---|---|
Add a new Statekeeper to the Trusted Issuer Registry smart contract | at least 60% of all Statekeepers SHALL vote in favor |
Remove a Statekeeper from the Trusted Issuer Registry smart contract | at least 60% of all Statekeepers SHALL vote in favor |
Add a Trusted Issuer to the Trusted Issuer Registry (see Note 1, 2) | at least 60% of all Statekeepers SHALL vote in favor |
Remove a Trusted Issuer from the Trusted Issuer Registry (see Note 1, 2) | at least 60% of all Statekeepers SHALL vote in favor |
Change a governance parameter concerning the Trusted Issuer Registry | at least 60% of all Statekeepers SHALL vote in favor |
Retire the Trusted Issuer Registry smart contract | at least 60% of all Statekeepers SHALL vote in favor |
Note 1
The Trusted Issuer Registry captures Credential Issuers in the form of their unique identifier (DID). A Credential Issuer MAY be associated with more than one DID. However, a single DID SHALL only ever be associated with one Credential Issuer. As far as Trusted Issuer Registry management is concerned, each DID is regarded as a single Credential Issuer. Thus, the addition or removal of each DID SHALL be subject to approval by the Steering Committee.
Note 2
A Credential Issuer SHALL be assigned per credential type (refer to Digital Wallet Conformance Criteria) to delineate which credential types each Credential Issuer MAY manage. A Credential Issuer MAY be associated with more than one credential type.
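The voting rule and Notes 1 and 2 above, modeled off-chain in Python as an added example; it is not OCI's smart contract or dApp code, and every name in it (`RegistryModel`, `votes_required`, the action names) is hypothetical. It covers four of the six actions in the table and shows that "at least 60% of all Statekeepers" is computed against the full Statekeeper count with an integer ceiling, so 2 of 4 signatures do not pass and repeat signatures from one organization count once.

```python
# Added illustration with hypothetical names; not the OCI smart contract or dApp.

def votes_required(total_statekeepers, threshold_pct=60):
    """Fewest votes reaching threshold_pct of ALL Statekeepers (integer ceiling)."""
    if total_statekeepers < 1:
        raise ValueError("registry needs at least one Statekeeper")
    return -(-total_statekeepers * threshold_pct // 100)

class RegistryModel:
    def __init__(self, statekeepers):
        self.statekeepers = set(statekeepers)  # one entry per member organization
        self.issuers = {}                      # DID -> [issuer, {credential types}]
        self.pending = {}                      # proposal id -> (action, args, approvals)

    def propose(self, pid, action, *args):
        if action not in ("add_issuer", "remove_issuer",
                          "add_statekeeper", "remove_statekeeper"):
            raise ValueError(f"unknown action {action!r}")
        self.pending[pid] = (action, args, set())

    def sign(self, pid, org):
        """Record one organization's vote; execute once the threshold is met.
        Votes are counted against the full, current Statekeeper list."""
        if org not in self.statekeepers:
            raise PermissionError(f"{org} is not a Statekeeper")
        action, args, approvals = self.pending[pid]
        approvals.add(org)  # a set: repeat signatures from one org count once
        if len(approvals & self.statekeepers) < votes_required(len(self.statekeepers)):
            return False
        del self.pending[pid]
        getattr(self, "_" + action)(*args)
        return True

    def _add_issuer(self, did, issuer, credential_type):
        entry = self.issuers.setdefault(did, [issuer, set()])
        if entry[0] != issuer:  # Note 1: a DID maps to exactly one Credential Issuer
            raise ValueError(f"{did} already belongs to {entry[0]}")
        entry[1].add(credential_type)  # Note 2: trust is recorded per credential type

    def _remove_issuer(self, did):
        self.issuers.pop(did, None)

    def _add_statekeeper(self, org):
        self.statekeepers.add(org)

    def _remove_statekeeper(self, org):
        self.statekeepers.discard(org)

    def is_trusted(self, did, credential_type):
        return did in self.issuers and credential_type in self.issuers[did][1]
```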
To enable standardized performance testing of service providers’ systems that yields comparable results, OCI provides an openly accessible test set-up intended for:
OCI encourages any interested party to vet and comment on any of the open-sourced material.
While OCI makes the reference material for performance testing publicly available and encourages service providers to use it, OCI does not intend to coordinate test runs unless tasked to do so. Testing efforts are assumed to be driven and managed by service providers.
Any service provider who uses OCI’s reference material to generate test data remains the owner of that data. OCI encourages service providers to submit data to OCI for publication in its GitHub repository and processing by OCI. The following terms apply to such shared data (see also Figure 1 below).
OCI will replace company names with anonymous OCI identifiers before processing and publishing any shared data. OCI will maintain a confidential file mapping actual company names to OCI identifiers. Access to this file will be limited to the OCI admin(s) overseeing the performance test.
For any coherent test runs, OCI will maintain the same public OCI identifier for the same solution provider across all test conditions so that data can be directly compared. The OCI identifier will be changed haphazardly between test runs that do not belong together, so a correlation of individual service provider performance across time is impossible. Each service provider may know their own OCI identifier.
As part of the data anonymization, the solution provider is expected to remove any details from the raw data considered confidential by the service provider before sharing any data with OCI. For each test flight, the essential data required for analysis are:
Service providers may retract consent for publication of their raw or OCI-processed data.
Any service provider who makes data available to OCI for publication agrees that OCI processes that data in line with the reference guide for data processing, which itself is publicly available in OCI’s dedicated GitHub repository.
In general, OCI’s data processing involves basic mathematical calculations without interpretation in any applied industry context and without concluding recommendations to solution providers. OCI may evaluate calculated performance results with reference to its own approved Conformance Criteria.
Processed data will be published for scrutiny by independent external parties.
Any OCI Member or external party makes Contributions to OCI in agreement with the Apache License, Version 2.0 (the “License”). All published OCI material is licensed under this License; OCI material may not be used except in compliance with the License. A copy of the License may be obtained at apache.org. Unless required by applicable law or agreed to in writing, OCI-published material distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
The OCI Steering Committee has approved authors (Document Authors, Code Authors, etc.) within the OCI Policy and Architecture Committee who are responsible for managing Contributions and communicating with contributors. The Policy and Architecture Committee has a process to vet document and code changes resulting from Contributions against requirements provided by industry trading partners and other stakeholders.
Changes to OCI documents and code are bundled together into interoperability profiles that define the document and code sets that must be implemented together to maintain interoperability across the industry. OCI, through the Policy and Architecture Committee and approved by the Steering Committee, will maintain an industry implementation roadmap including sunrise and sunset dates for interoperability profile versions.
It may be the case that a particular Contribution is rejected by the OCI committees. OCI has instituted this appeal process to allow the contributor to defend their case.
No OCI Deliverable may be submitted to a standards development organization without approval by the Steering Members. Upon approval by the Steering Members, the Facilitator will coordinate the submission of the applicable Deliverable to a standards development organization with the Center for Supply Chain Studies. Working Group Participants that developed that Deliverable agree to grant the copyright rights necessary to make those submissions.
OCI Members may not make any public disclosures of information disclosed in connection with the Incubator and any Working Group activity, including but not limited to meetings, Contributions, and submissions without the Approval of the Steering Members or Working Group, as applicable, authorizing that disclosure. Any distributions of technical information to third parties must include a notice materially similar to the following:
THESE MATERIALS ARE PROVIDED “AS IS.” The owners and contributors expressly disclaim any warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to the materials. The entire risk as to implementing or otherwise using the materials is assumed by the implementer and user. IN NO EVENT WILL THE OWNERS AND CONTRIBUTORS BE LIABLE TO ANY OTHER PARTY FOR LOST PROFITS OR ANY FORM OF INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER FROM ANY CAUSES OF ACTION OF ANY KIND WITH RESPECT TO THIS DELIVERABLE OR ITS GOVERNING AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE OTHER MEMBER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OCI Members acknowledge that they may compete with one another in various lines of business and that it is therefore imperative that they and their respective representatives act in a manner that does not violate any applicable antitrust laws and regulations. Each Steering Member and Associate may have similar agreements with others. Each Steering Member and Associate may design, develop, manufacture, acquire or market competitive deliverables, products, and services, and conduct its business, in whatever way it chooses. No Steering Member or Associate is obligated to announce or market any products or services. Without limiting the generality of the foregoing, the OCI Members agree not to have any discussion relating to any product pricing, methods or channels of product distribution, division of markets, allocation of customers or any other topic that should not be discussed among competitors.