In a number of industries, particularly the pharmaceutical industry, problems result from products being sold or dispensed which are counterfeit, have been fraudulently obtained or are merely faulty or out of date.

Previously, industries have dealt with this problem by providing clearly marked packaging and controlling tightly the chains of distribution. More recently, supply chain industries have considered the use of radio frequency identification (RFID) and electronic product codes (EPC) for a replacement for standard bar codes. While standard bar codes, EPCs and/or RFID can include information that can be machine-read, for purposes of tracking, etc., the information used therein is not necessarily unique for the product. For example, a bar code carries general information about the product and/or the manufacturer, etc. , but the same bar code with identical information is affixed or otherwise provided to multiple containers for the same type of product.

Moreover, the information contained in RFID and/or EPC may not necessarily be unique to the product. See, generally, "RFID Changes Everything,"E- Business Ecosystems, September 19,2002. However, problems still arise and the present application recognises for the first time the possibility of implementing a system which provides authentication of individual products.

These products may be packaged individually or together in packs and authentication can then be provided for each product separately, for instance, each tablet, vial, blister strip, etc. In this specification, "authentication"can be<BR> used to refer to products which may be subject to, e. g. , recall, theft and/or expiration, etc.

According to the present invention, there is provided a method of authenticating products at a trusted location including: housing the products in respective containers having respective unique product identifiers associated with data identifying the respective housed products; storing in an authentication database data relating to the products; reading at a trusted location terminal the data from one of the product identifiers; communicating at least some of the data of the product identifier to the authentication database; comparing data of the product identifier with data of the authentication database so as to produce an authentication result; and communicating the authentication result from the authentication database to the trusted location terminal.

According to an embodiment of the present invention, there is also provided an authentication system for authenticating products at a trusted location, the products being held in respective containers, each container including a respective unique product identifier, the system including: at least one terminal located at a trusted location of the product and for reading data from the respective product identifier; an authentication database to store data relating to the product identifier and the respective products; and a communication channel by which data read by the at least one terminal can be compared with data stored in the authentication database so as to authenticate the corresponding product.

In this way, before a particular product, such as a pharmaceutical, is sold or dispensed, it is possible to authenticate that product. The trusted location will often be the point-of-release where the product is sold or dispensed. However, it could also be the point-of-receipt, for instance a trusted consumer or a retailer who will then sell or dispense the product.

The product identifier can include merely data uniquely identifying the individual product, with data about the product identifier being stored in the authentication database. However, the container can be provided with data about the product itself. The product identifier can be incorporated into the container for example by embedding an identification device (carrying the product identifier) into a carton or foil blister pack or adhesion of the device or a label (such as bar code) to cartons, bottle labels or caps. The appropriate comparison of data can take place either at the authentication database or at the terminal.

841306 In this way, the system can determine whether or not the product is a genuine product or is a counterfeit. Similarly, if the product is out of date, faulty, intended for a different market or subject to recall, this can also be identified.

As a result, if the product is not correctly authenticated, the sale or dispensing of the product can be inhibited.

Accordingly, it is possible to provide increased availability of products at points-of dispensing/sale for the pharmaceutical industry, it is also possible to guarantee patients'safety with regard to counterfeit drugs and dispensing errors. Similarly, additional checks can be made at point-of-receipt.

Because details of dispensing/sale of products can be provided back to the authentication database, it is also possible to achieve improved distribution control and management information. In particular, it is possible to provide improved forecasting (profit projection and stock control unit demand), reduced inventory along the distribution channel, more cost effective supply management and determining the length of time a product has been in the supply chain.

As part of the system, according to an embodiment of the present invention, there is also provided a container for housing a product for distribution and release, the container including a unique product identifier associated with data relating to the housed product and providing said data for reading by an external device.

In one embodiment, the product identifier may be in the form of a number, e. g. , a randomly generated number, a code, e. g. , one or more bar codes that 841306 can be read/scanned by a scanner or other reading device at the point of-sale terminal. The product identifier, e. g. , may take the form of an RFID, unique<BR> ink (e. g. , having a unique frequency, e. g. , UV), magnetics, etc.

