Documentum+Manager

Documentum Technical White Paper

Managing Controlled Content with Documentum Compliance Manager (DCM)

March 2004

Documentum Technical White Paper Documentum Compliance Manager

2

Contents

Overview: Meeting the Challenge of Controlled Content Management ......................................................... 3

Features and Capabilities of Document Compliance Manager ...................................................................... 6

DCM Architecture .......................................................................................................................................... 7

User Roles..................................................................................................................................................... 8

User Functionality .......................................................................................................................................... 9 DCM Consumer........................................................................................................................................................................... 9

Navigating the Repository .................................................................................................................................................... 10 Searching the Repository ..................................................................................................................................................... 10 Viewing Document Information ............................................................................................................................................ 10 Printing Documents .............................................................................................................................................................. 11 Issuing a Change Request ................................................................................................................................................... 11 Using the Inbox .................................................................................................................................................................... 11

DCM Contributor........................................................................................................................................................................ 11 Creating and Importing Controlled Documents .................................................................................................................... 12 Editing Documents ............................................................................................................................................................... 12 Starting Controlled Workflow................................................................................................................................................ 12 Approving Documents .......................................................................................................................................................... 13 Adding Approvers................................................................................................................................................................. 14

DCM Coordinator....................................................................................................................................................................... 15 Creating Reports .................................................................................................................................................................. 15 Sending �To Be Read� (TBR) Notifications .......................................................................................................................... 16 Defining Relationships.......................................................................................................................................................... 17 Change Notice Management................................................................................................................................................ 18 Document Lifecycle Management ........................................................................................................................................ 18

DCM Administrator � Application Administration and Configuration........................................................................................ 19 Business Applications and Document Classes .................................................................................................................... 19 Document Numbering .......................................................................................................................................................... 21 Lifecycle Configuration ......................................................................................................................................................... 21 Obsolete Documents............................................................................................................................................................ 24 Auto Agents.......................................................................................................................................................................... 24 Types of Document Relationships........................................................................................................................................ 24 Conditional Business Rules.................................................................................................................................................. 26 View and Print Control.......................................................................................................................................................... 27 Audit Trail, Authentication, and Electronic Signature � Trusted Content Services ............................................................. 28

Benefits of Documentum Compliance Manager........................................................................................... 29


3

Overview: Meeting the Challenge of Controlled Content Management Documentum Compliance Manager helps customers achieve compliance with external regulations and internal policies while maintaining high product and service quality standards. Users can create, review, revise, approve and distribute controlled content online within an audited environment. In place of elaborate manual or email-driven processes for review, approval and distribution, Documentum Compliance Manager (DCM) creates a Web-driven knowledge chain that links disconnected processes for collecting, sharing, and applying content to meet stringent quality goals and compliance requirements. DCM is applicable across many market segments where customers face controlled content challenges.

This technical white paper provides a detailed description of DCM, its features, capabilities, and customer benefits.

Controlled content such as standard operating procedures (SOPs), material safety data sheets, work instructions and test protocols, product and packaging specifications, and plant engineering drawings are essential to manufacturing operations � especially those in regulated industries. This content defines the business rules and procedures for everything from operating manufacturing equipment and mixing batches of chemicals to responding quickly in emergencies. Outside of manufacturing, controlled content spans a broad range of categories, from patient records in health care, maintenance documents in air transportation, and SOPs in banking and financial services. As you can see from the examples in Table 1, controlled content �touches� many employees in many industries.

Table 1: Controlled Content Requirements Across Industries and Businesses

Industry Segment Lines of Business Controlled Content and Process Examples

Life Sciences Research and Development

Manufacturing

Clinical Study Reports

Toxicology Reports

Standard Operating Procedures

Regulatory Submissions

Discrete Manufacturing Engineering

Plant Operations

Material Specifications

Engineering Change Orders

Operating Instructions

Engineering Drawings

Process Manufacturing Research and Development

Manufacturing

Material Safety Data Sheets

Regulatory Submissions

Utilities Construction

Plant Operations

Quality Assurance Procedures

Safety Analysis Policies

High Technology Product Development Marketing Requirements

Functional Specifications

Aerospace Manufacturing Technical Documentation

Maintenance Information

All Segments Finance

Human Resources

Internal Controls

Financial Reports

Training Procedures


4

Simply stated, appropriate control of mission critical content means that an organization can:

! Determine which individuals or groups of individuals have interacted with content, when, and for what reason

! Enforce signatures and proper approvals

! Assure authenticity and quality of content

! Detect attempts to alter or remove documents

! Ensure retention for required periods of time

! Make it easy to respond to external agencies or internal auditors when required to do so

Controlled content is often managed as a collection of paper documents in binders that are distributed manually to departments as well as to remote geographic locations, or as electronic content distributed using email. Because important documents can be frequently updated, binders quickly become outdated and unreliable and email attachments may exist in different versions across the organization. Such a lack of control can lead to poor operational performance and reduced worker productivity:

! Users do not have access to the most current, released documents that affect their activities

! Review, revision, and approval cycles are slow and resource-intensive

! Distribution of new and revised documents is slow and costly

! Document tracking is time-consuming and resource-intensive

! Current processes are not fully compliant with regulations and standards

When unreliable documents and their supporting business processes delay the sharing of critical controlled content, the consequences can be severe. Within a manufacturing environment, for example, these can lead to prolonged production cycle times, citations for non-compliance, or even the shutdown of operations. Several business challenges drive the general customer requirements for an automated content control system:

! Streamline the document review/approval process

! Improve the document distribution process

! Ensure that documents are always accurate

! Ensure the global consistency of documents

! Enable content control processes to meet regulatory requirements

As illustrated in Table 2 (below), DCM delivers numerous features and benefits relative to these requirements. These capabilities are described in greater detail elsewhere in this document.


