Tag Archives: traceability

Steven Burton
Soapbox

Which Safety Standards Work Best for the Cannabis Industry?

By Steven Burton
No Comments
Steven Burton

Now that governments are legalizing cannabis around the world, the question looms for cannabis businesses seeking legitimacy in the new industry: what safety standards should apply? This question is more difficult as different jurisdictions grapple with defining and implementing legal requirements and struggle to keep up with the pace of growth.

For visionary cannabis business, it makes sense to anticipate requirements – not only from governments, but also from consumers and partners. Most regulations currently focus on security and basic health issues but, in the long-term, the industry that may offer the best model for cannabis businesses isn’t pharmaceuticals, but food. Cannabis (especially edibles) share similar hazards and traceability challenges with food products, so taking the lead from the food industry will be much more applicable and could offer greater benefits.

marijuana buds drying in racks biotrackthc
Dried cannabis curing with RFID tags as part of a traceability system.

Companies that achieve the highest and most flexible certification will enjoy a crucial competitive advantage when it comes to winning market share, popularity and consumer trust. Let’s take a quick look at the different options of food safety (and quality) certifications that cannabis businesses may consider. But first, let’s clarify two important definitions that are necessary to understand the food industry.

Basic Concepts from the Food Industry

The first acronym you should be aware of is GFSI, the Global Food Safety Initiative. GFSI is a food industry-driven global collaboration body created to advance food safety. When it comes to understanding GFSI, the important part to note is that certifications recognized by GFSI (like SQF, FSSC 22000, and BRC) are universally accepted. Companies operating under GFSI-recognized certifications open the most doors to the most markets, providing the highest potential for growth. For this reason, cannabis companies should be aware of and seriously consider seeking GFSI certifications

HACCPSecondly, many food safety programs are built around Hazard Analysis Critical Control Points, or HACCP. While many people may talk about HACCP like it’s a certification in and of itself, it is not actually a certification like the others on this list, but rather a methodology that helps companies systematically identify and control biological, chemical, and physical hazards that may arise during food production, handling, and distribution. Companies that adopt this methodology end up with a HACCP plan, which must then be followed at all times to avoid and address health and safety issues. It’s often required for food businesses and is generally required in most of the world, except where ISO 22000 is more common, primarily in Europe and countries whose primary export market is European. Since HACCP plans are also incorporated into most of the other achievable certifications, developing a HACCP program early will build a strong foundation for higher levels of certification.

Certifications for the Cannabis Industry

Now that we understand the basics of GFSI and HACCP, we can see how the certifications that have been developed by and for the food industry may apply to cannabis companies – and which you should consider necessary for your business.

GMP: Good Manufacturing Practice Certification

GMP (or sometimes cGMP) certification requires that companies abide by a set of good manufacturing processes for food and beverage products, pharmaceuticals, cosmetics, dietary supplements and medical devices. Since it really only covers basic sanitation and employee hygiene, it is considered the lowest level of certification in the industry. It is not recognized by GFSI, but GFSI does require all the standard benchmarks of a GMP be met before granting GFSI certification.

While GMP certification is often required, it is far below the standard that should be upheld by any serious businesses. It doesn’t cover many of the different types of hazards associated with food production – that I have argued will become increasingly relevant to cannabis producers – and doesn’t provide a systematic approach to identifying and controlling hazards like a HACCP program would. It’s really just about providing the basic procedures and checks to ensure that the facility is clean and that employees aren’t contaminating the products.GMP

Final Verdict: Recommended, but as the bare minimum. GMP is not sufficient on its own to adequately control the risk of recalls and foodborne illness outbreaks, and it limits a company’s market potential because it lacks the GFSI worldwide stamp of approval.

Some companies consider GMP certification a good place to start if you’re on a tight deadline for distribution in markets where only GMP is required by regulators. I would argue that striving for the minimum standards will be costly in the long run. Health, safety and quality standards are the foundations upon which winning companies are built. It’s critical to develop a corporate culture that will lead to GFSI-recognized programs without major organizational overhaul. Start on the right foot and set your sights higher – obtain a certification that will stand the test of time and avoid the pain and risks of trying to change entrenched behaviors.

SQF: Safe Quality Food Program Certification

SQF is my number one recommendation as the best certification for the cannabis industry. One of the most common certifications in North America, SQF is a food safety management system recognized by retailers and consumers alike. It is administered by the Food Marketing Institute (FMI) and, importantly, recognized by GFSI, which gives companies a huge competitive edge. SQF focuses on the whole supply chain.