In another embodiment, the product identifier may be stored or otherwise available through a product identification device, e. g. , one or more tagging devices including unique product identity codes that can be read/scanned by and/or input into the terminals. The container may include additional identification devices and/or bar-codes, in which event the terminals can read/scan both the identification devices/bar-codes and the product identifiers.

Thus, preferably, besides the unique product identifier, the terminals are also capable of reading standard prior art bar codes on the container which convey general information about the product and/or manufacture, but are not unique to the specific product.

Information from the product identifier, e. g. , a number, bar-code, etc. , can be provided via the communication channel to enable manufacturers, suppliers and the like to be informed automatically of the particular product for which authentication was not possible. This relieves the operator of the point of- release, for instance a pharmacist, of the responsibility of informing the supplier. It will be appreciated that even counterfeit products are often provided with bar-codes and these codes will identify the type of product.

In this way, the product can be identified for authentication as part of the system.

The product identifier and/or identification device, etc. can be incorporated into the container for example by embedding it in a carton or foil blister pack or adhesion to cartons, bottle labels or caps.

Preferably the container is arranged to be opened in a predetermined manner and the product identifier and/or identification device, etc. is arranged to indicate that the container has been opened.

This prevents any tampering with the product, thereby further enhancing the authentication process.

The container, e. g. , by way of the identification device, may be provided with some form of sensor for detecting and recording that the container has been opened. However, preferably, the product identifier or identification device, etc. is formed in or on the container such that opening the container at least partly destroys such.

Partly destroying the product identifier or identification device, etc. , can be arranged to provide a signal that the container has been opened. Alternatively, the product identifier or identification device can be rendered completely inoperable such that the external reading device cannot detect the product identifier or identification device and, hence, cannot authenticate the housed product. In some embodiments, a partly destroyed product identifier or identification device could be reactivated by the manufacturer for investigation purposes.

Preferably, the product identifier includes data indicating a unique product identity code but no other information about the product. Optionally the 841306 identification device or label/bar code in which the product identifier is provided can additionally include one or more of the following types of exemplary information: the nature or type of product housed in the container; the date of manufacture of the product; the name of the manufacturer; the place of manufacture of the product; the date of housing the product in the container; the sell-by date; the use by date; and special instructions, e. g. contra indications or warnings.

Of course, the identification device could include other information.

This information can be used to determine whether or not the product is suitable for sale or dispensing, preferably in conjunction with information provided by the authentication database.

Alternatively or additionally, such data may be stored in the authentication database and accessed by reference to data associated with the product identifier and/or identification device identifying the corresponding respective product.

Optionally, the container, e. g. , by way of the identification device, includes at least one sensor for environmental conditions including one or more of temperature and humidity and stores data from which it can be determined if the product has been subjected to environmental conditions beyond a predetermined limit.

In this way, it can be determined at the point-of-sale whether or not, since leaving the manufacturer, the product has been subjected to any conditions which render it unsuitable for sale.

As part of the system, according to an embodiment of the present invention, there is also provided a terminal for use at a trusted location of products held in respective containers, each container including a respective unique product identifier, the terminal including: a reader for reading data relating to the product identifier; a communication port for communicating at least some of said data to a remote authentication database and for receiving data from the authentication database; a controller for providing authentication of a product on the basis of the data received from the authentication database.

In this way, the terminal is able to determine whether or not the product is suitable for sale or dispensing.

The communication port may merely transmit data identifying the product in question and, having received data from the authentication database relating to that product, conduct the comparison and authentication itself.

Alternatively, comparison and authentication may take place at the authentication database on the basis of data associated with the product identifier.

Optionally, the terminal is arranged to conduct transactions relating to sales or dispensing of said products and the controller inhibits such transactions without the authentication. In this way, sale and dispensing of products is controlled by the system.

The terminal preferably communicates to the remote authentication database data relating to the terminal itself, for instance an identification code. In this way, if the terminal is stolen, it is possible to prevent authentication of products read by that terminal. In addition, the terminal preferably communicates to the remote authentication database data relating to the date and time of reading.

The terminal may include a user interface, such that the controller can indicate authentication of a product with the user interface. Alternatively or additionally, the nature or type of the product can be confirmed on the user interface on the basis of the data received from the authentication database.

