SapotaCorp
Get in Touch
Dynamics 365

Pharma compliance on D365: LCS BPM + audit policies for FDA/EMA

Pharmaceutical companies running D365 F&O must satisfy FDA and EMA validation protocols - tracked configuration changes, audit trails, validated business process documentation. Standard logging doesn't cut it. The architecture combines LCS Business Process Modeler with database logging and audit policies.

Published Feb 05, 2026
Pharma compliance on D365: LCS BPM + audit policies for FDA/EMA

Key takeaways

  • Pharmaceutical companies on D365 F&O must satisfy FDA and EMA validation protocols: tracked configuration changes, audit trails, validated business process documentation. Standard logging does not cut it. The compliance architecture combines LCS Business Process Modeler with database logging and audit policies.
  • LCS BPM is the process documentation system FDA recognises. Every business process gets documented with steps, system inputs, expected outputs, and validation evidence. BPM documentation lives alongside the configuration; auditors pull both together.
  • Database logging captures every record-level change to regulated tables (inventory transactions, manufacturing batches, quality test results). The log is immutable, timestamped, user-attributed. Production teams enable it only on tables compliance requires — broad enablement floods storage.
  • Audit policies sit on top of database logging. The policy defines what triggers an audit alert (off-hours configuration change, bypass of a quality check), who gets notified, and what action is required. The combination of LCS BPM + database logging + audit policy is what passes FDA/EMA validation review.

Pharmaceutical companies running Dynamics 365 Finance & Operations face a higher compliance bar. FDA and EMA auditors want system traceability at the record level. They want configuration-change history across time. They want validated documentation showing each business process matches what the system actually does.

Standard infrastructure logging is not enough. The question is which D365 and platform capabilities can satisfy both traceability and validation. The pattern should not create a shadow compliance system.

What does not pass FDA/EMA scrutiny

Anti-pattern 1: Rely on IT change logs

"Enable standard logging and use IT change logs."

Infrastructure logs do not surface business-process events. VM logs and Azure Activity Log are too low-level. Auditors want to see which user changed which BOM at which time. They do not want to see which VM restarted.

Generic IT logging fails the audit question.

Anti-pattern 2: Manage compliance documentation externally

"Use Azure Monitor for logs. Manage compliance documentation in SharePoint or a GRC tool."

This splits the traceability story. The running system lives in D365. The validation documentation lives elsewhere. Keeping them aligned takes constant manual work.

Drift is inevitable. Drift is what auditors find.

Anti-pattern 3: Document only at go-live

"Rely on SharePoint project documentation. Track updates via Power Automate."

This captures processes as they were at go-live. It does not track what the system does today.

The quarterly auditor visit will surface the gap.

The pattern that satisfies regulators

Use LCS Business Process Modeler (BPM) for process validation documentation. Pair it with database logging and audit policies for system traceability.

What each piece contributes:

LCS Business Process Modeler

BPM captures the company's business processes as executable diagrams. Each diagram links to the F&O features that implement it.

Changes to the process get versioned. The documented process traces to the system behavior. This closes the "is the validation doc current" gap.

Database logging

F&O's built-in audit trail tracks row-level changes on configured tables.

Pharma-critical tables get logging enabled:

  • BOM records.
  • Formula records.
  • Batch records.
  • Quality test results.
  • Customer-specific formulations.

Every insert, update, and delete is captured with user, timestamp, and before/after values.

Audit policies at the platform level

These track who accessed what, when. Microsoft Purview and Azure audit logs cover tenant-wide access tracking. Regulators expect this layer.

Security Diagnostics

The Security Diagnostics report pulls the current security configuration. Auditors review it to see which users have which roles and privileges.

Together, the stack answers three questions every audit comes down to:

  1. What does the system do?
  2. How has it been changing?
  3. Who has been making the changes?

Database logging strategy

Logging every table is not a strategy. It destroys F&O performance. It produces log volumes nobody can review.

The pharma-specific pattern:

  • Always-on logging for process-critical tables: BOM, formulas, routes, batch records, quality tests, item specifications, customer contracts.
  • Insert + update + delete on those tables. Full lineage, including deletions. Auditors specifically ask about deletions.
  • Logging off for high-volume transactional tables with no compliance exposure (GL transactions, posted invoices).
  • Scheduled archive of logs to long-term storage (Azure Blob cold tier). Retention typically 7 years.