SQF was also the first to develop a cannabis program and is currently the leader in this market segment. It is also the scheme that best integrates food safety with quality. Since it is recognized worldwide, SQF provides the greatest leverage to accelerate a company’s growth. Once obtained, products with SQF certification can often jump the queue to enter different regulatory markets.

Final verdict: Highly recommended. A cannabis company with an SQF certification has the greatest advantage because it offers the broadest worldwide reach and keeps companies a step ahead of competitors. It’s also achievable – just this past April, Curaleaf Florida ostensibly became the first cannabis company to achieve SQF certification. It is tough, but fair and practical.

Other Certification Standards

SQF is the top certification that should be considered by cannabis companies, especially outside of Europe. However, the food industry has several other major types of standards that, at this time, have limited relevance to the cannabis industry today. Let’s take a quick look.

When considering GFSI-recognized programs, the main choice for food companies is between SQF, which we’ve covered, and BRC (the British Retail Consortium Certification). BRC has the most in common with SQF but, while SQF was originally developed for processed foods, BRC was developed in the UK for meat products. Today, they are quite similar, but BRC doesn’t focus quite as much on the quality component as SQF does. While BRC could be a good option, they don’t have a program for cannabis and, thus far, do not appear to be as friendly toward the cannabis industry.The food industry has a lot to offer cannabis companies that are anticipating future regulatory changes and market advantages 

Across the pond, there are a few other certification standards that are more common than SQF. One of these is ISO 22000, which is the certification for the food-related standard created by the International Organization for Standardization (ISO) in Europe. It is not recognized by GFSI but is the primary system used in Europe. If your market is exclusively in the EU, it might be a good choice for you in the future. However, to date, there is no indication that any cannabis company has achieved ISO 22000 certification. Some cannabis companies have attained certification for other ISO standards like ISO 9001:2015, which specifies requirements for quality control systems, and ISO/IEC 17025 for laboratory testing. These are generally more relevant for the pharmaceutical industry than food and beverage, but still apply to cannabis.

There is the perception that cannabis is more accepted in EU countries like the Netherlands, but the regulatory attitude to cannabis is complicated. In the Netherlands, for example, cannabis isn’t actually legal – “coffee shops” fall under a toleration policy that doesn’t include regulation. Medical cannabis in the Netherlands is all produced by one supplier and several countries in the EU allow for licensed distribution and import, but not domestic production. Various EU countries are trying to keep up with the legalization trend, however. The Czech Republic, Germany, and others all recently introduced legislation for domestic production of cannabis for medical use. For companies with their eye on the EU, it is crucial to watch which regulatory requirements will be implemented in each market and how.

The last certification standard to mention is the result of a compromise between ISO and the more HACCP oriented programs like SQF. FSSC 22000 (Food Safety System Certification) tries to address the gaps between ISO 22000 and GFSI-recognized certifications by introducing another component called PAS 220. Since it is recognized by GFSI, FSSC 22000 is starting to get more traction in the food industry because it makes products a bit easier to export to the EU. FSSC 22000 satisfies the EU ISO standards but isn’t as closely tied to HACCP. We will be keeping an eye on this one.

Final Takeaway

The food industry has a lot to offer cannabis companies that are anticipating future regulatory changes and market advantages – but it’s difficult for cannabis companies to understand all the options available and how each apply to their specific products. While markets adjust beyond the preliminary issue of legality, it’s crucial for companies to look forward and comply with safety and quality standards like SQF. Companies who strive for SQF certification (or other GFSI-recognized certifications as they become available) will find themselves far better prepared to seize market share as cannabis markets blossom.

Top 10 Common Findings Detected During Cannabis Laboratory Assessments: A Guide to Assist with Accreditation

By Tracy Szerszen
No Comments

With the cannabis industry growing rapidly, laboratories are adapting to the new market demand for medical cannabis testing in accordance to ISO/IEC 17025. Third-party accreditation bodies, such as Perry Johnson Laboratory Accreditation, Inc. (PJLA), conduct these assessments to determine that laboratories are following relevant medical cannabis testing standard protocols in order to detect potency and contaminant levels in cannabis. Additionally, laboratories are required to implement and maintain a quality management system throughout their facility. Obtaining accreditation is a challenge for laboratories initially going through the process. There are many requirements outlined in the standard that laboratories must adhere to in order to obtain a final certificate of accreditation. Laboratories should evaluate the ISO 17025 standard thoroughly, receive adequate training, implement the standard within their facility and conduct an internal audit in order to prepare for a third-party assessment. Being prepared will ultimately reduce the number of findings detected during the on-site assessment. Listed below is research and evidence gathered by PJLA to determine the top ten findings by clause specifically in relation to cannabis testing laboratories.