Audio and/or video methods can be used to signal authentication, or lack thereof.

As part of the system, according to an embodiment of the present invention, there is also provided an authentication database for authenticating products housed in respective containers, each container including a respective unique product identifier, the database including: a communication port for receiving from a remote terminal data relating to the product identifier and for communicating to the terminal data for authenticating the product; and a memory for storing for each product at least the respective product identifier, and optionally one or more of : 841306 the nature or type of product housed in the container; the date of manufacture of the product; the name of the manufacturer; the place of manufacture of the product; the date of housing the product in the container; the sell-by date; the use-by date; special instructions, e. g. contra-indications or warnings; and data regarding unauthorized terminals.

The authentication database may be provided directly by the original manufacturer or may be provided by a third party on the basis of information provided by the manufacturer.

For the pharmaceutical industry, it is possible to provide improved patient safety, for instance with reduced occurrences of incorrect dispensing against prescription (especially at hospitals). There can be a reduction in loss of revenue and profit resulting from fraudulent products (together with a reduction in the estimated loss of jobs). Due to the improved control that is available, it is possible to provide improved availability of products at the point of dispensing, improved forecasting of consumption/demand and reduced inventory throughout the distribution channel.

It is also possible to provide confirmed compliance with relevant storage and shelf life specifications.

Aspects of invention will be more clearly understood from the following description, given by way of example only, with reference to the accompanying drawings, in which: Fig. 1 illustrates schematically a system according to an embodiment of the present invention; Fig. 2 illustrates schematically a container including a unique machine- readable identifier according to an embodiment of the present invention; Fig. 3 illustrates schematically a terminal according to an embodiment of the present invention; Fig. 4 illustrates schematically an authentication database according to an embodiment of the present invention; and Figs. 5-7 are exemplary flow charts according to embodiments of the present invention.

A system embodying an embodiment of the present invention is illustrated schematically in Figure 1.

A central authentication database 2 is provided to store data on a plurality of individual products. The database 2 may be provided directly by a manufacturer of those products or may be provided by a third party with the relevant information being obtained from the manufacturer.

A communication channel 4 allows communication between the authentication database 2 and the plurality of terminals 6. The communication channel may be embodied in any suitable manner, for instance wireless or land telecom line.

Channel 4 can be any known or later developed device or system for connecting the terminal 6 to the authentication database 2, including a direct cable connection, a connection over a wide area network or a local area network, a connection over an intranet, a connection over the Internet, or a connection over any other distributed processing network or system. In general, the channel 4 can be any known or later developed connection system or structure usable to connect the terminal 6 to the authentication database.

The terminals 6 are provided at locations where the products in question are finally released to the consumers, either by way of sale of the products or merely dispensing them.

Each of the products is provided in a container 8 having a unique product identifier 10, e. g. , a number or code that is associated with the particular product placed in the container. The product identifier can be machine- readable, or it can simply be a code that is manually input at terminal 6. The product identifier may be in the form of one or more bar codes or an identification device programmed with or otherwise associated with the product identifier. Preferably, the product identifier includes only a number or bar code placed on or in the container. Of course, other machine-readable media that can convey or carry the product identifier are contemplated, e. g., RFIDs, EPCs, magnetics, unique inks, etc.

Moreover, it is preferred that the product identifier 10 simply includes a unique identification for the container and/or the contained product without any additional information. For example, the product identifier may not include information about the product housed in the container. However, information about the product may be associated with the product identifier, for instance 841306 contained in the same bar-code or identification device or provided in a separate bar-code or identification device.

The terminals 6 are each able to read or scan data from the product identifier 10 so as to validate the authenticity of the housed product.

At the point where the product is being dispensed or sold to the consumer, the product identifier 10 is read by the terminal 6. By means of the communication channel 4, the terminal 6 can communicate with the authentication database 2 so as to confirm, or not, the authenticity of the container 8 and housed product. Dispensing/sale can be authorised or not.

Having obtained authentication and authorisation, the product can then be dispensed or sold.

The system may also be arranged such that, upon dispensing, the authentication database 2 communicates with the manufacturers, distributors, retailers, etc. to arrange billing and replenishment of the product.