A quarterly log review procedure closes the feedback loop. The compliance team samples logs, verifies that changes had approval, and archives the review.

LCS BPM configuration

BPM works when these conditions hold:

  • Library structure matches the company's quality management system.
  • Process hierarchy stays maintained, from level-1 macro processes ("Manufacture batch") down to level-4 activity detail.
  • Process to feature linking stays current. Each process step points to the F&O feature that implements it.
  • Versioning is used. Process changes get new versions, not edits to the same version.
  • Sign-off gets recorded per version. Quality approves the documented process. IT approves the implementation.

BPM becomes the validated version of "how we do this". Auditors then verify it against observed system behavior.

System traceability beyond tables

Regulated environments need more than table-level logging. Three additional capabilities:

Batch genealogy

Track which raw materials went into which batch. Track which batches went into which finished goods. F&O's built-in batch tracking covers this.

Electronic signatures

Operations requiring 21 CFR Part 11 compliance need e-signatures on quality-critical transactions. F&O supports electronic signatures on parameter-defined actions.

Deviation tracking

When a batch deviates from specification, the deviation, investigation, and disposition need to be recorded. This sometimes extends standard quality management in F&O.

Each capability is standard or near-standard. Custom builds are usually reserved for industry-specific workflows not covered by the quality management module.

CSV (Computer System Validation)

The full validation story includes four stages:

  • IQ (Installation Qualification). Documented deployment of the system.
  • OQ (Operational Qualification). System behaves as designed under expected conditions.
  • PQ (Performance Qualification). System performs under production conditions.
  • UAT. User acceptance testing against the validated process.

LCS Environment Monitoring and deployment records cover parts of IQ. BPM-linked test execution (using Task Recorder or similar) covers OQ. Pharma implementations typically pair the D365 toolchain with a CSV partner for the full documentation package.

What ships with the architecture

A pharma-compliant D365 implementation has:

  • LCS BPM library populated with business processes linked to F&O features.
  • Database logging enabled on process-critical tables with a retention policy.
  • Audit policies at the tenant level via Purview.
  • Security Diagnostics report run quarterly with review by compliance.
  • Electronic signature configuration where 21 CFR Part 11 applies.
  • Batch genealogy and quality management module configured.
  • CSV documentation covering IQ, OQ, PQ, and UAT.
  • Quarterly audit log review procedure with sign-off.

The architecture uses what the platform provides. The compliance weight sits in the governance and procedures around it. It does not sit in parallel systems.

Winston Tran

Winston Tran

Power Platform + D365 Engineer

More from Dynamics 365

Synapse Link for F&O: retiring BYOD without breaking your reports

Synapse Link for F&O: retiring BYOD without breaking your reports

Dynamics 365Jun 02, 2026
The Complete D365 F&O Engineering Guide: 30 Production Patterns

The Complete D365 F&O Engineering Guide: 30 Production Patterns

Dynamics 365Apr 20, 2026
AX 2012 to D365 F&O upgrade: redesign, don''t re-overlay

AX 2012 to D365 F&O upgrade: redesign, don't re-overlay

Dynamics 365Apr 12, 2026
Audit trails in D365 without killing performance

Audit trails in D365 without killing performance

Dynamics 365Apr 04, 2026
PO approval at scale in D365: rule-based procurement workflows

PO approval at scale in D365: rule-based procurement workflows

Dynamics 365Mar 25, 2026
MES integration with D365 Supply Chain: Azure middleware pattern

MES integration with D365 Supply Chain: Azure middleware pattern

Dynamics 365Mar 13, 2026
Browse all Dynamics 365
Contact Us Now

Share Your Story

We build trust by delivering what we promise – the first time and every time!

We'd love to hear your vision. Our IT experts will reach out to you during business hours to discuss making it happen.

Contact Us

(+84) 38 339 6560

Email

michael@sapotacorp.vn

WhatsApp

Office

S-Building, 101 Huỳnh Tấn Phát, Hải Châu, Đà Nẵng

WHY CHOOSE US

"Collaborate, Elevate, Celebrate where Associates - Create Project Excellence"

SapotaCorp beyond the IT industry standard, we are

  • Certificated
  • Assured quality
  • Extra maintenance

Tell us about your project

contacts

S-Building, 101 Huỳnh Tấn Phát, Đà Nẵng (+84) 38 339 6560
Get in Touch
Contacts(+84) 38 339 6560michael@sapotacorp.vn
Follow us:Get in Touch