5

Table 2: DCM Feature/Requirement Matrix

Customer Requirements for Managing Controlled Content

Streamline Review and Approval

Improve Distribution

Ensure Document Accuracy

Ensure Global Consistency

Enable Regulatory Compliance

Secure, Global Knowledge Base

All controlled documents in one location for review/ approval

Only allows access to released documents

MD5 checksums ensure approved documents remain accurate

All controlled documents in one location for global access

Intuitive Web Interface

Requires little or no user training

Requires little or no training, no specialized software

Controlled documents accessed using a common interface

Meets requirement that all workers have ready access to controlled documents

Proactive Notification and Tracking

Reviewers are notified when they have documents to approve

Workers must certify they have read and understood latest revisions

New/revised content is always �effective�

Satisfies user acknowledgement requirements of auditors and regulators

Automated Change Management

Minimize costs and time associated with changes

New documents automatically retire older versions

A single change management process applies globally

Meets requirements for controlled document system integrity

Print Control with Banner/ Watermark

Workers are made aware of document status

Document status and content is communicated

Watermarks exist wherever document resides

Effective dates and status on all printed documents

Document Sign-off with Enforced Justifications

Sign-off process built into the approval cycle

Signatures present on approved version of document

Satisfies 21CFR11 requirements, for example

Full Document and User Audit Trail

Can easily determine where a process or document is going and where it has been

�Read and Understood� certifications are stored in the audit trail

Sign-offs with content check-sums are stored in audit trail to ensure validity

Documents do not conflict from region to region

Satisfies regulatory audit requirements

Configurable Document Lifecycle

System adapts to customer�s business rules for document review and approval

System adapts to customer�s business rules for document distribution

System controls when to create �unchangeable� PDF distribution

DC

M H

ighl

ight

s

Rapid Search Capability

Workers can locate documents instantly

Searches produce only the most current document, not multiple versions

Searches produce the relevant document for any given location


6

Features and Capabilities of Document Compliance Manager Documentum Compliance Manager provides many features and capabilities, including:

! Interoperability with Other Documentum Products: Content from other Documentum applications can run side by side with DCM-based applications without the risk of compromising the control of regulated content.

! Documentum 5 Technology Stack: DCM leverages the lifecycles, workflows and architecture of Documentum 5 and the Webtop user interface.

! Server-Based Functionality: Several compliance features have been pushed into the core server, utilizing the Business Objects Framework (BOF) for maintaining compliant business logic. Control of content is maintained at as low an architectural level as possible.

! Role-Based Security Model: DCM provides expanded user roles to reflect unique capabilities and job functions; such roles can be explicitly called out on document access control lists (ACLs).

! Highly Configurable Lifecycle Model: Complex lifecycles can be defined that maintain control over approval and release of content but deviate from standard document lifecycles.

! Configurable Relationship Model: Custom or application-specific relationships between document types can be defined. Business rules can be applied to those relationships to manage the way related documents are treated through approval and lifecycle promotions. This is useful for creating change packages and for intelligent aggregation of content.

! Conditional Business Rules: Business rules, such as who must approve content or who needs to be trained and certified on a document, can be defined for however many criteria a document may possess. Customers can define roles according to functional area or discipline as well as by document type or individual document.


7

DCM Architecture One of the major architectural imperatives of DCM is to utilize the most recent and advanced technologies and services, including the Documentum 5 platform, Documentum 5-based lifecycles and workflows, Trusted Content Services for audit trails and digital signatures, and the Documentum client development environment (Web Development Kit) and tools. DCM is Java-based and designed to fit in seamlessly with any J2EE-based Web development strategy.

With DCM, core compliance functionality moves from an application logic architecture into the API layer by utilizing the Documentum 5 Business Objects Framework (BOF). Moving compliant functionality out of client code ensures that compliant content is handled properly from any interface accessing the server. With DCM, the business rules that enforce compliance reside in the business objects themselves. Any client accessing a controlled object in the repository will do so through the BOF, ensuring that the compliant code is executed. If the user�s interface lacks the necessary controls to provide the required information to maintain compliance, the operation will be disallowed. This makes it easier to enable compliant access from other clients as only the necessary user interface controls must be added and validated, and not the underlying business logic.

DCM is delivered as a set of services and components that make it easy to assemble compliant applications, as illustrated in Figure 1. Services represent logical groupings of related compliant functionality that are developed as Business Objects and WDK components. DCM services utilize the built-in modularity of WDK and the extensibility of the Business Objects Framework to make it the perfect framework for the development of compliant content applications by systems integrators, technology partners and customers.

1

DFCContent Server

DCM Business Objects/BOF

WDK

App

licat

ion

Plat

form

DCTM Applications

DC

M C

onfig

urat

ion

GXP

harm

a

Oth

er C

onfig

urat

ions

Partner Applications

For E

ngin

eerin

g

For L

ife S

cien

ces

For O

ther

Are

as�

DCM Application Framework

Figure 1: DCM Architectural Overview


8

User Roles DCM supports an expanded number of user roles as compared to Document Control Manager, providing more flexibility in application administration and access. DCM inherits much of its expanded role capabilities from Documentum Webtop, through which a user�s role can control what user interface elements are visible on screen and what menu items are available.

Systems Administrator The administrator is the person responsible for installing, configuring, and maintaining DCM. The administrator can create and modify access control lists, users, groups, cabinets, object types, and system security settings

Business Process Owner The business process owner is responsible for one or more processes such as master batch records, change management system, manufacturing procedures, new product submission, safety policies, government policy creation, contracts management, and others. The business process owner creates document classes that apply to the business process. The business process owner can:

! Create and modify ACLs, users, groups, and cabinets ! Create and maintain DCM lifecycles ! Create and maintain DCM workflows ! Create and maintain document classes (includes document class owner abilities)

Document Class Owner The document class owner is responsible for one or more document classes such as SOPs, quality assurance manuals, and others. Document class owners can set preferences for document classes such as the members of class specific roles such as contributors, consumers, and approvers.