The containers for the product may be embodied in a number of different ways.

Figure 2 illustrates schematically a pot of the type used for housing pharmaceutical tablets. In particular, a cap 8a is attached to a base 8b by means of a screw thread. In the illustrated embodiment, the cap 8a and base 8b are formed from moulded plastic. Figure 2 also shows that the pot may include an information tag, e. g. , a standard bar code 5, which may include general information about the product or manufacturer, but not unique data regarding the security of the product or container.

Thus, in accordance with a preferred embodiment, the product identifier may include only security information without any product information, while the standard bar code 5 or some other identification device provides information about the product, e. g. , manufacturer, dosage, expiration, recalls, etc.

In one embodiment, the unique product identifier 10 includes a number or a bar code 9 provided on a label or tag. If the product identifier is a number, the number may be machine-readable, or it may be simply input into point-of- release terminal 6. In another embodiment, the unique product identifier 10 is in the form of an identification device, e. g. , a tagging device 11. In still another embodiment, shown in Figure 2, the identification device includes both a bar code 9 and/or a tagging device 11. Terminals 6 can scan/read either the bar code 9 and/or the tagging device 11.

The identification device 11 includes a memory for storing, in a preferred mode, only the product identifier, to uniquely identify the housed product.

However, it is contemplated that the identification device 11 can store or have access to additional information about the product and container. This data can be read by an external device, e. g. , terminal 6.

As illustrated in Figure 2, the identification device 11 includes a portion 11 la which extends from the base 8b into the cap 8a. Thus, when the cap 8a is rotated relative to the base 8b to open the container 8, the extension I I a of the identification device 11 is sheared and broken from the identification device 11. Alternatively, or in addition, bar code 9'can be positioned on containers such that twisting of cap 8a shears bar code 9'.

841306 The identification device 11 can be configured such that shearing of the extension 11 a changes data within the identification device 11 or at least changes the nature of the signal which will be read by an external reader. In this way, the external reader can determine that the container 8 has been opened. Usually, this will result in the system failing to authenticate and authorise the product for sale or dispensing. In the simplest embodiment, shearing of the extension 11 a or bar code 9'will merely destroy the product identifier 10, such that no authentication can be achieved.

There are a variety of reasons why a unique product identifier approach is preferable to using the EPC coding format.

1. The EPC format has within it information regarding the product and a person reading the tag can infer information about the product. This is regarded as a privacy issue, particularly when associated with pharmaceuticals.

For example, during a job interview the potential employer notices that the potential employee has anti-cancer drugs in his pocket and therefore an offer is not extended to the applicant, etc. A unique product identifier has no value without the database which associates the number, e. g. , to some information.

2. Although the EPC format has a serial number element, it is much shorter than if a unique product identifier approach is used. This means that for very large volumes there is added complexity in managing the data.

Moreover, the EPC is not necessarily unique to the product.

3. Unique product identifiers are made unique at time of manufacture, whereas EPC relies on the manufacturer of the products to program them uniquely. This presents a weakness when they are used for security scenarios.

841306 4. EPC tags will by their definition allow counterfeiters to anticipate to some degree what valid serial numbers will be and program tags with those numbers. Unique product identifiers could be used in a"random"order to prevent the prediction of valid codes. Also they cannot be soft programmed.

This means that in order to make valid copies a counterfeiter would have to buy one product for everyone he wanted to copy in order to obtain another valid identifier. This severely reduces the value of counterfeiting the products.

In one preferred embodiment, a pharmaceutical company incorporates a <BR> <BR> product identifier, e. g. , a unique identification number or code, into each pack or individual blisters within each pack on the manufacturing line. This number, along with any other relevant instructions such as expiry dates, is transferred electronically into a third party secure database.

At the point of dispensing, e. g. , at terminals 6, products are placed on a scanner which connects securely to the database to verify the unique product <BR> <BR> identifier, e. g. , number, stored in the database. An electronic response is sent to the pharmacist confirming or rejecting the authenticity of product. Other relevant information may be supplied such as reason for authenticity failure, e. g. , product recall. Moreover, the manufacturer may post supplemental information to the authentication database, even after the product has been shipped. For example, the authentication database can periodically or on demand (via a prompt from the terminal) send late-supplied information to terminals, thereby avoiding the need for the manufacturer to send individual notice to each distributor in the supply chain. The pharmacist then decides whether to dispense or not taking into account the feedback received.

