v3.2.1

Status of this Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document.

This is a living OCI Document developed by OCI Members with input from relevant interested parties. It is anticipated that the contents of this document will be reviewed and updated to address any applicable feedback. A list of current public OCI Documents, including Conformance Criteria, can be found in OCI's GitHub repositories.

This document lays out the terms and conditions of OCI's governance.

Purpose

The Open Credentialing Initivative (OCI) was started as an Incubator of the Center for Supply Chain Studies. This document is based on the original Charter with necessary additions relating to governance details not previously recorded.

OCI is an open source initiative. All artifacts created by OCI are governed under the Apache 2.0 license (collaborative, open source software development).

As OCI artifacts are used by US pharmaceutical trading partners to comply with the Drug Supply Chain Security Act (DSCSA), other laws, regulations and industry consensus agreements and international standards, it is imperative that the OCI architecture design and maintenance is guided by industry participants (trading partners), regulators and stakeholders.

Hence, OCI encourages contributions from OCI member and non-member companies and individuals by following the processes described in this document. In particular, contributors should note the applicable license and required contributor assertions.

General Terms and Abbreviations

What is a contribution?

A Contribution comprises any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted for inclusion in OCI Deliverables. For the purposes of this definition, “submit” means any form of oral or written communication for the purpose of discussing and improving the Deliverable but excluding communication that is conspicuously designated in writing as not a Contribution.
A Contribution to OCI encompasses the following:

A Contributor may be an OCI Member, a DSCSA-related organization, a technical standards body, a public organization or person, or any other interested party.

Incubator within the Center for Supply Chain Studies

The Center for Supply Chain Studies hosts and facilitates industry-wide Studies as a way to openly exchange ideas, share expertise and explore the complex regulatory and operational issues facing today’s supply chain. Additionally, the Center offers Incubator support with a structure similar to its industry-wide Studies to groups of collaborating companies that are in the early process of implementing industry benefiting processes, technologies, and initiatives. The purpose of an Incubator project is to provide enough support to allow the Incubator Members to launch an initiative into a more formal structure or establish relationships with other organizations to transfer the initiative’s artifacts, activities, and discussions.

Incubator sponsors and participants are able to remove administrative burdens by leveraging the Center’s resources – freeing them to pursue the explorative goals that brought them together in the first place. All members will conduct industry-wide studies, private studies, and other Incubator work in accordance and in compliance with all applicable anti-trust laws and provide an educational environment for the benefit of the industry at large.

Incubator Charter

The original “Incubator Charter” established the intial terms under which this project operates as an Incubator of the Center for Supply Chain Studies (the “Center”). The Center provides resources for the duration of the project as well as confirming that Incubator Participants conduct their activities in accordance with the Center’s corporate purpose and policies, such as its non-profit status, accounting, and regulatory guidelines. Incubators are otherwise independent. The Incubator Charter was entered into and made effective as of March 1, 2021 (“Effective Date”).

Membership

Membership Agreement

The Membership Agreement is a separate stand-alone document that is provided by OCI on the OCI website or on request. Organizations join OCI as official members upon signing the Membership Agreement.

Membership Levels

Each OCI Member company must assign a Steering Member from the organization that will participate on the Steering Committee. All other individuals from a Member company can participate at other membership levels.

Representations, Warranties and Disclaimers

OCI Members and the Center represent and warrant that they are legally entitled to grant the rights and promises set forth in the Membership Agreement . IN ALL OTHER RESPECTS THE CONTRIBUTIONS ARE PROVIDED "AS IS." The entire risk as to implementing or otherwise using an OCI Deliverable is assumed by the implementer and user. Except as stated herein, OCI Members expressly disclaims any warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to the material. IN NO EVENT WILL THE CENTER, ANY STEERING MEMBER, ASSOCIATE, OR CONTRIBUTOR BE LIABLE TO ANY OTHER PARTY FOR LOST PROFITS OR ANY FORM OF INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER FROM ANY CAUSES OF ACTION OF ANY KIND WITH RESPECT TO THIS AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE OTHER MEMBER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Organization

Decision-making

Working Groups

Trusted Issuer Registry Governance

Overview

OCI maintains a Trusted Issuer Registry. To this end, it employs an Ethereum smart contract managed by so-called Statekeepers. They execute the Steering Committee’s decisions concerning the Trusted Issuer Registry and report to the Steering Committee.