PJLA chart
The top 10 findings by clause

4.2: Management System

  • Defined roles and responsibilities of management system and its quality policies, including a structured outline of supporting procedures, requirements of the policy statement and establishment of objectives.
  • Providing evidence of establishing the development, implementation and maintenance of the management system appropriate to the scope of activities and the continuous improvement of its effectiveness.
  • Ensuring the integrity of the management system during planned and implemented changes.
  • Communication from management of the importance of meeting customer, statutory and regulatory requirements

4.3: Document Control

  • Establishing and maintaining procedures to control all documents that form the management system.
  • The review of document approvals, issuance and changes.

4.6: Purchasing Services and Supplies

  • Policies and procedures for the selection and purchasing of services and supplies, inspection and verification of services and supplies
  • Review and approval of purchasing documents containing data describing the services and supplies ordered
  • Maintaining records for the evaluation of suppliers of critical consumables, supplies and services, which affect the quality of laboratory outputs.

4.13: Control of Records

  • Establishing and maintaining procedures for identification, collection, indexing, access, filing, storage and disposal of quality and technical records.
  • Providing procedures to protect and back-up records stored electronically and to prevent unauthorized access.

4.14: Internal Audits

  • Having a predetermined schedule and procedure for conducting internal audits of its activities and that addresses all elements that verify its compliance of its established management system and ISO/IEC 17025
  • Completing and recording corrective actions arising from internal audits in a timely manner, follow-up activities of implementation and verification of effectiveness of corrective actions taken.

5.2: Personnel

  • Laboratory management not ensuring the competence and qualifications of all personnel who operate specific equipment, perform tests, evaluate test results and sign test reports. Lack of personnel undergoing training and providing appropriate supervision
  • Providing a training program policies and procedures for an effective training program that is appropriate; identification and review of training needs and the program’s effectiveness to demonstrate competence.
  • Lack of maintaining records of training actions taken, current job descriptions for managerial, technical and key support personnel involved in testing

5.4: Test and Calibration Methods and Method Validation

  • Utilization of appropriate laboratory methods and procedures for all testing within the labs scope; including sampling, handling, transport, storage and preparation of items being tested, and where appropriate, a procedure for an estimation of the measurement of uncertainty and statistical techniques for analysis
  • Up-to-date instructions on the use and operation of all relevant equipment, and on the handling and preparation of items for testing
  • Introduction laboratory-developed and non-standard methods and developing procedures prior to implementation.
  • Validating non-standard methods in accordance with the standard
  • Not completing appropriate checks in a systematic manner for calculations and data transfers

5.6: Measurement Traceability

  • Ensuring that equipment used has the associated measurement uncertainty needed for traceability of measurements to SI units or certified reference materials and completing intermediate checks needed according to a defined procedure and schedules.
  • Not having procedures for safe handling, transport, storage and use of reference standards and materials that prevent contamination or deterioration of its integrity.

5.10: Reporting the Results

  • Test reports not meeting the standard requirements, statements of compliance with accounting for uncertainty, not providing evidence for measurement traceability, inaccurately amending reports.

SOP-3: Use of the Logo

  • Inappropriate use of PJLA’s logo on the laboratories test reports and/or website.
  • Using the incorrect logo for the testing laboratory or using the logo without prior approval from PJLA.
Steven Burton
Soapbox

Why Traceability Is Crucial for the Cannabis Industry

By Steven Burton
No Comments
Steven Burton

The stage is set: cannabis legalization is rolling out around the world. With legalization comes regulations and smart companies will adapt to make new requirements work for them. In the end, our shared goal (as industry, consumers and government) is the same: provide safe, high-quality, reliable products. This is where traceability comes in.

If a cannabis product isn’t safe (cannabis is vulnerable to the same kinds of hazards as most food products), the reputation of the entire industry suffers. Earning public trust is the first step toward favorable government regulations. With upcoming decisions that will decide taxation and distribution, it’s more important than ever that cannabis producers can react quickly if recalls should occur – and that means taking traceability seriously.