841306 The service does not change or rely on the current distribution chain for successful operation and the service is independent of the scanners used at terminals, i. e. , scanners are able to cope with a variety of tag types (including RFID or EPC). This leaves pharmaceutical companies the choice of the most appropriate technology and distribution solution for their products. Also, the manufacturer gains influence over the supply of the product.

It should be appreciated that similar product identifiers can be included in containers of any suitable form.

The container preferably only includes the product identifier. However, the container, by way of a bar-code and/or identification device, can include data indicating the nature or type of product within the container, the date of manufacture of the product, the name of the manufacturer, the place of manufacture of the product, the date of housing the product in the container, the sell-by date and the use-by date. It is also possible to store any other data of relevance or use in the distribution of the product in question.

In one embodiment, the container, e. g. by way of an identification device, can include one or more sensors to detect environmental conditions such as temperature and humidity.

The identification device can record the environmental conditions as an on- going profile. Alternatively, the identification device could merely record when the environmental conditions exceed a predetermined limit.

In this way an external reader is able to determine the conditions to which the product has been subjected between manufacture and sale or dispensing. If the 841306 product has been subjected to conditions beyond predetermined limits, authentication may be refused.

As illustrated in Figure 3, each terminal 6 is provided with a scanner or reader 12 by which the product identifier 10 can be read. Reader 12 can read/scan data from the product identifier, e. g. , from the bar code 9 or identification device 11, and preferably the reader 12 can read/scan data from both the bar code 9 and the identification device 11. A controller 14 may then communicate some or all of this data to the authentication database 2 by means of a communication port 16.

In one embodiment, it may be sufficient for the controller 14 to transmit to the authentication database 2 only data sufficient to identify the product in question. The authentication database 2 could then communicate back to the controller 14 any information stored by the authentication database relating to that product. The controller 14 could then make any necessary comparisons to determine whether or not the product can be authenticated and authorised for sale or dispensing. A user interface 18 may be provided to indicate to the user information regarding the product. Also, a memory 20 may be provided to store data from the product identifier 10 and/or authentication database 2 or merely to assist in the processing of the controller 14. <BR> <BR> <P>In another embodiment, a range of scanning devices, e. g. , 27,28, etc. , may be<BR> connected which employ various scanning methods, e. g. , RFID, EPC, imaging devices, magnetic materials, unique inks, etc.

In a preferred embodiment, controller 14 sends to the authentication database 2 other data obtained or read from the bar-code 9 and/or identification device 841306 11. The authentication database 2 can then carry out the necessary comparisons and authentication. In this case, the controller 14 may merely receive from the authentication database 2 information regarding authentication.

As indicated above, by communicating data in this way, the system may give rise to other advantages with regard to monitoring where and when products are being sold and/or dispensed.

In one embodiment, at least some of the information read from the bar-codes 5 can be transmitted with data from the product identifier 10. In this way, even if authentication cannot be achieved, for instance where the product is counterfeit or repackaged in a container without a product identifier, the system can still automatically identify from the bar-code 5, the nature of the product.

An embodiment of an authentication database 2 is illustrated schematically in Figure 4.

A communication port 22 allows communication with a plurality of terminals 6. It may also allow communication with manufacturers for receiving data regarding their products.

A controller 24 interfaces with a memory 26. Having received data from a terminal 6 identifying a particular product, the controller 24 could merely retrieve the corresponding data for that product from the memory 26 and transmit it back to the terminal 6 via the communication port 22. However, in a preferred embodiment, the controller 24 makes use of additional data read 841306 from the container of the product (for instance from a bar code or identification device) and communicated by the terminals 6 so as to conduct the authentication process. The controller 24 can then transmit authentication information to the relevant terminal 6 by means of the communication port 22.

As mentioned above, the controller 24 may also make use of the data so as to provide additional information regarding the sale or dispensing of the products.

As described above, a comparison between data from the authentication database and the data from the scanned, read and/or input unique product identifier are compared to determine authentication of the product.