OCI trusted issuer registry governance overview
OCI Trusted Issuer Registry Governance

Steering Committee Oversight

The Steering Committee SHALL be accountable and responsible for the Trusted Issuer Registry management. The voting on decisions concerning the Trusted Issuer Registry SHALL follow OCI’s Governance section Decision Making.

Following a decision, the Steering Committee SHALL request from the Trusted Issuer Registry Statekeepers to update the Trusted Issuer Registry.

The initial Statekeepers SHALL be assigned by the Steering Committee following the afore-mentioned OCI decision-making process. Any subsequent changes to the initial list of Statekeepers SHALL follow the process described in this chapter.

Trusted Issuer Registry Statekeeper

Statekeepers are OCI member organizations responsible for maintaining and updating the Trusted Issuer Registry on behalf of the Steering Committee. Statekeepers SHALL amend the Trusted Issuer Registry only upon approval by the Steering Committee. Statekeepers report to the Steering Committee.

Each Statekeeper SHALL have the permission and technical capability to sign Trusted Issuer Registry transactions. By signing, the Statekeeper exerts their voting power. Only when a transaction is signed in accordance with the respective governance parameters, will the smart contract be updated.

Each Statekeeper SHALL procure and employ a hardware wallet for storing and managing the Ethereum wallet that facilitates the Trusted Issuer Registry management. Statekeepers SHALL use the OCI-provided dApp to manage the Trusted Issuer Registry.

The executing Statekeeper MAY be a single assigned individual within the OCI member organization or represented by a multi-signature wallet. The latter is effectively a shared account, which can be managed by multiple individuals within the organization. Each Statekeeper has only 1 organizational vote regardless of the number of representing individuals.

Trusted Issuer Registry Parameters

The scope of registry management and corresponding voting thresholds are as follows:

Registry Management Voting
Add a new Statekeeper to the Trusted Issuer Registry smart contract at least 60% of all Statekeepers SHALL vote in favor
Remove a Statekeeper from the Trusted Issuer Registry smart contract at least 60% of all Statekeepers SHALL vote in favor
Add a Trusted Issuer to the Trusted Issuer Registry (see Note 1, 2) at least 60% of all Statekeepers SHALL vote in favor
Remove a Trusted Issuer from the Trusted Issuer Registry (see Note 1, 2) at least 60% of all Statekeepers SHALL vote in favor
Change a governance parameter concerning the Trusted Issuer Registry at least 60% of all Statekeepers SHALL vote in favor
Retire the Trusted Issuer Registry smart contract at least 60% of all Statekeepers SHALL vote in favor

Note 1
The Trusted Issuer Registry captures Credential Issuers in the form of their unique identifier (DID). A Credential Issuer MAY be associated with more than one DID. However, a single DID SHALL only ever be associated with one Credential Issuer. As far as Trusted Issuer Registry management is concerned, each DID is regarded as a single Credential Issuer. Thus, the addition or removal of each DID SHALL be subject to approval by the Steering Committee.

Note 2
A Credential Issuer SHALL be assigned per credential type (refer to Digital Wallet Conformance Criteria) to delineate which credential types each Credential Issuer MAY manage. A Credential Issuer MAY be associated with more than one credential type.

Reference Set-up for Performance Testing

Purpose

To enable standardized performance testing of service providers’ systems that yields comparable results, OCI provides an openly accessible test set-up intended for:

OCI encourages any interested party to vet and comment on any of the open-sourced material.

Scope

While OCI makes the reference material for performance testing publicly available and encourages service providers to use it, OCI does not intend to coordinate test runs unless tasked to do so. Testing efforts are assumed to be driven and managed by service providers.

Data Ownership

Any service provider who uses OCI’s reference material to generate test data remains the owner of that data. OCI encourages service providers to submit data to OCI for publication in its GitHub repository and processing by OCI. The following terms apply to such shared data (see also Figure 1 below).

