Feature
posted 13 May 2005 in Volume 1 Issue 10
Next-generation document management
For companies operating in a tightly regulated industry, sophisticated document-management systems are essential.
By Jörg Werner
Boehringer Ingelheim is one of the world’s 20 leading pharmaceutical companies. Headquartered in
It is essential that the company maintains clear documentation throughout all of the steps of its product-development process. This is a requirement that makes for easy information access, a controlled document lifecycle and a coherent data structure. Easy navigation and retrieval of this information is mandatory.
Cross-functional co-ordination
Throughout the corporation, all application areas of document management must follow common rules. In 1998, to achieve this goal, a project was approved to implement document management and publishing in medicine and to foster the organisation’s existing document-management installation as a global infrastructure system.
The main aspects of the project are:
- Archiving concept;
- Software deployment and installation procedure;
- Document types and classes;
- Hardware platforms;
- Interface to other technologies and software tools.
The main goals of this initiative are:
- Reducing time to registration dossier submission;
- Controlling the process of dossier compilation and archiving of all submitted dossiers;
- Creation and maintenance of the Clinical Trial Master Files;
- Optimisation of the clinical-trial writing process.
In 2000, to fulfil the goals of the project, the first generation of IDEAforSUB (International Document Management and Electronic Archive for Submission) was launched to 1,500 users in 25 countries. In 2003, the next generations followed, each focused on re-modelling the paper-based processes of business units into a more electronic process. In the near future, the sixth generation of the system will be rolled out, which will further streamline the Regulatory Affairs processes.
Today, approximately 4,000 users are using the system, which carries around two terabytes of data with an average growth of 100GB per month.
Another popular system is IDEA for General Business, which holds general information, and runs parallel to the IDEA for Submission’s initiative. Today, around 450GB of data is maintained in this system and the user community is estimated at around 5,000 active users, although the system is open to every Boehringer Ingelheim employee.
In April 2005, a third document-management system was launched, called IDEA for Controlled Documents. This system serves as a company-wide repository for standard operating procedures, working instructions, specifications, batch records, etc, targeting approximately 15,000 users in 30 countries.
The challenge: maintaining the authenticity of documents
When moving paper processes into an electronic-document-management process, harmonising the processes and making information more easily accessible, issues of document authenticity were never far away.
Boehringer Ingelheim uses a document-management system from EMC, which provides features that help ensure the authenticity of documents. Nevertheless, making use of these features requires a careful analysis of the different business cases before they are implemented.
The response to the challenge of ensuring security and authenticity of documents within the company’s document-management system could be regarded as a kind of onion shell.
The first layer of this model is the Authentication process, which takes place against one of our three document-management systems. Next comes the Audit Trail, which is followed by the Authorisation process and then by the permissions of different Activities. Most of these activities are brought in by the needs of the various business processes. The next layer focuses on the so-called Meta Information, which is information that is stored in attributes of objects created in the system. These attributes store information about how objects are interrelated to each other and are stored in an Oracle database. The core of this onion is the content, which is the target of all these protection activities. The complete picture is outlined in figure 1.
The first layer is much more sophisticated than a simple authentication procedure, and is better described in terms of identity access and management. This process is twofold. The first part focuses on user administration, which is performed in the Active Directory and ensures user uniqueness. User uniqueness becomes extremely important when looking at signature authenticity in the electronic-signature process described below. Due to the fact that the Active Directory is an infrastructure component, user administration can be handled centrally.
User authentication is performed via Lightweight Directory Access Protocol (LDAP) against different domain controllers. During user authentication, a password travels from the user PC over the application servers to the document-management system (the so-called repositories), before being routed to the domain controller. During this long journey across the network, the password is encrypted.
The second element of the process is group administration, which determines the permission levels of certain users, and is maintained in the document-management system.
The next layer is the Audit Trail, which interacts with all the other layers. When a user’s credentials pass through the docbase, they leave a footprint consisting of an event name (such as log-on failure), an event source (such as log-on authentication), the user name and the audit date.
The third layer is Authorisation. The company’s document-management solution comes complete with a robust security scheme around the object repository, called Access Control Lists (ACL).
The major benefits of ACLs are:
- Seven different levels of access can be assigned to the documents;
- Assigning access to individual users or to groups of users;
- Users can create their own private ACLs that only they can use;
- System administrators can create system-wide ACLs that can be used by everyone;
- Extended permissions dictate what a user can do to an object.
The seven access levels of ACLs are:
- NONE: A user with NONE access will never know that the document exists. They won’t see it in a folder, and if they query for it, it will not be returned in the result list.
- BROWSE: A user with BROWSE access will be able to see the attributes of a document, but cannot view the content. The user will see the document within the folder in which it lives, and the user can query for it.
- READ: A user with READ access can view the attributes and content of a document, but cannot annotate it, version it or edit it.
- RELATE: A user with RELATE access can view the attributes and content and can annotate the content.
- VERSION: A user with VERSION access can read, annotate and create new versions of a document, but cannot overwrite the current version of the document. If a user with VERSION access wants to modify the attributes of a document, he must check it out, modify the attributes, then check it in, creating a new version of the document.
- WRITE: A user with WRITE access can read, annotate, version and overwrite the current document, but cannot delete it. A user with WRITE access can modify the attributes of a document without checking it out.
- DELETE: A user with DELETE permission can do all the above things, plus delete the document.
Once it is decided which information must be accessed, to what degree and by whom, the authorisation can be tuned with the help of the ACLs.
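The seven levels form a strict ordering, so an access decision reduces to comparing a user's effective level with the minimum level an operation needs. The following sketch is an added example, not code from Boehringer Ingelheim or the EMC product; the operation names, group names and document names are hypothetical, and the rule that the highest matching user or group entry wins is an assumption.

```python
from enum import IntEnum

class Level(IntEnum):
    NONE = 1
    BROWSE = 2
    READ = 3
    RELATE = 4
    VERSION = 5
    WRITE = 6
    DELETE = 7

# Minimum level per operation, derived from the level descriptions above.
# The operation names are hypothetical labels for this example.
REQUIRED = {
    "see_in_folder": Level.BROWSE,
    "view_attributes": Level.BROWSE,
    "view_content": Level.READ,
    "annotate": Level.RELATE,
    "checkin_new_version": Level.VERSION,
    "overwrite_current": Level.WRITE,
    "edit_attributes_in_place": Level.WRITE,
    "delete": Level.DELETE,
}

def effective_level(acl, user, groups):
    """acl maps a user or group name to a Level.
    Assumption: the highest matching entry wins; no entry means NONE."""
    names = {user} | set(groups)
    return max((lvl for name, lvl in acl.items() if name in names),
               default=Level.NONE)

def allowed(acl, user, groups, operation):
    return effective_level(acl, user, groups) >= REQUIRED[operation]

def query(repository, user, groups):
    """Documents at NONE are filtered out, so the user never learns they exist."""
    return sorted(doc for doc, acl in repository.items()
                  if allowed(acl, user, groups, "see_in_folder"))

# Constructed sample repository: document name -> ACL.
REPO = {
    "sop-001": {"qa_group": Level.WRITE, "all_staff": Level.READ},
    "batch-record-17": {"qa_group": Level.VERSION, "all_staff": Level.BROWSE},
    "draft-dossier": {"reg_affairs": Level.DELETE},
}
```

A member of all_staff only sees sop-001 and batch-record-17 in query results, and a qa_group member at VERSION on batch-record-17 can check in a new version but cannot edit its attributes in place.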
A good example that illustrates the authorisation concept is the electronic-signature process that is implemented in our submission system. In this case, the document is driven through different lifecycle states as shown in figure 2.
During each of these steps, access control to the document is modified to ensure content is effectively protected. In addition, the lifecycle steps are audited, which means information is kept about when and by whom a specific document was moved from one state to another.
This example leads to the next layer of the security onion, called Activities. The e-signature process above is a good example of how security processes and the audit trail work together.
During this process the user passes through all the steps, beginning with authentication, in order to start the signing process (indicated by ‘Ready for Signature’ in figure 2), and is checked to see if he/she is allowed to sign the document. This audit trail keeps track of who signed which document in which role, and at which moment. As an additional security measure, a hash, calculated from the signed document, is stored together with each new signature. A change of the content between two signatures will alter the hash value and trigger an error message, telling the signatory that the content was altered since the last signature. In such a case the document is no longer trustworthy.
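The hash check between signatures can be sketched as follows. This is an added example, not the implementation used in the submission system; SHA-256, the class and field names, and the sample signers are assumptions, since the article does not name the hash function or the record layout.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

class ContentAlteredError(Exception):
    """Content no longer matches the hash stored with the last signature."""

@dataclass
class Signature:
    signer: str
    role: str
    signed_at: str
    content_hash: str

@dataclass
class SignedDocument:
    content: bytes
    signatures: list = field(default_factory=list)

    def _hash(self):
        # Assumption: SHA-256 stands in for the unnamed hash function.
        return hashlib.sha256(self.content).hexdigest()

    def sign(self, signer, role):
        current = self._hash()
        # Refuse to sign if the content changed since the previous signature.
        if self.signatures and self.signatures[-1].content_hash != current:
            last = self.signatures[-1]
            raise ContentAlteredError(
                f"content altered since signature by {last.signer}")
        sig = Signature(signer, role,
                        datetime.now(timezone.utc).isoformat(), current)
        self.signatures.append(sig)
        return sig

    def verify(self):
        """True only if every stored hash matches the current content."""
        current = self._hash()
        return all(s.content_hash == current for s in self.signatures)

def demo():
    # Constructed sample document and signers.
    doc = SignedDocument(b"Clinical trial report v1.0 (constructed sample)")
    doc.sign("author01", "Author")
    doc.sign("reviewer02", "Reviewer")
    ok_before = doc.verify()
    doc.content += b" edited"          # change between two signatures
    try:
        doc.sign("approver03", "Approver")
        rejected = False
    except ContentAlteredError:
        rejected = True
    return ok_before, rejected, len(doc.signatures), doc.verify()
```

The check is only as strong as the protection of the stored signature records: anyone able to rewrite a stored hash alongside the content would defeat it, which is why the records belong in the tightly controlled metadata store.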
Another important activity is secured printing, especially within our controlled documents area where it is essential to keep tight control over what document and which version was printed by whom, when, how often, for what reason and on which printer. Ensuring document authenticity across a couple of thousand printers distributed all over the world is another challenge. At Boehringer Ingelheim only certified printers are made available to users.
An important feature that can help ensure document authenticity is a watermark, which can provide parameters such as ‘Draft’, ‘Only Valid at…’ and so on. It is worth mentioning that the list of activities and their impact on content security and authenticity is almost endless in such a system.
The sixth layer is described with Meta Information. Here, all information about a document is tracked, including the above-mentioned audit trail, where and in how many places a specific document is linked, which rendition exists for a specific document, and so on. The attributes of the document types are also stored, including title, creation date, author and owner. All of this information is stored in an Oracle database and is tightly controlled. Falsifying these values would destroy the authenticity of the information belonging to a certain document, rendering it useless.
The last, and some would argue the most important, layer is the content itself. There are several areas worth mentioning when it comes to protecting content.
Sustainable documents
The challenge here is to ensure that document layout, format and reusability are maintained over time. As briefly discussed earlier, it’s important to ensure that a document’s layout and format can be printed correctly to a certified printer. However, this is a real challenge when dealing with electronic information.
It’s important to remember that it takes several years of effort to collect all of the necessary documents for a drug submission, so it’s business-critical that electronic documents are checked to ensure they meet quality criteria before they are passed for long-term storage.
Data encryption
Due to the fact that documents are often transported over the network, there are a lot of opportunities to ‘sniff’ the content. Fortunately, there are several effective encryption methods to prevent this. The main disadvantage of most of these, however, is that they increase the time it takes to present data to the user.
Digital-rights management
The purpose of digital-rights management is to protect content that has left the onion shell. It is obvious that content is carried around on laptops or sent to third parties, partners, suppliers etc. In order to prevent content from being altered or the uncontrolled distribution of proprietary knowledge, the content itself must be protected. The aim here is not to deny access to content, but to control it in a similar way to that of the onion shell.
Lessons learnt
The design of the security concept must be in place when starting the setup of a corporate-wide document-management system. In this project, it was extremely helpful that the securities for the lifecycle steps and for the archiving process were already in place.
Each new business process creates new security challenges and must be analysed carefully to ensure it fits in with existing protection layers. It is important that any new concept does not jeopardise the content of other user groups.
When implementing audit trails, keeping the balance between storing too much information and missing important records is a difficult challenge and needs careful analysis. It is important to ascertain what part of an audit trail’s entry can be overwritten after a certain period (ie, unsuccessful user logins) and what has to be stored for a long period (ie, user creation, which must be unique in the system and therefore preserved for the long term).
Summary
Electronic document management has several obvious advantages and allows Boehringer Ingelheim to share and access information globally, to re-use content and dramatically shorten the signature-cycle process. However, even with an EDM system, maintaining document authenticity is an ongoing challenge and process. And while technical solutions to solve these problems exist today, a lack of trust in these solutions, not to mention the difficulties of integrating them with day-to-day business processes, has slowed their adoption by corporate users.