In yet another embodiment, the terminal and/or the authentication database can have access to data from yet another source, e. g. , a third party such as a database of the Food and Drug Administration (FDA), EMEA or NPSA.

Other examples of third parties include other entities within the supply chain.

For example, if a container with drugs is scanned at a point of-release terminal, the data channel 4 and/or the authentication database 2 can have access to data from a third party which may indicate that the product is defective or not fit for consumption. For example, the third party data could indicate that the product should have been maintained at a set temperature, but that the refrigerator malfunctioned and there is a possibility that the set temperature was exceeded. In this case, it might be appropriate to not authenticate the product. As another example, the third party data may indicate that the product is restricted for sale in a certain geographical location, e. g. , sample stock not intended for resale.

841306 The memory 26 may store for each product data indicating the nature or type of the product housed in the container, the date of manufacture of the product, place of manufacture of the product, the date of housing the product in the container, the sell-by date and the use-by date.

Figure 5 illustrates a flow chart with one exemplary process for product authentication. Step 502 includes placing the product in a container. Step 504 includes providing the container with a unique identifier with data identifying the respective products. Such data may include the product manufacturer, the date and time of manufacture, or other traceability data.

Preferably, the product identifier is placed in or on the container by the manufacturer when the product is placed therein. Application of the unique product identifiers should be performed in a trusted location, under the control of the manufacturers. Step 506 includes storing in an authentication database data related to the product identifiers. The storing of the unique product identifiers should be performed in a similar trusted location within the manufacturer's control. Step 508 includes scanning/reading at a point of release terminal the stored data relating to the product identifier. Step 510 includes communicating at least some of the data relating to the product identifier to the authentication database. Step 512 includes comparing data of the product identifier with data from the authentication device to produce an authentication result or signal. Step 512 may be performed at central authentication database 2 or any one of terminals 6, as shown in Figure 1.

Step 514 includes communicating the authentication signal or result to the point-of-release terminal. The authentication signal or result may be in the form of an audio or visual signal to the operator of the terminal 6.

Figure 6 illustrates a flow chart of an exemplary form of operation for a point of release terminal. Step 602 includes reading data from a container's unique product identifier. In step 604, at least some of the data from the product identifier is communicated to a remote authentication database. In step 606, authentication of a product is provided on the basis of a comparison of data from the authentication database and data from the product identifier. The comparison step can take place either at the remote authentication database, or at the point-of release terminal 6.

Figure 7 is a flow chart illustrating an exemplary form of operation of the authentication database. In step 702, the authentication database receives data relating to a unique product identifier from a remote terminal 6.

Alternatively, the authentication database in step 702 can merely receive a request from a point-of-release terminal that information regarding the unique product identifier be sent back to point of-release terminal 6. In this event, the authentication database would simply provide the requested information back to point-of-release terminal 6, without conducting the comparison, which will be performed at point-of-release terminal 6.

In step 704, data relating to the product identifier is stored for each respective product.

As shown in Figure 1, the authentication system is preferably implemented on a programmed general purpose computer. However, the authentication system (or its subcomponents) can also be implemented on a special purpose computer, a programmed microprocessor or microcontroller and peripheral integrated circuit elements, an ASIC or other integrated circuit, a digital signal processor, a hardwired electronic or logic circuit such as a discrete element 841306 circuit, a programmable logic device such as a PLD, PLA, FPGA or PAL, or the like. In general, any device, capable of implementing a finite state machine that is in turn capable of implementing the described systems, methods and the flowcharts shown in Figures 5-7, can be used to implement the authentication system.

The flow charts of Figures 5-7, or portions thereof, can be programmed onto a machine-readable recording medium, e. g. , compact or floppy disks, etc. that<BR> includes a control program for controlling a data processor, e. g. , controllers 14 (Figure 3) or 24 (Figure 4). Moreover, upgrades at terminals 6 may be initiated by sending such recording medium to the terminals. Alternatively, or in addition, upgrades to the control program can be sent electronically to the terminals.

Aspects of the invention have been described in relation to preferred embodiments thereof, which are intended to be illustrative, and not limiting.

Variations and/or modifications all within the scope of the invention will be apparent to those of ordinary skill in the art.