OCI Reference Set-up for Performance Testing
Illustration of the Current Process

Boundaries of Transparency

OCI will replace company names with anonymous OCI identifiers before processing and publishing any shared data. OCI will maintain a confidential file containing mapping actual company names with OCI identifiers. Access to this file will be limited to the OCI admin(s) overseeing the performance test.

For any coherent test runs, OCI will maintain the same public OCI identifier for the same solution provider across all test conditions so that data can be directly compared. The OCI identifier will be changed haphazardly between test runs that do not belong together, so a correlation of individual service provider performance across time is impossible. Each service provider may know their own OCI identifier.

As part of the data anonymization, the solution provider is expected to remove any details from the raw data considered confidential by the service provider before sharing any data with OCI. For each test flight, the essential data required for analysis are:

Service providers may retract consent for publication of their raw or OCI-processed data.

Data Processing

Any service provider who makes data available to OCI for publication agrees that OCI processes that data in line with the reference guide for data processing, which itself is publicly available in OCI’s dedicated GitHub repository.

In general, OCI’s data processing involves basic mathematical calculations without interpretation in any applied industry context and without concluding recommendations to solution providers. OCI may evaluate calculated performance results with reference to its own approved Conformance Criteria.

Processed data will be published for scrutiny by independent external parties.

Contributions

Any OCI Member or external party makes Contributions to OCI in agreement with the Apache License, Version 2.0 (the “License”). All published OCI material is licensed under this License; OCI material may not be used except in compliance with the License. A copy of the License may be obtained at apache.org. Unless required by applicable law or agreed to in writing, OCI-published material distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

OCI Architecture Contribution and Change Process

The OCI Steering Committee has approved authors (Document Authors, Code Authors, etc.) within the OCI Policy and Architecture Committee who are responsible for managing Contributions and communicating with contributors. The Policy and Architecture Committee has a process to vet document and code changes resulting from Contributions against requirements provided by industry trading partners and other stakeholders.

OCI Architecture Contribution and Change Process
OCI Architecture Contribution and Change Process
  1. A Contribution or Change Request SHALL be submitted via the afore-mentioned dedicated communication paths provided by OCI.
  2. The Policy and Architecture (P&A) Committee performs a detailed assessment and impact analysis to derive an initial decision about the validity and extent of the proposal. Where further consultations with other organizations or experts are required, these will be carried out as appropriate. The Policy and Architecture Committee also keeps the Steering Committee informed regularly about received change requests and their evaluation.
  3. If the proposal is not deemed worthy of any further consideration, the Policy and Architecture Committee will inform the Contributor.
  4. Should the Policy and Architecture Committee approve the change request and it does not constitute a substantive change to existing OCI rules or requirements, it will be scheduled for implementation. The result will be published and the Contributor informed.
  5. Should the Policy and Architecture Committee approve the change request and it constitutes a substantive change to existing OCI rules or requirements, it will be proposed to the Steering Committee.
  6. The Steering Committee assesses whether further consultations with industry professionals are needed to ensure alignment with industry needs.
  7. If the Steering Committee does not see any need for further enquiry with industry professionals, the proposal will not be taken to an Industry Alignment Session. The Steering Committee will decide whether to approve the Request. If it is rejected, the Contributor will be informed by the Steering Committee. If the change request is approved, it will be scheduled for implementation. The result will be published and the Contributor informed.
  8. If the Steering Committee deems it necessary to enquire with industry professionals, the change request will be proposed at the next possible Industry Alignment Session. The Contributor may participate at this open meeting. If the group present at that meeting deems it necessary to perform further detailed impact analysis on behalf of the industry, a special Industry Alignment Session will be scheduled to focus on the change request. The Contributor may also participate at this discussion.
  9. If the change request obtains final approval by the Steering Committee after the held Industry Alignment Session, it will be scheduled for implementation. The result will be published and the Contributor informed.
  10. If the change request does not obtain final approval after the held Industry Alignment Session, it will be rejected and the Contributor informed by the Steering Committee.
  11. The Contributor may then launch the OCI Architecture Appeal Process described in the following Section to justify their re-submission of the proposal for further consideration.

