Even in the highly regulated environment of the pharmaceutical and medtech industry, a legally compliant and fully digital archiving of documents is possible. "Substitute scanning" provides the necessary basis.

Paper or digital format? As soon as it comes to documents that have to be retained, most companies in the process industry nowadays use a "hybrid solution": Documents are not consistently captured, stored and updated digitally, but are generally filed in paper form in order to comply with the relevant legal requirements. At the same time, in day-to-day business, people work with scans, for example, which then ultimately have to be printed out on paper and stored accordingly. The legal security is offset by high archiving costs, and, at the same time, the storage space needed for the ever-increasing amounts of paper can result in follow-up costs.

Complete document digitization solves these challenges. By using "substitute scanning", it is possible to do this in a legally compliant way. This procedure replaces hybrid documentation with fully electronic recording and archiving of production and quality documents, including all raw data and reports, in a manner that complies with regulations and preserves the evidential value of all documents. This results in "true copies".

"A complete digitalization of documents is possible in a compliant manner." 

Gains in efficiency and resources

Regulation-compliant substitute scanning has several advantages, especially in terms of simplified digitalization of operational processes, such as the signatures or approval processes. This process ensures Data integrity, for example, by using electronic signatures. Furthermore, information is immediately available thanks to software features like text recognition/OCR search. Keywording, linking and central storage of digitized documents further ensure that they can be retrieved easily. This enables location-independent, electronic approval processes.

It also eliminates the need for paper archives in the future. This can save a considerable amount of storage space and reduces costs for archive management or for security measures such as fire protection. When it comes to deciding between financing a new building for storing paper documents or digitization of archives, the second option usually quickly proves to be more profitable.

"Unlike with new buildings, digitization of archives usually pays off quickly."

Guidelines for regulation-compliant scanning and storing process

Those who decide in favour of legally compliant and complete digital archiving should do so with the awareness that this must be accompanied by a complete and consistent move from the paper format – after all, no digitization initiative/strategy is meaningful if the employees continue to print out documents.

The crucial starting points for such an initiative are two guidelines issued by the German Federal Office for Information Security (BSI): TR-03138 for substitute scanning (RESISCAN) and TR-03125 for preserving the evidential value of cryptographically signed documents (ESOR). These guidelines represent the current state of the art.

TR-RESISCAN – substitute scanning

This guideline applies to all electronic recording processes when converting paper-based original documents to digital copies. It considers the loss of security features of the paper-based document (type, texture, ink, etc.) and defines a secured scanning process that preserves the evidential value of the scanned document and thus ensures the ability of the document to serve as a proof in a compliant manner.

TR-ESOR – preservation of the evidential value of cryptographically signed documents

What needs to be taken into account though when making this "transformation" from paper documents to digital storage? The BSI guideline on the TR-ESOR procedure addresses how to secure integrity as well as how to securely retain/store scanned and cryptographically signed documents while preserving their evidential value over the long term. For example, it outlines the procedure for digital approval processes using electronic signatures and digital seal and time stamp formats. It also regulates the cross-company information exchange of "true copies".

By eliminating hybrid documentation in a legally compliant way, TR-ESOR provides an internationally established standard that ensures maximum data integrity. The implementation of both guidelines also ensures that scanning and archiving no longer lead to integration gaps due to discontinuity of media.

"TR-ESOR ensures maximum data integrity by eliminating hybrid documentation." 

Scanning concept for substitute scanning

Companies that want to develop a concept for substitute scanning should divide this process into six successive phases. The initiation phase focuses on compiling generic content and previous insights from actual as-is analyses and wh-questions that the scan concept should contain. Based on this, the sequence and practical implementation of the scanning process (visual/textual) are then designed. This process should be included as a user story in the requirement specification for the scanning software. The third phase involves specifying the target processes as well as technical, organisational, personnel and security measures.

In the fourth phase the issue of preserving evidential value with the TR-ESOR middleware is addressed. Here, only the functional and technical requirements are to be included in the user requirement specification for the TR-ESOR middleware. Then, the overall architecture of the scanning system, the TR-ESOR middleware and the target systems must be defined. In the final phase, the completed scan concept can be used as a blueprint for rollout in other areas.

Figure: Substitute scanning vs. traditional paper processing (click on image to enlarge) © msg advisors

Management tips:

• Always implement substitute scanning in tandem with the introduction of a TR-ESOR solution.
• Integrate substitute scanning into your organization's digitalization strategy and input/output management.
• Note that substitute scanning requires electronic processing, but not an e-file (e.g., e-invoicing, CAFM, etc.).
• Consider the use of cryptographic security for substitute scanning in the context of your organization's digitalization, for example regarding elements of your IT security strategy.