Functional Area Supervisor Functional area supervisors are concerned with an area of the business or a particular operation. They are responsible for maintaining lists of users for a functional area of the organization as a set of conditional business rules, based on the content on which they are working rather than the documents they must use. Documents are assigned to members of dynamic user lists by matching the attributes of the functional area to attributes on the documents themselves.

Document Owner The document owner is the main author of a document instance. He/she is responsible for creating, editing, signing, and responding to notification of changes.

Contributor Contributors author and review content and collaborate with the document owner.

Approver The approver is responsible for approving or rejecting a document. While an approver can author or modify a document, this role is mainly designed for those responsible for business operations.

Consumer The consumer is the content consumer, such as personnel in quality assurance, quality control, shop operations, training and manufacturing supervisors. Each of these might have a need to view a controlled document. Consumers view effective content and submit change requests against effective content.


9

User Functionality DCM provides an intuitive, easy-to-use Web client interface requiring minimal installation, maintenance, and user training. Built on Documentum Webtop, which provides access to all Documentum end user functionality, DCM has extensions that expose controlled content capabilities for end users and administrators, including:

! Search or navigate the Documentum repository for documents and other content ! View only documents for which the individual is authorized, as enforced by Access Control Lists (ACLs) ! View only those versions of a document with a version label of �current� (Note: The current version of a

document applies to its "effective" state. Nomenclature that designates the effective state of a document varies by industry/company and includes alternative naming such as "released" and "as built.")

! Create and import new documents ! Edit existing documents ! Route documents on controlled workflows ! Annotate documents ! Process items from an Inbox ! Create change requests against effective documents ! Receive change request status messages such as �approved� and �rejected� ! View and edit document information ! Print documents, optionally with banner/watermark overlays ! Run reports ! Define relationships ! Create change notices and compound change requests ! Manage document approvals ! Manage document lifecycle actions ! Configure the DCM application

Figure 2: DCM Main Navigation Page

DCM Consumer

Individuals with the �consumer� role have access to the DCM functions listed in this section. Once a document has been located, it can be viewed in accordance with the viewing options described below in �Viewing Document Information.�


10

Navigating the Repository The Web interface enables users to traverse the Documentum repository cabinet and folder hierarchy to locate documents for which they have viewing privileges.

Searching the Repository DCM includes a simple one-box search interface and an advanced XML-driven search capability to ensure that relevant search terms are readily accessible as parameters on the screen or from pulldown menus. DCM also supports robust full-text searching.

The Advanced Search interface, portrayed in Figure 3, allows users to search the Documentum repository for effective documents based on complex criteria such as document title, name, author, creation date, format, or other attributes depending on the document type, and full-text search criteria.

Figure 3: DCM �Advanced Search� Page

Viewing Document Information The DCM Web interface provides several document viewing and editing options that are accessible when a document is selected from the Inbox or as a result of a search or navigation process, including:

! Document attributes ! Document history ! Associated workflow information ! Associated approval information ! Document content ! Document relationships ! Where documents are used ! Document check-in and check-out ! Document editing ! Document annotations

When the document is selected, it is displayed within the Web interface using the appropriate viewer assigned to that document type (e.g., Adobe Acrobat for PDFfile and AutoVue for CAD files). If the document type is in PDF format and a header and footer and/or watermark have been configured, these items are overlaid and displayed with the document.


11

Printing Documents Uncontrolled printing of documents is possible using the Adobe Acrobat Exchange standard print option. If the document is in a PDF format and a watermark has been configured for that document type, the watermark is printed along with any header and footer combination.

Controlled hardcopy printing of documents is accomplished using Documentum Print Control Services (PCS). A user or administrator must hold the publishing coordinator role to use this interface. With PCS, a user may request printing or a reprint if a hardcopy print of the document was previously requested. Printed output can be requested for a named user or a list of users and are enumerated to track the number of copies made. Justification codes can be enforced and all controlled printing activities are authenticated and audited. If the document is in a PDF format and a watermark has been configured for that document type, the watermark is printed along with any header and footer combination.

Issuing a Change Request Users with READ or higher privileges can submit a change request against an effective document. Effective documents can be located by searching the repository or by navigating through the cabinet and folder hierarchy. During creation of a change request, the user provides information that describes the nature of the change request. When the change request is submitted, it is automatically routed per a pre-configured workflow template.

Using the Inbox DCM provides an Inbox for processing notifications and workflow tasks such as routing documents for review and approval. The Inbox provides the user with several application-specific notifications. These notifications stay in the Inbox until the user processes them. The notifications are:

! To Be Read (TBR): Indicates that a document has been promoted to a state where the user is required to read it. By authenticating himself with a user ID and password, the user must acknowledge having read the document in order to remove the notification from the Inbox. Proof of the authentication is stored in the audit trail for non-repudiation and reporting.

! Change Request: Indicates a change in status for any change requests that the user originated. These

! Status: notifications are made when the change request is approved or rejected as a consequence of being routed through a workflow.

! Promotion: Indicates that a document is promoted to a state for which the user is a member of the distribution list assigned to that state.

! Review Period: Indicates that a document is due for periodic review. Notification is sent to the document owner.

! Approval: Indicates that a document requires the user�s approval.

DCM uses standard Documentum 5 workflow for review and approval routing. It adds controls on approval workflow tasks to disallow them from being forwarded until the document has been processed. Actual approval or rejection of content is handled from the �Document Approvals� pane on the document information screen. All actions can be captured in an audit trail.

