SAP for Life Sciences Blogs

Imagine multiple GMP critical systems across different plants, departments and across the globe… No wonder this creates a lot of complexity for the people who control access to these systems.

Authorisation checks for access to systems are often cumbersome and, more importantly, not risk-free. In my experience, the processes around Access Control often face these problems:


  • It is manually managed in disparate systems
  • Authorisation on access approvals is poorly documented and managed
  • Segregation of duties is often completely overlooked, unclear, not documented and subject to change during the life cycle of systems
  • Authorisation on access approvals has no relation with training/qualification records
  • Emergency or temporary access is not supported and poorly documented
  • Access Control is not audit-ready at every moment in time


Needless to say, the problems above can lead to inappropriate, unauthorised access, which ultimately can lead to higher risks in the operation, non-compliance with 21 CFR Part 11 paragraph 11.10(d)/(g)/(i), loss of proprietary information and misuse of systems.

The graph below shows quality and effort of authorisation checks without an automated Access Control tool:

Figure 1: Quality and effort without AC tool


It is clear that the pattern in this graph is very reactive, and therefore volatile. In a controlled/regulated environment this is of course undesirable.

Creating a business case for automated Access Control

That said, making a case for an automated Access Control system can actually be quite straightforward because you can measure direct impact by recording and analysing:


  • The access request process, with requests, changes and their throughput times and documentation
  • The efficiency of the approval process
  • A list of systems that are (or should be) subject to Access Control
  • The internal and external audit findings
  • Possible segregation of duties (SoD) risks
  • Extent of compliance with GMP regulations such as 21 CFR Part 11 (Electronic records; Electronic signatures)


In the following figure, we have mapped the quality and effort of an automated tool onto the same graph. It is obvious that the effort is high when kicking off an implementation project like this, but the return on investment on quality and reduction of effort is achieved relatively quickly.

Figure 2: Quality and effort with AC tool


In my opinion, manually managing Access Control within (large) GMP critical environments is nearly impossible. The risks of non-compliance due to human error increase as new applications are introduced more rapidly and the IT landscape becomes increasingly complex.

Introducing automated tools can help in structuring the requesting and management process. The additional benefit is that you have an extensive check on the current state.

Looking for help to build your business case? Get in touch!