Comprehensive Traceability for Cannabis Means More Than Legality

A crucial key to producing safe and high-quality cannabis products is detailed traceability. Many states require cannabis businesses to use systems like Metrc, a technology that uses RFID tags to track cannabis from seed to sale to ensure nothing is diverted to the black market. However, Metrc focuses only on the chain of custody, not on the safety or quality of the product.METRC logo

Ensuring a secure supply chain is only one piece of the cannabis puzzle. Public health hazards like toxic chemical contamination, mold growth and pathogenic contamination introduced by pests or improper employee handling need to be controlled in order to earn public trust and comply with regulations. State-mandated traceability systems don’t address these imperatives, so an effective safety technology that includes traceability, in addition to mandated systems like Metrc, is absolutely necessary to complete the cannabis picture.

Automation Technology Supports Cannabis Companies’ Growth and Helps With Audits

Cannabis professionals are aware of the regulatory scrutiny the industry is under and many have turned to automation technology to help stand up to this scrutiny, as well as collect and manage all the data necessary for compliance. Automating data collection pays off in several ways. For one, interconnected, real-time IoT technologies that are accessible to the entire facility 24/7 are giving cannabis businesses the tools they need to create the best possible products now, as well as providing them with the data they need to make their products even better. Since frequent audits are a part of the legalization transition, automation also makes preparing for audits and inspections a matter of minutes instead of days.

Ron Sigman, chief executive officer of marijuana compliance consulting firm Adherence Corp. and former investigator for the Marijuana Enforcement Division (MED) in Colorado, lists the most common violations for cannabis businesses that he found during more than 200 audits in an interview for Marijuana Business Daily. These violations include:

  • Metrc issues, especially accounting not matching inventory (too many plants or ounces of marijuana on the premises);
  • Security issues like lack of sufficient camera coverage;
  • Failure to upgrade licenses;
  • Improper or incomplete training of new employees.

Adopting safety and traceability concepts that the food industry developed over many decades can yield huge benefits for cannabis businessesA proper cannabis traceability technology mitigates these problems by providing notifications of inventory inconsistencies, certification expirations and more. Traceability for cannabis must be able to handle the complexities of procedures like terpene extraction and injection. With the rapid growth of the industry, it must be able to set targets and track actuals. It should track, not just cannabis plants and related derivatives, but also every other ingredient, material and packaging material used during production. There must be monitoring at each stage of production and a system in place to ensure all employee training is up to date. Preventative maintenance must be scheduled and tracked and hazards must be identified and controlled. In the event of an audit or recall, precise mass-balance calculations must be available to account for every gram of product, including non-cannabis ingredients like coconut oil and packaging materials like pouches and labels.

GMPDetailed traceability can make the difference between a cannabis business keeping their license or being shut down. “You have to make a diligent effort to stay compliant 365 days out of the year, because you never know when a regulatory agency is going to come knocking on your door,” says Sigman. Knowing exactly what went wrong when and where allows a company to make changes so failures don’t happen again.

Higher Standards Will Be Demanded

The standard sought by most in the cannabis industry is only GMP (Good Manufacturing Practice) certification, which is actually the lowest level of certification possible in food production. With the public demand for edibles and concentrates on the rise and major retailers scrambling for seats at the table, the demand for transparency from growers and manufacturers will increase. Cannabis companies will soon find that GMP compliance simply won’t be enough to earn trust and expand their market share, especially when it comes to edibles and concentrates.

SQF-Certified“Every day, patients express interest and assurance of wanting to know that the foods and medicines they consume are safe and of the best quality available,” says Lindsay Jones, president of Curaleaf Florida, the first medical cannabis company in Florida to achieve SQF Certification. Safe Quality Food (SQF) certification ensures a company meets the highest levels of safety and quality on a reliable basis. Curaleaf has set a new bar in the industry that others will be compelled to follow and they should be congratulated for their proactive vision.

Adopting safety and traceability concepts that the food industry developed over many decades can yield huge benefits for cannabis businesses, but it will be interesting to watch the technology evolve to accommodate the specific needs of retailers and consumers. Imagine a traceability system that ensures safety and quality while also tracking consistency and potency.

The Future of Cannabis Is Bright

The emerging cannabis industry is facing challenging hurdles on its path to widespread legalization and acceptance but the forecast is sunny – for companies who are prepared.

New Frontier Data CEO Giadha Aguirre De Carcer, explains that California’s “legal (cannabis) industry is forecast to grow from $2.8 billion in 2017 to $5.6 billion in 2020. That spending will be increasingly directed at products and retailers who understand and serve the market’s evolving tastes and preferences.” That includes implementing comprehensive traceability systems to deliver safe, quality product.

