Prof. Dr. h.c. Hasso Plattner

Track & Trace in the Supply Chain, Winter Term 2010/2011



General Information


In this seminar, you will improve your ability to familiarize yourself with a specific research topic on your own. We will give a brief introduction to the topic and then coach you throughout the semester while you work on a specific topic. Several presentations ensure that your presentation skills improve, too. Finally, you write a scientific paper, which also prepares you for your master's thesis.


Radio frequency identification (RFID) technology is supposed to radically change data processing in areas such as Supply Chain Management and consequently lead to "real-time enterprises" [1] and the "Internet of Things" [2], e.g. by introducing a unique identification number for each and every item, called the Electronic Product Code (EPC). Although these changes have been promoted for many years, not much has happened relative to the hype around RFID technology. EPCglobal [3] is the leading institution pushing the development of an interconnected network of data related to uniquely identified items. Therefore, the EPC network (see first figure) was proposed and standardized [4]. The figure shows the EPC network components related to one company.

In a Supply Chain, products move from one enterprise to another and are read by readers belonging to a specific company. Then, a middleware determines what to do with the read event using a rule engine. Finally, the read event is stored in a repository for read events (EPC Information System). If someone needs information about a specific product, the services "Object Name Service" and "EPC Discovery Services" come into play. They are responsible for collecting the product-specific data from the federated repositories. This interplay is shown in the next figure.

One reason for the low adoption rate of RFID technology is that current information systems are not able to handle the large volume of data associated with the introduction of this technology. To give an order of magnitude: in the European pharmaceutical supply chain, more than 5,000 read events per second would occur, and the data shall be stored for approximately five years. Furthermore, the set of proposed standards is not complete, e.g. the EPC Discovery Service (EPCDS) Standard is still a work in progress.


The final grading is determined by (each part must be passed):

  • seminar results & research article (40%),
  • mid-term and final presentation (20%), and
  • methodical research approach and individual commitment (40%)

The article must not exceed 10 pages (plus attachments) following the IEEE template. An introduction to design science in information systems research will be given.



This seminar focuses on two topics:

  1. Large-scale processing of data generated by RFID or data matrix technology in the EPC Network and
  2. Security in this supply chain network.

All topics have a theoretical part. A practical part is optional. If you have any questions, please do not hesitate to ask Dr. Jürgen Müller, Dr. Matthieu-P. Schapranow, or Martin Lorenz.

1. Distributed Discovery Services (Michael Leben)

Discovery Services are used to gather information from different independent resources in the EPCglobal Network. Large data volumes and separate business concerns demand the distribution of data among different Discovery Services, serving different interest groups. Keeping the idea of a global Discovery Service raises the need for information interchange among different Discovery Services. This seminar topic investigates the idea of a dynamic P2P network of Discovery Services using existing P2P frameworks.

2. Re-design of an EPCIS server

The EPCIS is an application layer protocol for the storage of EPC scan events generated during the travel of objects through the supply chain. Depending on the size of the company and the number of handled items, performance can be a crucial part in the operation of an EPCIS. This topic discusses potential performance bottlenecks in the design of EPCIS servers, based on Fosstrak’s Open Source EPCIS implementation.

3. Performance Analysis of SAP Object Event Repository (OER)

The SAP Object Event Repository (OER) is SAP’s EPCglobal-compliant version of an EPCIS. For this seminar we provide a pre-configured version of an OER for performance tests. The goal is to characterize the performance of the system under different load situations, analyze the reasons for the observed behavior, and provide possible solutions. For this purpose, we provide test data from the simulation of a real-world supply chain and a test framework, which can be adapted to the specific needs of the OER.

4. Dynamic Trust Relationship

Real-world supply chains consist of a number of independent business partners, who might not have established business relations with each other. In order to provide full supply chain visibility, as promised by RFID and EPC, supply chain participants need to be able to dynamically establish trust relations with each other. There have been trust establishment mechanisms such as those being developed for Web Services, e.g. Liberty Alliance and WS-Federation. This topic investigates the usage of such technologies in the context of the EPCglobal Network.

