Common DI points of failure: Legacy Systems


The presence of outdated or legacy equipment and systems within the pharma industry are a seemingly inevitable consequence of how the industry is shaped.

As the lab adds new cutting edge systems and equipment, there is an equal pushback of ‘locking-in’ validated approaches and friction to replace or update equipment that require  new qualification and validation activities. Systems that are used rarely or for bespoke tasks don’t make financial sense to constantly upgrade.

How can quality departments balance the costs of validating new systems as well as managing long-term data storage that exists in legacy systems?
In fact, there is no better time than now to consider alternatives to your legacy systems.

What has changed?

In the last years, the regulatory agencies have started approaching legacy systems with increased scrutiny.

Since 1997 electronic records have been subject to FDA laws, under the FDA’s  Federal Food, Drug, and Cosmetic Act and 21 CFR 11[1] where the FDA emphasized that discretion should be applied to legacy systems. However, the FDA has also shown increased scrutiny towards data integrity violations, with recent warning letters clearly showing that limited functions from legacy systems are not sufficient justification for data integrity violations[2].

Similarly, in the current Annex 11 of the Eudralex[3] (which first came into effect in 2011) the criticality of updating systems (and audit trails) was based on company risk assessments. However, the wording of the draft update for Annex 11 shows a much stronger stance[4]. In the update,  audit trails are required for all systems, with the grace period for systems without an audit trail described as “long expired”.

Other places where legacy systems can be found

Another location where Legacy systems can also develop is in systems for archiving and viewing older data in a native format. Even though these data are ‘frozen’, data integrity issues inevitably creep up on these systems. For example, vendors may stop supporting or updating the system, eventually leading to critical errors. Or, more simply, all personnel who originally used the system may slowly migrate out of the department over time until no-one left remaining has the institutional memory of how to run the system.

Therefore, these kinds of legacy systems can accidently lead to compliance challenges if the data can no longer be accessed or understood while archived. Additionally, if the legacy system requires an older operating system which might be out of service, this can create a weak point in the network’s security that can lead to cyber security risks across the whole network.

What alternatives are there to fully replacing equipment?

Luckily, there are multiple good workarounds to remove the data integrity, technical compatibility and security risks in legacy systems without requiring full replacement. For archival data, the ISPE’s Good Practice Guide on Data Integrity by Design[5] recommends virtual machines for legacy data storage or processing needs and outlines analysis approaches for deciding when archival data should be stored as static. Increasingly, master executor systems (EG LIMS, LES for laboratory systems) have been implemented in part to outsource record keeping (e.g., audit trails, data) or even electronically execute equipment that might otherwise be open to data integrity concerns.

Indeed, the push towards electronic interface systems as a part of laboratory automation represent a major step forwards towards handling legacy systems. LIMS in particular, has seen massive growth in recent years and an increase to 15 major suppliers[6], underscoring the growing importance of data centralizing.


Legacy systems create a variety of serious compliance, security, and data integrity challenges and are subject to increasing scrutiny from regulatory agencies. However, these problems can be prevented by upgrading equipment, by implementing a data centralization strategy or by implementing external systems that manage or replace missing components.

Do you need help with managing your legacy systems?

GxP-CC can support you in laboratory information or execution management systems, supporting or leading equipment audits with our teams experienced in data integrity, data governance, and IT security. We also support training through workshops.

Contact us today to get started.



[5] ‘ISPE GAMP® RDI Good Practice Guide: Data Integrity by Design’, n.d., 176.


You Might Also Like:
Join Our Team
Reach your full potential while making a powerful impact.
Learn More
Contact Us
Let’s find the best solution for your compliance needs.
Learn More