Jun 22, 2025
Peter Busk
When legacy systems challenge compliance
Why older systems create problems
Many pharmaceutical companies still use older IT systems in their production and quality assurance. They often work just fine on a daily basis, but when viewed from a compliance perspective, problems quickly arise. The systems are rarely updated to handle today's requirements for data integrity, traceability, and validation, making them vulnerable in audits.
It is not uncommon for legacy systems to lack basic functions such as audit trails, electronic signatures, or secure user management. In many cases, it is difficult or impossible to document that data has not been altered or deleted. This directly contradicts GxP requirements and can lead to serious compliance consequences if authorities raise questions.
What is the risk of keeping them?
When companies choose to keep their old systems, it is often because they are stable and integrated into core processes. However, stability is not the same as compliance. The biggest problem is that legacy systems often cannot be validated according to modern standards, and it can be challenging to implement changes without affecting the entire operation.
Moreover, it can be a challenge to find documentation for the original implementations and changes, especially if the systems are many years old or developed internally. This makes it difficult to demonstrate to authorities that the system still meets the requirements. At the same time, it is hard to train new employees on older systems that are no longer intuitive or well-documented.
How to minimize the risk
The best way to handle legacy systems is to conduct a risk-based review of them. This means assessing which systems are still necessary, which can be phased out, and which require extra control. For the systems you decide to retain, a plan must be established for how to document their compliance.
This could, for example, be done by introducing compensating controls. If a system does not have an automatic audit trail, manual logs and regular audits can be implemented. If access control is weak, physical controls can be introduced or access limited through organizational processes.
Additionally, it is important to document everything you do. If you choose to keep a legacy system, you must be able to show that you have considered the risks, that you have implemented measures, and that the system is continuously monitored and evaluated. This demonstrates both responsibility and maturity in compliance work.
If you want to learn more about how to manage compliance risks from older IT systems in pharma, feel free to reach out to us so we can have an informal chat.
By Peter Busk, CEO & Partner