5. Authentication and Authorization in the EPC Network

Authentication and Authorization are indispensable for the interchange of sensitive business data, such as EPC scan events. Using Discovery Services for the look-up of EPC-related information shifts the responsibility to protect the usage of information from the resources, e.g. EPCISes, to the Discovery Service. This seminar topic investigates possibilities for resources to define access rights at the Discovery Service level and the propagation/mapping of user authentication information to other Discovery Services or EPCIS servers.

6. EPCIS Server in the Cloud

As companies grow, production volumes increase. Greater lot sizes result in an increasing number of scan events and ultimately in a higher request load on EPCIS servers. An appropriate way to scale with the changing system demands is to adapt the IT infrastructure on which the system is hosted. This topic focuses on cloud computing and its features regarding dynamic allocation of infrastructure in the context of EPCIS servers. The idea is to evaluate existing cloud implementations and their suitability to host information systems dealing with strategically sensitive company data, e.g. EPCIS. Beyond that, we would like to evaluate the possibility of providing EPCIS servers as SaaS, to be purchased by companies on demand.

7. Discovery Service Notification Concepts (Christoph Niepraschk)

The concept of a Discovery Service and its necessity to achieve full supply chain visibility and real-time awareness is well accepted in the research community. However, until now there has not been a complete specification of an application layer protocol for Discovery Services. One crucial aspect within this specification is the way resources notify Discovery Services about incoming EPC scan events. This topic investigates different interaction scenarios, interface designs, and message formats involving resources and Discovery Services, with a focus on the notification behavior needed to publish EPC scan event data to the Discovery Service.

8. Risk Assessment for RFID EPC usage in supply chains

RFID is a part of a company's internal IT systems, but it is only rarely considered in the context of risk assessment. This topic deals with comparing existing risk assessment techniques, e.g. IT Grundschutz by the BSI, and validating them for usage with RFID. Additionally, the following aspects should be considered:

  • Risk assessment is typically performed once, before a new software/solution is expected to be bought. How can this be integrated into a continuous process?
  • Single workshops addressing this topic are performed based on the expertise of company-wide experts. How can you profit from the knowledge of external experts without exposing your weaknesses?
  • Identified threats are collected and grouped in Excel sheets. What should an integrated software solution look like?
  • The probability of a certain threat's occurrence and the expected monetary impact are hard to estimate. How can an IT solution support this?

9. Business-level Security - How to Guarantee an Integer RFID Architecture

RFID-enabled companies are confronted with the need to expose new interfaces. To make track and trace work, they need to offer information to (untrusted) third parties about products created or items processed within their company. This comes with the risk of exposing business internals or sensitive secrets. Possible aspects of this topic are

  • the implementation of a secured end-to-end scenario,
  • definition of possible attacks / threats for the scenario,
  • design of measures against the threats found,
  • integration with existing authentication mechanisms, e.g. Active Directory, pluggable authentication modules, etc., and
  • a tool for managing access rights.

10. PKI Infrastructures for EPC Networks

Public Key Infrastructures are a state-of-the-art standard for mutual trust in vulnerable environments. This topic deals with

  • their applicability in the context of EPC networks,
  • the manageability, e.g. how to revoke certificates,
  • the transfer of mutual trust to reduce the complexity of mutual trust relationships, and
  • the level of granularity which is feasible to implement (per product, per wholesaler, per region, ...)


  • [1] Frédéric Thiesse, Christian Floerkemeier, Mark Harrison, Florian Michahelles, Christof Roduner, "Technology, Standards, and Real-World Deployments of the EPC Network," IEEE Internet Computing, vol. 13, no. 2, pp. 36-43, March/April, 2009. URL: http://www.computer.org/portal/web/csdl/doi/10.1109/MIC.2009.46