Washington Lab Conducts Transparency Study

By Aaron G. Biros
2 Comments

Earlier this week Capitol Analysis Group, a cannabis-testing laboratory based in Lacey, Washington, announced they are conducting a “data-driven Lab Transparency Project, an effort to improve accuracy of cannabis testing results in the state through transparency and a new third-party auditing process,” according to a press release. They plan to look through the state’s traceability data to find patterns of deviations and possible foul play.

The project launch comes after Straightline Analytics, a Washington cannabis industry data company, released a report indicating they found rampant laboratory shopping to be present in the state. Lab shopping is a less-than-ethical business practice where cannabis producers look for the lab that will give them the most favorable results, particularly with respect to higher potency figures and lower contamination fail rates.“Lab shopping shouldn’t exist, because it is a symptom of lab variability,”

According to the press release, their report “shows that businesses that pay for the highest number of lab tests achieve, on average, reported potency levels 2.71% higher than do those that pay for the lowest number of lab tests.” They also found labs that provide higher potency figures tend to have the largest market share.

The Lab Transparency Project logo
The Lab Transparency Project logo

The goal of The Lab Transparency Project is to provide summaries of lab data across the state, shining a light in particular on which labs provide the highest potency results. “Lab shopping shouldn’t exist, because it is a symptom of lab variability,” says Jeff Doughty, president of Capitol Analysis. “We already have standards that should prevent variations in lab results and proficiency testing that shows that the labs are capable of doing the testing.” The other piece to this project is independent third party auditing, where they hope other labs will collaborate in the name of transparency and honesty. “Problems arise when the auditors aren’t looking,” says Doughty. “Therefore, we’re creating the Lab Transparency Project to contribute to honesty and transparency in the testing industry.”

Dr. Jim McRae, founder of Straightline Analytics, and the author of that inflammatory report, has been a vocal critic of the Washington cannabis testing industry for years now. “I applaud Capitol Analysis for committing to this effort,” says McRae. “With the state’s new traceability system up and running following a 4-month breakdown, the time for openness and transparency is now.” Dr. McRae will be contributing to the summaries of lab data as part of the project.

According to Doughty, the project is designed to be a largely collaborative effort with other labs, dedicated to improving lab standards and transparency in the industry.

Washington Security Breach Delays Traceability System Rollout

By Aaron G. Biros
No Comments

On February 8th, Peter Antolin, the deputy director for the Washington State Liquor and Cannabis Board (WSLCB), sent an email to licensees explaining why the transition to their new traceability system was disrupted. Last Saturday, someone gained access to the sensitive information in Leaf Data Systems, the state’s traceability software that is powered by MJ Freeway.

“A computer vulnerability was exploited on Saturday, allowing unauthorized access to the traceability system,” Antolin told licensees in the email. “There are indications an intruder downloaded a copy of the traceability database and took action that caused issues with inventory transfers for some users. We believe this was the root cause of the transfer/manifest issue experienced between Saturday and Monday.”WSLCB

The email goes on to say that no personally identifiable information was available to the ‘intruder,’ but some sensitive information was clearly accessed. That data includes route information of manifests filed between February 1st and 4th as well as transporter vehicle information including VIN, license plate number and vehicle type, according to the email.

That email leaves much to be desired. For one, they do not exactly have a solution, instead trying to alleviate licensees’ worries with a hollow inanity full of meaningless jargon: “The WSLCB and MJ Freeway continue to implement several strategies to prevent future vulnerabilities to future intrusions,” reads the email. “This includes full logging and monitoring and working with third-party entities. Since this remains an active investigation, details on security are not publicly available.” However, today the WSLCB is hosting a webinar where Peter Antolin, their IT division, the MJ Examiners unit and enforcement will be available to answer questions, according to the email.

WSLCB emailThis is by no means the first security breach that Washington and MJ Freeway have suffered. In May of 2017, Washington originally selected Franwell’s METRC as the contract partner for their traceability software system. Less than a month later in June of 2017, after a mistake in the selection process, Washington selected MJ Freeway instead of Franwell for the traceability contract. Three days later, MJ Freeway’s source code was stolen and published online. Then in September, Nevada cancelled their contract with MJ Freeway after a security breach, their services crashed in Pennsylvania and Spain, and in October it became clear that the company could not meet the October 31 deadline for their new Washington contract.