DCM Contributor

�Contributors� are the users who contribute to the creation, review, and approval of content and the change management process. Specific roles include authors and approvers. In addition to all functions provided to consumers, contributors have the capabilities described in this section.


12

Creating and Importing Controlled Documents Contributors can create controlled documents created using office productivity tools, from templates stored in the Documentum repository, or imported from the file system. In all cases, such documents are imported into an �in-progress� folder. The �Create/Import Document� option provides the following features:

! Support for virtually any document file format

! Support for Documentum �Create from Template� functionality (Sample templates are provided.)

! Document security, status, owner, location, and handling preferences based on user-selected document class and associated lifecycle

! Automatic document number generation upon check-in

Figure 4: DCM �Create Controlled Document� Page

Editing Documents Depending on access control permissions, contributors can edit in-progress versions of content. Editing of controlled content involves checking out the document and modifying the source file using the native authoring application for the specified file type. Once changes are made, the document must be checked in. Pre-specified versioning rules for the document�s business application or document class manage the check-in process for that document. (See �Versioning Rules� in the administrator section for more information.)

Starting Controlled Workflow Contributors can route documents and change notices for review and/or approval based on selected or pre-configured workflow templates. Available workflow templates are determined by the class of the document being routed or by the lifecycle state of the document. DCM �start controlled workflow� features include support for conditional business rules on dynamic performer tasks and the routing of documents and/or change notices for review, annotation, and approval.

Dynamic Performer Tasks. The initiator of a controlled workflow can empower selected approvers to perform specific tasks. The list of such approvers can be configured by document class, lifecycle state, and through the configuration of conditional business rules. Conditional business rules allow functional area supervisors to define approver lists by queries rather than by types of documents, allowing for automated yet dynamic approval enforcement. (Refer to �Conditional Business Rules� in the administrator section of this document for more information.)


13

Review and Annotation Processing. As part of the authoring process, documents are often routed to selected individuals for review. Sometimes they are attached to a specific change notice. The materials are reviewed, annotated and forwarded to another reviewer or returned to the originator. With DCM, users can store, change, and retrieve controlled annotations without jeopardizing the integrity of the original document. DCM also enables the capture and audit of user activity such as date, time, and annotation action performed.

Approving Documents Document approval actions can be configured for document sign-off using capabilities of Documentum Trusted Content Services (TCS), an optional add-on to the Documentum Content Server. The sign-off process is seamlessly integrated into the DCM approval procedure and provides enforced sign-off authentication, justification codes, and visible signature stamps needed for 21CFR11 compliance. (For more details, refer to the �Auditing, Authentication, and Electronic Signature� section of this document.)

Approvers can be notified of pending approvals via DCM workflow, or automatically when the document enters a configured approval lifecycle state. Notification about pending approvals is made upon login to the system through a message in the Documentum Webtop message bar along the bottom left of the screen. All documents requiring approval can be accessed through the DCM-specific approvals node in the Webtop tree along the left of the application window.

Document approvals are carried out from the approvals pane of the document information screen, where information on all pending approvals is listed for the user. (See Figures 5, 6, and 7.) DCM supports the following approval actions:

! Approve is generally associated with a document sign-off. This action indicates that the approver has reviewed the changes to a document and agrees that the document is in its final state for release. The processing of all approvals on a document can be configured to promote the document to its next lifecycle state automatically.

! Reject indicates that the approver has problems with a document and has made comments and annotations. A document cannot be promoted with rejections.

! Cancel Reject indicates that the approver has consulted with the author and has decided to remove a previous rejection of the document. This option is valid if the content of the document has not changed since the previous rejection.

Figure 5: DCM �Pending Approvals� Page


14

Figure 6: DCM �Approvals� Page

Figure 7: DCM �Document Sign-Off� Page

Adding Approvers Authorized users can add additional approvers to a document. The list of available approvers can be configured by document class, by lifecycle state, and through the configuration of conditional business rules. Conditional business rules allow functional area supervisors to define lists of approvers to attributes that a document may possess at approval time, thus allowing for automated yet dynamic approval enforcement. Refer to the �Conditional Business Rules� section of this document for details.


15

Figure 8: DCM �Add Approver� Page

DCM Coordinator

�Coordinators� control content lifecycle events and the change management process. Specific user roles include document owners, document class owners, and some authors. All capabilities provided to consumers and contributors as well as the functions described in this section are available to coordinators.

Creating Reports Using the DCM Report Wizard, coordinators configure reports against controlled documents and change management processes. Pre-configured options can be selected to create standard DCM reports. Each report can be optionally restricted to a specific user, document or class of documents, and/or a date range. Report results are displayed on the screen and can be directed to a printer. Column headings for each report are specific to the nature of the report being generated. Possible reports include:

! Approval Status ! Average Approval Time ! Controlled Documents ! Documents Not Accessed ! To-Be-Read Notification Status


16

Figure 9: DCM Report Wizard

Sending �To Be Read� (TBR) Notifications Document coordinators can issue To Be Read notifications to any user. This can be especially useful when training individuals on new processes.

Figure 10: DCM �Send To-Be-Read Notification� Page


17

Defining Relationships Relationships are used both to associate related controlled documents together in the system and to implement change management functionality for documents, change notices, and change requests. Contributors and coordinators can define parent-child relationships between documents, change notices, and change requests. Table 3 lists the types of relationships possible with their parent and child types.

Table 3: Relationships and Parent-Child Content Types

Relation Type:

Parent Child

Affects Change Notice Controlled Document

Against Change Request �Effective� Document

Closes Change Notice Change Request

Reference �Effective� Document �Effective� Document

Supports Change Notice Supporting Document

Custom Configurable Configurable

DCM supports the following relationship types:

! Affects relationships from a change notice to a document that has changed or requires changes. When the change notice is routed for review the documents it affects are routed with it for approval. Affects relationships define that the child (affected) document should be processed as the parent (change notice) with regards to approvals and promotions, thus allowing a change packet created with a change notice to be treated as a whole. Affects relationships point to only one specific version of a document.