Changes to OCI documents and code are bundled together into interoperability profiles that define the document and code sets that must be implemented together to maintain interoperability across the industry. OCI, through the Policy and Architecture Committee and approved by the Steering Committee, will maintain an industry implementation roadmap including sunrise and sunset dates for interoperability profile versions.

OCI Architecture Appeal Process

It may be the case that a particular Contribution is rejected by the OCI committees. OCI has instituted this appeal process to allow the contributor to defend their case.

OCI Architecture Appeal Process
OCI Architecture Appeal Process
  1. The Contributor SHALL use the afore-mentioned dedicated communication paths for Contribution to launch the OCI Architecture Appeal Process. This will require a justification for the re-submission.
  2. The Policy & Architecture (P&A) and Steering Committees will evaluate the justification for the appeal, including any newly provided information. If the justification raises arguments that convince both committees to re-consider the proposal, they will engage in activities to consider the new information and determine how to handle the proposal. This may involve the examination of modifications or alternatives.
  3. The Steering Committee assesses whether further consultations with industry professionals are needed to ensure alignment with industry needs.
  4. If the Steering Committee does not see any need for further enquiry with industry professionals, the proposal will not be taken to an Industry Alignment Session. The Steering Committee will decide whether to approve the appeal. If it is rejected, the Contributor will be informed by the Steering Committee. If the appeal is approved, it will be subjected to the OCI Architecture Contribution and Change Process described in the previous Section.
  5. If the Steering Committee deems it necessary to enquire with industry professionals, the appeal will be proposed at the next possible Industry Alignment Session. The Contributor may participate at this open meeting. If the group present at that meeting deems it necessary to perform further detailed impact analysis on behalf of the industry, a special Industry Alignment Session will be scheduled to focus on the appeal. The Contributor may also participate at this discussion.
  6. If the appeal obtains final approval by the Steering Committee after the held Industry Alignment Session, it will be subjected to the OCI Architecture Contribution and Change Process described in the previous Section.
  7. If the appeal does not obtain final approval after the held Industry Alignment Session, it will be rejected and the Contributor informed by the Steering Committee.
  8. The Contributor MAY NOT open another appeal process on the same proposal. Any such attempt will be disregarded.
  9. If the appeal process reveals suggestions for improvement that the Contributor is willing to accept, they are encouraged to submit an amended proposal by starting a new request for change process.

Submissions to Standards Bodies

No OCI Deliverable may be submitted to a standards development organization without approval by the Steering Members. Upon approval by the Steering Members, the Facilitator will coordinate the submission of the applicable Deliverable to a standards development organization with Center for Supply Chain Studies. Working Group Participants that developed that Deliverable agree to grant the copyright rights necessary to make those submissions.

Withdrawal and Termination

Use of Name or Marks

Non-Confidential, Restricted Disclosure

OCI Members may not make any public disclosures of information disclosed in connection with the Incubator and any Working Group activity, including but not limited to meetings, Contributions, and submissions without the Approval of the Steering Members or Working Group, as applicable, authorizing that disclosure. Any distributions of technical information to third parties must include a notice materially similar to the following: THESE MATERIALS ARE PROVIDED “AS IS.” The owners and contributors expressly disclaim any warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to the materials. The entire risk as to implementing or otherwise using the materials is assumed by the implementer and user. IN NO EVENT WILL THE OWNERS AND CONTRIBUTORS BE LIABLE TO ANY OTHER PARTY FOR LOST PROFITS OR ANY FORM OF INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER FROM ANY CAUSES OF ACTION OF ANY KIND WITH RESPECT TO THIS DELIVERABLE OR ITS GOVERNING AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE OTHER MEMBER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Antitrust

OCI Members acknowledge that they may compete with one another in various lines of business and that it is therefore imperative that they and their respective representatives act in a manner that does not violate any applicable antitrust laws and regulations. Each Steering Member and Associate may have similar agreements with others. Each Steering Member and Associate may design, develop, manufacture, acquire or market competitive deliverables, products, and services, and conduct its business, in whatever way it chooses. No Steering Member or Associate is obligated to announce or market any products or services. Without limiting the generality of the foregoing, the OCI Members agree not to have any discussion relating to any product pricing, methods or channels of product distribution, division of markets, allocation of customers or any other topic that should not be discussed among competitors.