In November of 2017, BioTrackTHC, the company that held the previous contract for Washington’s traceability software, helped the state through the transition period with a temporary Band-Aid solution to hold the state over until January of 2018. A month after they expected to implement the new MJ Freeway system, the latest security breach occurred this week and disrupting the rollout yet again.

At the end of the email Antolin sent to licensees yesterday, he says there will continue to be attempts to breach the system’s security. “The bottom line is that this incident is unfortunate,” says Antolin. “There will continue to be malicious cyberattacks on the system. This is true of any public or private system and is especially true of the traceability system.” This begs a few questions: why aren’t we hearing about this kind of security breach in other states’ traceability systems? What are other companies doing that prevents this from happening? Why does this keep happening to MJ Freeway?

Open For Business: California Market Launches

By Aaron G. Biros
No Comments

California’s full legal cannabis market officially opened its doors for business on January 1st, 2018. Following a relatively short time frame when they announced the first licenses awarded less than a month ago, retail stores were open for business in counties throughout California. Customers came out in full force, with long lines on the opening day, with some hundreds deep stretching around blocks.

For the quick turn around time between implementing regulations and awarding temporary licenses, the grand opening of the cannabis market in the nation’s most populous state proceeded smoothly. Only a handful of minor hiccups associated with the launch were reported throughout the state. In the grand scheme of things, that’s a pretty good job for a new regulatory agency (The Bureau) tasked with regulating such a massive fledgling market.

One major and definitely foreseeable hiccup in the launch of California’s new medical and adult use markets was the failure to implement tracking software. According to Michael Blood with The Associated Press, licensed businesses are being asked by the California Department of Food and Agriculture to manually document sales and transfers of cannabis with paper invoices.

Los Angeles
Image: Kevin Stanchfield, Flickr

While the Department said the traceability system was implemented Tuesday, Blood says, cannabis businesses are not required to use it and will be trained on how to operate it before it becomes required to use later in 2018.

Local control regulations in California means that businesses must first seek approval from local authorities before attaining a temporary license from the state to operate. That coupled with the rolling process of awarding licenses meant that only some cannabis businesses could officially open their doors. Municipalities throughout California handle regulating cannabis differently.

The handful of adult use dispensaries with temporary licenses in the Los Angeles area received a massive influx of customers on opening day. Residents of LA came in droves to the four West Hollywood dispensaries open for adult use business.

BioTrackTHC To The Rescue: Contingency Plan for Washington

By Aaron G. Biros
1 Comment

According to a press release published this morning, BioTrackTHC successfully implemented their Universal Cannabis System (UCS) in Washington State, a temporary solution for the state’s seed-to-sale cannabis tracking system, while the new system is yet to be deployed.

BioTrackTHC had a contract with Washington State for four years, which expired just weeks ago at the beginning of November. Back in June, after a few minor hiccups, the state announced that MJ Freeway would be the successive software platform used for the state’s seed-to-sale traceability system.

The deadline for the new software to be ready for deployment was set for November 1st, when the BioTrackTHC contract would expire and the MJ Freeway contract would begin. Between when the contract was awarded and the deadline for implementation, MJ Freeway made headlines for a series of security hacks and systems failures. Subsequently, MJ Freeway said they could not deliver the software platform until January of 2018, leaving a two-month gap where businesses have no state-mandated software to use for the tracking system.

The contingency plan that the state laid out consisted of business owners manually inputting data in excel spreadsheets. When first pressed for a Band-Aid solution, representatives of BioTrackTHC cited security concerns related to MJ Freeway’s hacks as reason for being hesitant to extend their contract through the interim period.

In an open letter to the Washington cannabis industry back in October before the end of their contract, Patrick Vo, president and chief executive officer of BioTrackTHC, laid out an explanation for what went wrong and provided an alternative solution, essentially a private sector version of their government-mandated traceability software system.

The open letter to the Washington cannabis industry, written by Patrick Vo

Announced this morning, the new system, UCS, is being used by over 1,600 of the 1,700 cannabis licensees in Washington. The UCS has so far submitted 39,000 individual excel spreadsheets to the Washington State Liquor and Cannabis Board (WSLCB). “After the WSLCB announced that their replacement system would not be ready in time and that the only other option was for all 1,700 licensees to submit their seed-to-sale data via manual spreadsheets, BioTrackTHC created the UCS—a privatized clone of the government system—within a few days and deployed it minutes after the termination of the old system to minimize the impact on all licensees,” reads the press release.