! Against relationships are from a change request to a document that may require changes. When the change request is routed for review the documents it is against are routed with it. Against relationships point to a specific version of a document only.

! Closes relationships are from a change notice to a change request that initiated the changes to a document with which the change notice has an affects relationship.

! Reference relationships are from one controlled document to another. Such relationships specify that the document references or is related to the other document in some way. Reference relationships are carried forward to successive versions of the documents.

! Supports relationships are from a change notice to an uncontrolled document that supports the change process in some way.

! Custom relationships are customer-defined relationships that can be configured similarly to any of the types described above as defined through the relationship type editor. (See �Document Relationship Types� in the administration section of this document for more information.)


18

Figure 11: DCM �Related Documents� Page

Change Notice Management DCM provides for the creation and handling of change notices that link one or more documents to an official notice of change. This information is essential for managing which individual initiated a document change and why the change was requested. This notice of change is typically a document in itself and records any information relevant to the change that is requested.

Contributors and coordinators can create change notices and compound change requests. Using the relationship models described in the previous section, multiple documents may be �attached� to either a change notice or a change request before it is routed. As well, coordinators can route change requests using workflow configurations other than the pre-configured template available as part of the �issue change request� feature.

Change notices can also be used to �close� a change request. When a document is attached to a change notice, the coordinator may attach the change request associated with the document that initiated the change. Approval of the change notice with an associated closes relationship shows that the loop has been closed on this change request.

The �Create Change Notice� option has the following features:

! Support for multiple documents per change notice ! Support for attaching and closing �approved� change requests ! User-definable unique change notice numbering ! Pre-configured change notice attributes (e.g., title, date sent, owner, date due, status, action, notes, type, reason,

description, proposed effective date) ! Route for review/annotation and approval options ! Support for documentation of the change notice

Document Lifecycle Management Document owners are responsible for controlling the progress of documents through their lifecycles and change management processes. The owner is responsible for controlling lifecycle settings and events such as:

! Setting effective dates: Defining when a document will automatically be promoted into the effective state


19

! Setting end effective dates: Defining when an effective document will be automatically retired (If the effective document is designated as �temporary,� then the previous effective or suspended document will be re-instated to the effective state.)

! Routing documents for periodic review and updating the next review date: After receiving notification of the need to review a document, orchestrating the review process and resetting the next review date

! Designating temporary and permanent status for effective documents: Determining whether the document being replaced by a new effective document should be retired or temporarily suspended

! Manual lifecycle promotion: An explicit event accessed form a menu option provided only to those with sufficient privileges to perform the action

All items listed above, except for manual lifecycle promotion, are controlled by document attributes which are managed from the document properties screen and are restricted to authorized users.

DCM Administrator � Application Administration and Configuration

Documentum Compliance Manager can address a variety of compliance-related controlled content application scenarios through document type configuration, lifecycle configuration, workflow configuration, DCM roles, document relationships, change management, conditional business rules, and audit trail configuration. DCM provides the following document administration features and utilities from within the Documentum Webtop interface:

! Configure business applications and document classes ! Configure lifecycles ! Configure auto-name profiles ! Configure periodic review profiles ! Configure relationships ! Configure approval and distribution business rules ! Run jobs and agents ! Configure audit trail and document sign-off policies ! Configure users, groups, roles, and access control lists

Business Applications and Document Classes In DCM, application and document type settings can be configured with maximum flexibility. DCM utilizes a top-down configuration model that enables administrators to specify application defaults as well as designate overrides or exceptions for specific types of documents. Such flexibility is accomplished through the use of document classes and business applications:

! A document class is a business type of document that is characterized by configurable preferences. With DCM, most application and document type handling preferences can be configured on a per document class basis.

! A business application represents a specific controlled content business process such as the management of manufacturing standard operating procedures (SOPs) or submissions documents. Each business application can contain one or more document classes that define the types of controlled content in use by the application. The same items can be configured at both the business application level and at the document class level. If a class-specific setting exists, the application always uses that setting.


20

The following items can be configured per business application or document class:

! Valid object type ! Template ! Lifecycle ! Workflows ! Versioning and in-progress handling preferences ! Naming profile ! Authors ! Approvers ! Consumers ! Review periods

Figure 12: DCM �Configure Business Applications� Page

Object Types. Change requests and change notices are pre-configured change management classes that use special attributes to track descriptions of changes and reasons for changes. DCM provides specific object types for change requests and change notices. All DCM application configuration objects are custom object types based on the Documentum system object type, allowing users to assign versions and apply security.

DCM can control any type of document object type, not just the Documentum system object type. In addition, DCM does not require specification of a default document object type. It uses an �extended attributes� object that is linked to the document object to provide necessary attributes for application operation.

Versioning Rules. DCM provides robust capabilities for version handling, version creation and document check-in. Best practice for configuring versioning rules is to force users to create a �point� version (e.g., version 2.1, 2.2, 2.3, etc.) when they check in content and to reserve major versions for lifecycle promotions to an approved or effective state. Versioning rules already available in DCM include:

! Always create new content at 0.1 vs. 1.0 ! Restrict major version check-in ! Restrict same version check-in

In-Progress Version Handling Preferences. Many customers must keep tight control over the number of in-progress versions a document may have at any time. Two in-progress version pruning options provided in DCM can help:


21

! Delete previous in-progress version immediately when a new one is created. Using this feature an organization can enforce that only one in-progress version of a document exist at any point in time

! Delete all remaining in-progress versions when one is promoted to the next state. Through this feature an organization can enable more flexible authoring of content while ensuring that no extraneous in-progress versions exist upon entering the approval phase of a document lifecycle.

