Disrupting the Status Quo of Legacy Systems

Nov. 27, 2018
How embracing modernization will put pharma on the path toward operational quality, efficiency and regulatory compliance

To keep pace with the ever-changing world of regulatory compliance, pharmaceutical manufacturers are faced with modernizing their legacy control systems to optimize performance. Emerging technological advancements, such as data collection and analysis tools, are helping facilities make more informed data-driven decisions and meet regulatory requirements.

Many facilities, however, have yet to take advantage of the latest tools and techniques available, relying instead on traditional methods that continue to run on legacy computing power. Change is hard. There are many unanswered questions that arise when facing the daunting prospect of modernization. Uncertainty and doubt can stop forward progress, creating risk as processes run on aging platforms or equipment.

For those in the uncertain category, let’s look at modernization from a different perspective: Why should you upgrade or enhance legacy process control systems and data collection equipment at all? What gains will be made? Your existing system works, so why mess with it given the combined expense of the equipment, engineering, installation and validation? Many facilities have been running their production processes for years, creating and storing printed reports, paper strip charts, etc., then dragging it all out when a compliance audit occurs. It works … mostly.

So, what has changed that requires us to change?

Drivers of Change

With respect to modernization, there are typically three primary areas that drive change:

  • Cyber vulnerabilities
  • Smart manufacturing
  • Obsolescence

Cyber Vulnerabilities

Many in the life sciences industry have enrolled in the United States Computer Emergency Readiness Team (US-CERT) program, and receive regular alerts detailing the latest identified vulnerabilities in industrial control system (ICS) components and software. A large percentage of the alerts contain this disconcerting statement: “ATTENTION: Exploitable remotely/low skill level to exploit.” This kind of vulnerability presents a seemingly good argument for not having modernized and connected control systems. After all, you can’t hack a filing cabinet, remotely anyway.

One flaw in this argument, however, is that legacy systems are connected, typically residing on flat network architectures. Legacy process control networks were originally reasonably secure, because they served a very limited purpose: They provided inter-processor communications where needed, gave operators the ability to monitor and interact with the control system, and served data to the process historian. Basically, if left to themselves (isolated from the outside world), this works. Over the years, however, some very ingenious tools and techniques have been devised to expose process data to the business layer, and this is where the vulnerability problem lies. In the new connected enterprise world view, some very comprehensive technology is available that provides centralized tools for securing, managing, versioning, tracking and reporting automation-related asset information. This automated asset management software enhances visibility into all aspects of the network and control systems hardware and software. It provides real-time information that can impact uptime, productivity, quality and regulatory compliance.

Smart Manufacturing

Smart manufacturing is not as much a revolution as it is the realization of the benefits provided by the advent of the connected enterprise and big data. From the control system perspective, smart manufacturing had its beginnings with the first distributed control systems (DCSs) and programmable logic controllers (PLCs) in the 1980s. In many instances, these control systems (dating mostly from the mid to late 1990s) are still in use today. Unfortunately, these systems generally lack the interoperability, capacity and structured data that is needed as a foundational piece of the smart manufacturing construct. Additionally, these systems are not designed with the degree of security required in today’s cyber landscape.

Whether or not pharmaceutical manufacturers embrace the entirety of smart manufacturing, there is ever increasing pressure from the business side of the fence for more data from the manufacturing layer. They want access to data that can be delivered in real-time, is actionable, and complete to facilitate collaboration among employees, suppliers and customers. This information ensures the right products can be delivered at the right time: safely, profitably and in the correct quantities.

With the arrival of big data and advanced analytics, we now have process data, maintenance data, logistics data and product data (a company’s intellectual property) making up the constellation of interesting information about industrial assets. This data is sensitive by nature, containing information that could, if maliciously obtained, be very damaging to a company. This new data paradigm requires building in more thorough security at every level to address the sensitive nature of industrial data. To accomplish this, we are forced to revisit the network architecture and infrastructure of our facilities and enhance or, more likely, upgrade the control systems to support the cyber security and data model requirements. If we take a wait-and-see approach, we are faced with outdated systems and the potential for catastrophic consequences.


In today’s digital world, the speed at which technology changes increases exponentially. Just look at the computing power in our handheld devices. How often do we find ourselves upgrading to the latest operating system or buying a new device just to accommodate more mobile apps, gaming and entertainment capability and other bells and whistles? When we don’t upgrade, we experience slow data connections, compatibility issues and communication challenges.

The life sciences industry is facing similar pressure to upgrade and modernize. Customer demand and new innovative technologies, such as the Industrial Internet of Things (IIoT), cloud and mobile computing, open architecture, and advanced data analytics, are driving change. Without compatible systems to run these technologies, your facility will be hard-pressed to improve quality and efficiency to meet compliance regulations and stay competitive. You may believe maintaining the status quo is the best option. As your systems age, however, you run an increased risk of unplanned downtime as components fail. Sourcing spares for these systems becomes difficult as OEM support comes to an end. The cost of maintaining legacy systems can approach the cost of an upgrade or full modernization, without realizing any of the benefits gained from upgrading.

Add to this issue the specialized operational knowledge required to monitor and maintain these legacy systems. What happens when long-term experienced engineers leave or retire? Without a way to efficiently capture and transfer this knowledge to new employees and the next generation, this undocumented tribal knowledge may be lost and can lead to operational challenges and therefore significant cost. You will need to attract and retain new talent who relate better to a modern workplace. To this end, you will need to use smart, flexible and open systems, running new technology, to move forward.

Technology for Compliance Sake

The primary areas that drive change also compel us to embrace it. For pharmaceutical manufacturers who have been working within regulatory constraints for years, it is hard to change validated processes and shed regulatory uncertainty. Process analytical technology (PAT) practices have made improvements easier to implement but changes are still complex. Those who rise to meet these challenges and take advantage of new standard requirements (e.g., 21 CFR Part 11), smart manufacturing technologies, data tools and techniques, and new platforms will benefit, especially in meeting compliance requirements.

Compliance with FDA regulations and current good manufacturing practice (CGMP) standards depends on smart instruments to extract data that is, again: accurate, actionable, timely and complete. This is particularly important when considering product/process geology records. If modernization is implemented properly, you can know everything that happens when executing a batch, order and the like, depending on the facility. This includes everything that goes into the product, what equipment is used, who is involved, how long it takes, whether there are any deviations, whether a clean in place (CIP) is required and whether it was executed, who did it, did it conform to the required specifications, were the necessary lab tests run, what are the results and on and on. Also, just as important, can I access this information quickly? Can I provide compliance reports to auditors with everything they need when they need it? These questions and others concerning product and process genealogy can be easily answered in a timely fashion with the thoughtful implementation of both upgraded control systems and data analytics infrastructure.

Forward Progress

Modernization is inevitable and necessary to stay competitive. To start the journey, you need a clear path forward to help get past the fear of disrupting the status quo. Of course, many factors must be weighed and considered when upgrading legacy systems and technology, such as standard requirements, equipment inspection, validated processes, quality documentation, supply chain traceability and more.

Embracing technological change gives you a real competitive advantage and can start you on the right path toward operational quality, efficiency and regulatory compliance.


About the Author

Tim Gellner | Senior Consultant