The UCS allows business owners to streamline data recording, instead of manually entering information into spreadsheets. It is also integrating with 3rd party software competitors such as WeedTraQR, GrowFlow, Mr. Kraken, TraceWeed, GreenBits, S2Solutions and DopePlow. “After the WSLCB’s announcement, we knew that we had only a few days to provide a universal system to which the whole industry could submit compliance data and enable communication across the supply chain between licensees and their seed-to-sale system,” says Vo. “Our priority was to ensure that licensees could continue to operate in the absence of a government seed-to-sale system. Not having that system in place could have left Washington licensees vulnerable to noncompliance in a variety of ways, not to mention the potentially crippling volume of extra work needed to manually track a business’ entire inventory.”

Washington State’s new traceability software system by MJ Freeway is expected to deploy in January of 2018.

Using Cloud-Based LIMS To Improve Efficiency In Cannabis Labs

By Shonali Paul
No Comments

Cannabis testing laboratories around the country are expanding quickly, taking on new clients and growing their business incrementally. Many of these labs are receiving a large number of test requests from growers for potency testing, terpene profiling, pesticide screening, residual solvent screening, heavy metal testing, microbial analysis and even genetic testing. To keep pace with the number of test requests received, efficient data, sample and test management is imperative.

Considering the magnitude of cannabis testing, data management using spreadsheets is a serious impediment to quality assurance. Data being recorded in spreadsheets is error-prone and difficult to manage. Furthermore, using spreadsheets does not allow labs to adhere to regulatory guidelines that demand strict accounting for every gram of the sample, right from reception, consumption for testing, to disposal.

Log samples, keep track of Chain of Custody(CoC), track samples from initial location in the lab through disposal by recording location, custodians and other metadata

To overcome such data management challenges and improve the operational efficiency of cannabis testing laboratories, a Laboratory Information Management System (LIMS) plays a significant role. LIMS are much more capable than spreadsheets and paper-based tools for managing analytical and operational activities. LIMS enhances the productivity and quality by eliminating the manual data entry. With its built-in audit trail capability, LIMS helps labs adhere to regulatory standards.

LIMS can provide companies with a method to manage samples, records and test results, and ensures regulatory compliance by increasing traceability. LIMS can also be integrated with other lab instrumentation and enterprise systems, enabling easier transmission of information across the lab and the organization, reducing manual efforts and improving decision-making.

Account for the entire quantity of sample received, used and disposed

Multiple resources are also available to assist labs in preparing for quality assurance and accreditation, LIMS being one of them. LIMS can help cannabis labs with instrument integration, and automate reporting to help improve efficiencies and reduce errors. LIMS, such as CloudLIMS Lite, a cloud-based LIMS, automates cannabis-testing workflows right from sample collection, data recording, managing test chain of custody, sample weight accounting to report generation. With data security and audit trails, a LIMS provides traceable documentary evidence required to achieve ISO 17025 accreditation for highly regulated labs. Above all, cloud-enabled systems are often low in the total cost of acquisition, have maintenance outsourced, and are scalable to help meet the ever-changing business and regulatory compliance needs.

Incorporate all tests, instruments, sample information and result data (etc.) in one place

Cloud-based products are secure, easy to deploy and scalable. A cloud product is typically hosted on a server with a guaranteed uptime of 99.5%, allowing for a reliable system, accessible 24×7. Cloud-based LIMS have automatic data backup mechanism that allow for quick turnarounds in case of a server failure or in the eventuality of a natural disaster.

With LIMS in place, cannabis labs can manage sample and requisition-centric records, track sample quantity and location, integrate the test data, and provide online reports to clients. This in turn, reduces the turnaround time for testing and improves the operational efficiency. Besides, audit trail of each and every activity performed by the lab personnel is recorded in the system to ensure that the lab follows regulatory compliance.


Editor’s Note: This is a condensed version of a poster that was submitted and displayed at this year’s Cannabis Science Conference in Portland, Oregon. The authors of the original poster are Arun Apte, Stephen Goldman, Aditi Gade and Shonali Paul.

MJ Freeway Hardships Linger

By Aaron G. Biros
No Comments

MJ Freeway, a seed-to-sale traceability software company with a number of government contracts, has been making headlines this year for all the wrong reasons. A series of security breaches, website crashes and implementation delays have beleaguered the software company throughout 2017.