Document Numbering DCM provides a mechanism to generate and number a document automatically. The number is typically generated when a new document is checked in but can also be configured for application at a later lifecycle state to allow numbers to be applied only to approved content or processes. The numbering profiles are defined using the auto-naming configuration editor. Auto-name configurations are specified per document class.

Figure 13: DCM �Auto Number Profile� Page

Lifecycle Configuration DCM uses a state promotion model to control document lifecycles. Each time a document is promoted, its status, location, owner, and security attribute values change to those profiled for the next state in the sequence of lifecycle states. Using the lifecycle editor in the Documentum Application Builder, coordinators can define a variable number and sequence of states through which a document can be promoted.

Types of States. DCM lifecycle processing supports specific pre-configured lifecycle state types to accurately model real-world document content control processes. State types are tracked independently from state names so that users can display lifecycle information that makes sense to their organization. DCM also provides support for customer defined state types to model customer-specific business processes. The pre-configured state types are:

! Standard (or In-Progress) state types are the authoring, review, and approval states. Approval states usually require a PDF rendition to enable the viewable approval signature functionality of DCM that is crucial for 21CFR11 compliance.

! Review is the explicit lifecycle state reserved for the review of documents prior to approval. This state type allows business rules to be applied to the review of content.

! In Approval is the explicit lifecycle state reserved for the approval of documents prior to release. This state type allows business rules to be applied to the approval of documents.


22

! Approved state types signal that the document can no longer be changed. Changes to document content invalidate existing approvals and need to be restricted. The approved state may force a major version number increment. The approved state is also normally associated with �To-Be Read� notifications.

! Effective state type is reserved for published states and is the default viewing state. DCM contains functionality to ensure Effective documents remain �Current�. The current version of a document is the version that is seen by default in any application interface.

! Retired state types are reserved for old document versions. Effective documents are retired when another permanent version of the document is promoted to effective or when the document reaches its end effective date.

! Suspended state types are reserved for temporarily retired versions that have been superceded by a temporary effective document. A suspended document is re-instated to the effective state when the temporary document that replaced it reaches its end effective date.

! Obsolete state types are reserved for documents that are not being used in any version. Obsolete documents can not be versioned to create new in-progress content. Retention periods for controlled documents are calculated from the time the document enters the obsolete state.

! Custom state types are customer-defined and customer-specific.

Custom State Types. DCM lets users create customer-defined state types to add to the existing state types used in the standard document control lifecycle (In Progress, Approved, Effective, Retired, Obsolete, and Suspended). Using custom state types, functionality can be defined for more complex lifecycle models, such as corrective and preventative action style lifecycles that have defined impact analysis states, and lifecycles with multiple stages of approval such as those used in engineering. Custom state types can be used to define relationship attachment rules for specific relationship types to create customer-specific functionality. (Note: Custom state types are not supported in the initial first customer shipment release of DCM.)

Lifecycle State Configuration. Lifecycles are flexible in DCM through the use of application settings that can be configured at the lifecycle state level rather than at a document class level. Lifecycle state configuration is configured per lifecycle state and document class. State configuration can include:

! DCM state type ! Audit trail configuration per state ! Valid workflows per state ! Valid approvers and distribution lists per state ! Valid document relationships per state ! Whether to allow manual promotion ! Whether to automatically promote content upon collection of all specified approvals ! Whether to assign an auto-number ! Whether or not to send To Be Read notifications ! Approval and reject justification codes ! Approval and reject confirmation text ! Promotion notification text ! TBR notification text


23

Figure 14: DCM �Lifecycle State Extensions� Page

Lifecycle State Overrides. DCM allows administrators to define some configuration elements at the user, group, or role level, for a given lifecycle state and document class. This feature can be used to ensure that users handling sensitive content will be presented with relevant justification choices for overrides that make sense in the given situation. This feature can also be used to configure any number of custom notifications triggered by lifecycle state transitions.

Items that can be configured for specific groups of users per lifecycle state include:

! DCM state type

! Audit trail configuration per state

! Approval justification codes

! Valid workflows per state

Temporary Effective and Retired Documents. Occasionally, a temporary document may need to be made effective as a result of a temporary business process change. The currently effective document must be suspended for reactivation at a later date. This is sometimes referred to as a �deviation.� With DCM, documents can be made temporarily effective, thus temporarily retiring the most recent effective document. Temporary effective/retirement processing follows the steps outlined below.

1. A temporary in-progress document is created from the existing effective document.

2. When the temporary document is promoted to effective, the previous effective document is suspended rather than retired.

3. Promotion of the suspended document returns it to the effective state and retires the temporary effective document.


24

Effective SOP

Temporary SOP In-Progress

Temporary SOP Made Effective

Previous SOPMade Effective

Temporary SOP Retired

Previous SOP Suspended

1

2

2

3

Figure 15: Temporary/Effective Document Processing

Obsolete Documents DCM provides a process to �make obsolete� an entire version tree of a document, thus retiring an effective document without replaced it with another document. When a document becomes obsolete, all previous versions also become obsolete.

Auto Agents Agents are processes that run periodically at specific times as specified by certain job parameters. DCM utilizes agents to perform timed events that provide the following functionality:

! Periodic review notifications

! Auto promotion to effective state when a document reaches its effective date

! Auto promotion to the retired state when a document reaches its retirement date

! Auto reinstatement of the previous effective version (suspended) when a temporary effective document reaches its ending effective date

Types of Document Relationships By using the relationship type configuration screen, administrators can define and configure custom document relationship types. (All DCM relationship types are configured using this utility. For more information on pre-configured relationship types, refer to �Defining Relationships� in the coordinator section of this document.)

Custom relationships can be configured for any number of document classes and can be used among multiple controlled content solutions. They can also be configured to control how parent and child documents function together with respect to approvals and promotion of content. Consequently, custom relationships can be used to configure custom change management processes that differ from DCM standard change request and change notice processing. Custom relationships can be any of the following types:

Supporting relationship types are used to attach supporting information to a document, change notice, or change request. Supporting content can be any uncontrolled piece of content in the repository.


25

Content Reference relationship types indicate that the relationship is between two effective versions of content and is used for reference or tracking purposes. Content Reference relationship types persist with future effective versions of content.

Closes relationship types signify a relationship between two change document types. For example, a closes relationship can be created from a change notice to an approved change request showing that the change notice has closed the loop on the changes initiated by the change request.

Process relationship types are used for aggregating content together in the form of change packets or other change management forms. Process relationships allow for rules to be defined that govern how an attached document behaves with respect to its parent through the approval and promotion processes. Process relationships are used to configure the out-of-the-box Affects and Against type relationships used to create change requests and change notices. The following options are available only to process type relationship types:

! Promote child when parent is approved: Dictates that any promotion processed for the parent will be applied to any child documents attached with this relationship type. (The pre-configured Affects relationship type provided with DCM uses this option to allow an entire change packet to be promoted to the approved state at one time.)

! Approve child when parent is approved: Dictates that any approval processed for the parent will be propagated down and applied to any children attached with this relationship type.

! Approve children before parent can be approved: Provides for the creation of change packets or other aggregations of documents. Before the parent can be processed, it must wait for children to be processed.

Relationship Attachment Rules. Attachment rules dictate which document classes are valid parent classes and which document classes are valid child classes for each type of relationship. Attachment rules also allow attachments to be restricted to specific lifecycle states. For instance, attachment rules used in the pre-configured Against relationship type restrict the parent to the pre-configured change request document class and restrict children to the effective state.

Figure 16: DCM �Document Relationship Configuration� Page

Flexible Change Management. Change management is handled in DCM with change requests and change notices. Change requests identify documents as potentially requiring changes. An approval of a change request signifies that the associated documents in fact require changes. Change notices are used to introduce changes to those documents


26

back into the system. Approval of a change notice accepts the changes to the associated documents as approved. Special relationships identify documents that should be processed by the change request or change notice.

Change requests and change notices are configurable �change classes� and do not have hard-coded functionality. DCM can support multiple change classes with flexible lifecycle and relationship configurations.

Change packets can be created that follow existing DCM change notice functionality where the approvals and promotions to the change notice are propagated to affect any attached documents. In this model, the change document �ushers� the attached documents through their lifecycles. This is acceptable when all of the changes are similar, as in the case of a logo change, or when changes result from the modification of an underlying template.

Relationships can be configured to allow creating change packets that require processing of any attached documents for approval and promotion. Business rules can be defined for the change class to disallow promotion or approval of the parent until all children have been processed. This is useful for managing collections of documents with related but largely dissimilar changes.

Conditional Business Rules DCM allows for conditional business rules, such as those specifying who must approve content or who must be trained and certified on a document. These rules can be defined according to however many criteria a document may possess. Conditional business rules enable organizations to define roles according to functional area, discipline, or other criteria, in addition to by document type or document name.

Types of Business Rules. Documentum Compliance Manager allows for three types of business rules:

! TBR Distribution List rules pertain to users and groups who receive To Be Read and promotion notifications when the document is promoted.

! Mandatory Approver rules pertain to lists of approvers who must approve a document when it enters an approval state.

! Available Approver rules pertain to lists of approvers who are available to be added as additional approvers to a document when a dynamic performer workflow is started or directly from the approvals pane by an authorized user.

Figure 17: DCM �Conditional Business Rule Configuration� Page


27

View and Print Control DCM manages the print process for controlled documents, giving companies a way to audit printing, restrict printing to authorized users, and record this information as a way to manage the hard copy distribution of controlled documents. These capabilities help customers meet stringent regulatory requirements that call for the printer, recipient, and reason for printing to be recorded.

Watermarks. DCM supports the use of watermarks as well as banners, headers, footers, and overlays, such as additional text, graphics, barcodes, and other properties. DCM can be configured to require that these items will always be displayed on printed or exported PDF renditions of documents. Watermarks and related features are configured using an XML based administrative tool.

Watermark

Header

Footer

Figure 18: Header & Footer/Watermark Printout Example

Controlled Printing. Controlled printing refers to the printing of a PDF rendition of a controlled document by authorized users. Certain regulatory requirements specify that all controlled printing activities be authenticated and fully audited. Regulations may even require that the printer, recipient, and a reason for printing all be recorded and that a unique system-generated copy number and an expiration date be assigned. DCM controlled printing functions include:

! Controlled print: The printing of a pre-set number of copies by an authorized user for either a named recipient or a distribution of users

! Controlled re-print: The printing of an additional copy by an authorized user for a named user or distribution of users who have already received a controlled print

! Recall print: The recalling of a controlled print or re-printed copy for destruction. (The controlled printing interface does not destroy the printed copy but requires user authentication that the copy has indeed been destroyed.)


28

With DCM, administrators can track every printed copy of a controlled document. DCM provides a full audit trail for all printed copies showing who received which copies and when, and who destroyed which copies and when.

Audit Trail, Authentication, and Electronic Signature � Trusted Content Services DCM leverages the capabilities of Documentum Trusted Content Services (TCS) to support extensive audit trail, authentication, and electronic signature capabilities. Using Documentum Administrator, customers can select for which events and document types audit, authentication, and/or electronic signature are required. Thanks to TCS, DCM can support e-signature processing on any event, not just approval tasks. TCS enables DCM to be a 21CFR11 compliant solution and aids in compliance with the predicate rule. It is the administrator�s responsibility to configure the system appropriately to meet regulatory requirements.