Just this morning, the Philadelphia Inquirer reported the company’s services crashed Saturday night and Monday afternoon. That article also mentions an anonymous hacker tried to sell sensitive information from the Washington and Nevada hacks in September. Back in April, when Pennsylvania awarded the state’s contract to MJ Freeway for its tracking system, Amy Poinsett, co-founder and chief executive officer of MJ Freeway told reporters “I think I can confidently say we are the most secure cannabis company in this particular industry.” It is safe to say this is now being called into question.

Earlier this week, New Cannabis Venture’s Alan Brochstein reported that MJ Freeway is unable to meet Washington’s October 31st deadline to integrate their software with the state, forcing customers to manually report data.

Roughly a month ago, Nevada suddenly cancelled their contract with MJ Freeway, just two years into their five-year deal. Back in June, the company’s source code was stolen and published online. And back in January of this year, the company’s sales and inventory system was the target of a cyber attack.

According to an email we obtained, all of MJFreeway’s clients in Spain experienced an online outage, but that services were restored within 24 hours. In an email sent to clients in Spain, the company told customers that the problems were the result of a system failure. “Our initial analysis indicates that this was a system failure and unfortunately none of the data was able to be successfully retrieved from the backup archive due to an error but we can assure you that none of your data was extracted or viewed at any moment,” reads the email. “We are extremely distressed regarding the event that occurred with the system and the service interruption that occurred yesterday. We recognize that this is a situation that is very serious and negatively impacts your club.” The email says that MJ Freeway is addressing those problems in a few ways, one of which being ongoing audits of their data backups. “The event has led us to reconstruct our “hosting environment” in Europe to use the latest technology from Amazon Web Services with the best redundancy, flexibility and security, using the highest stability measures in the AWS environment,” reads the email. While the site will be restored fully, according the email, historical data is lost. The company is working with their clients to help them get data back into the system. 

MJ Freeway’s Source Code Stolen & Published Online

By Aaron G. Biros
9 Comments

Portions of MJ Freeway’s source code were reportedly stolen and posted in Reddit threads as well as on Gitlab.com, a source code hosting website. On June 15th, the account “MJFreeway Open Source” was made on Gitlab.com, and portions of the source code were posted, but have since been taken down. Source code is essentially a list of commands of a program, the basis for making improvements and modifications to a software system. Source code can sometimes contain sensitive information. To be clear, MJ Freeway does not use an open source model; their source code is the basis of their traceability software. Open source is a tool that fosters public collaboration on software development, helping identify weaknesses or areas for improvement.

When asked to comment on the matter, MJ Freeway issued the following statement:

“Last week we discovered that someone had obtained an outdated portion of MJ Freeway’s source code. This incident has absolutely no impact on our systems or MJ Freeway services, and client and patient data is not at risk. While this theft poses no risk to our clients, patients, or business operations, we take any incident involving unauthorized access very seriously and have reported it to the Colorado Bureau of Investigation.

Unfortunately, it has come to our attention that our competitors are spreading inaccurate information about the incident, including baseless claims about SSL info and the potential for client data being compromised – neither of which is true. We encourage our customers to contact us directly with any questions they may have.

We follow or exceed all relevant industry security standards and are confident that we have the most robust security measures in our industry. None of our peers come close. However, we live in a world of determined cyber-criminals and we operate in a competitive environment. Success and size makes a company a bigger target for malicious actors, as other large companies also know. We will continue to investigate and take follow-up action as we learn more about this incident.”

On Sunday, June 18th, a user by the name of ‘techdudes420’ posted in the subreddit, r/weedbiz, a thread titled “MJFreeway goes open source.” The link for that post was the Gitlab.com page where MJ Freeway’s source code was published briefly. The same user then published a second reddit post the following day with the same link to the stolen code, but this time in the r/COents, a subreddit for the Colorado cannabis community. MJ Freeway is based in Denver. That post claimed the user found the stolen source code with a quick search and that the user was banned because of that. The moderator of the thread chimed in, saying they banned the user for posting the stolen code. “We received a takedown request from the software owner stating the code had been stolen and released without permission,” says the moderator. “After investigating the matter I reached the same conclusion and removed the thread.” The moderator then updated the comment shortly after: “Edit: As for OP [original poster] ‘finding’ the code, if that were true I don’t know why he or she would have created a new Reddit account just to post the link.”

In addition to their own cybersecurity analysis, a spokeswoman for MJ Freeway says they will be performing a third party audit and analysis this week as well. When that information becomes available, we will update this article.


Update: Multiple sources have reported that portions of MJ Freeway’s source code are still available online on torrent sites like PirateBay.