TCS provides DCM with the following capabilities:

! Robust, configurable, and extendable audit trail of all user and document actions

! Justification codes enforced for document sign-off

! Non-repudiation ensured by securely linking signatures to audit trail

! Signatures displayed on all human readable forms of the content

! Authentication management with attempt limits and account disabling

The events listed below are explicitly audited by DCM. Additional audit trails can be configured from other server audit events.

! dcm_approve: approve event ! dcm_reject: reject event ! dcm_cancel_reject: cancel reject of a controlled document event ! dcm_convert: convert to controlled document event ! dcm_create_cd: create controlled document event ! dcm_import_cd: import controlled document event ! dcm_create_cr: create change request ! dcm_create_cn: create change notice ! dcm_promote: promote event ! dcm_add_approver: add approvers event ! dcm_remove_approver: remove approvers event ! dcm_attach_lifecycle: attach lifecycle to controlled document ! dcm_checkin_cd: check in controlled document ! dcm_checkout_cd: check out controlled document ! dcm_cancel_checkout_cd: cancel check out controlled document ! dcm_export_cd: export controlled document ! dcm_delete_cd: delete controlled document ! dcm_change_policy: modify lifecycle ! dcm_change_document_class: modify document class ! dcm_change_business_application: modify business application ! dcm_change_autoname_scheme: modify autoname scheme ! dcm_change_relation_type: modify relationship type ! dcm_change_auto_process: modify dynamic auto process ! dcm_change_review_period: modify review period event ! dcm_change_cd_properties: modify control document�s properties ! dcm_start_control_workflow: start control workflow for control document ! dcm_create_relationship: create relationship between two documents ! dcm_remove_relationship: remove relationship between two documents ! dcm_send_tbr: send To Be Read notification


29

Benefits of Documentum Compliance Manager Documentum Compliance Manager helps organizations automate the sharing and management of controlled documents and other content to achieve regulatory compliance and attain high standards of product and service quality. Users can create, review, revise, approve and distribute controlled content online within an audited environment. In place of elaborate manual or email-driven processes for review, approval and distribution, DCM creates a Web-driven knowledge chain that links disconnected processes for collecting, sharing, and applying content to meet stringent quality goals and compliance requirements.

DCM dramatically reduces the time and effort required to manage dynamic, controlled content. Customers increase the reliability of controlled content, and gain these compelling business advantages:

! Regulatory compliance

! Reductions in operating costs and production delays

! Increased yields and improved safety conditions, in manufacturing organizations

! Faster time to market

! More efficient distributed operations

Operational cost savings from the deployment of Documentum Compliance Manager can be substantial. For traditional manual systems, global manufacturers dedicate up to 50 percent of their operational workforce to documenting business processes. This costly overhead delays the introduction of new products, negatively impacts profit margins, and weakens a competitive position. Automating business processes using DCM frees many of these knowledge workers to perform more valuable job functions that drive innovation of new products and processes.

DCM leverages the Documentum content repository that lets customers securely manage all controlled content. Customers can simultaneously review and annotate documents as well as graphically define and monitor change notice routing. Current document versions become instantly available to authorized users. With this improved method for revising and managing dynamic content, users, managers and external parties know when and why changes were made.

DCM is based on the Documentum 5 platform, Documentum 5-based lifecycles and workflows, Trusted Content Services for audit trails and digital signatures, the Documentum client development environment (Web Development Kit) and tools, and the Documentum 5 Business Objects Framework. DCM is Java-based and designed to fit in seamlessly with any J2EE-based Web development strategy. Compliant content is handled properly from any interface accessing the server because the business rules that enforce compliance reside in the business objects themselves. The built-in modularity of WDK and the extensibility of the Business Objects Framework make DCM the perfect framework for the development of compliant content applications by systems integrators, technology partners and customers.

In sum, Documentum Compliance Manager incorporates the best practices of many successful global implementations of Documentum solutions for managing controlled content. Improving the reliability of controlled content helps reduce waste and errors, and improves the quality of information used for decision-making. Documentum Compliance Manager helps global organizations today improve the way they meet quality objectives and achieve compliance.


Documentum 6801 Koll Center Parkway Pleasanton, CA 94566-7047 phone (925) 600-6800 fax (925) 600-6850 www.documentum.com

© 2004 Documentum, a division of EMC Corporation. All rights reserved. Documentum and the Documentum logo are the trademarks or registered trademarks of EMC Corporation in the United States and throughout the world. All other company and product names are used for identification purposes only and may be trademarks of their respective owners. Documentum cannot guarantee completion of any future products or product features mentioned in this document, and no reliance should be placed on their availability. Printed in the U.S.A. 60530304V1

30

About Documentum

Documentum, a division of EMC, provides enterprise content management solutions that enable organizations to unite teams, content, and associated business processes. Documentum�s integrated set of content, compliance, and collaboration solutions support the way people work, from initial discussion and planning through design, production, marketing, sales, service, and corporate administration. With a single platform, Documentum enables people to collaboratively create, manage, deliver, and archive the content that drives business operations, from documents and discussions to e-mail, Web pages, records, and rich media. The Documentum platform makes it possible for companies to distribute all of this content in multiple languages, across internal and external systems, applications, and user communities. As a result, Documentum customers, which include thousands of the world�s most successful organizations, harness corporate knowledge, accelerate time to market, increase customer satisfaction, enhance supply chain efficiencies, and reduce operating costs, improving their overall competitive advantage.

For more information about Documentum, visit www.documentum.com or call 800.607.9546 (outside the U.S.: +1.925.600.6754).