How we implement
Validation is not a document you produce at the end of a project. It is a lifecycle that begins with the first requirement and ends only when the system is decommissioned. Our implementation methodology is mapped to the GAMP 5 lifecycle so that audit readiness is built in from day one - not reconstructed under inspection pressure.
We work independent of who implements: whether TrustFort delivers the build or reviews another partner's, the same validated method and the same evidence trail apply.
A GAMP 5-mapped lifecycle
Seven phases, each with defined deliverables and validation artifacts. Documentation is risk-proportional - calibrated to the GxP impact of each process, not maximal for its own sake (GAMP 5 2nd Edition and FDA CSA).
Phase 1: Planning
Scope, risk, and validation strategy agreed before build.
- Validation Plan (VP)
- Initial risk assessment
- GAMP 5 categorisation & GxP impact assessment
Phase 2: Specification
What the system must do, approved and traceable.
- User Requirements Specification (URS)
- Functional & Design Specifications
- Requirements traceability matrix (started)
Phase 3: Configuration & Development
Standard-first configuration; any code under change control.
- Configuration specification
- Change-controlled build records
- Unit-test evidence
Phase 4: Testing & Qualification
Documented evidence the system works as specified.
- IQ / OQ / PQ (or CSA-equivalent) protocols & execution
- User Acceptance Testing
- Deviation management; traceability matrix completed
Phase 5: Release
Formal sign-off that the system is fit for validated use.
- Validation Summary Report (VR)
- Go-live checklist with validation sign-off
Phase 6: Operation
Keeping the system validated through change and time.
- Training records; change & incident control
- Periodic system review
- Data integrity (ALCOA+), role segregation, audit trail
Phase 7: Retirement
Controlled exit that preserves the record.
- Controlled decommissioning
- Data archiving & retention
Risk-proportional, not maximal
Standard Business Central Cloud without custom development is GAMP 5 Category 4. We do not re-qualify Microsoft's infrastructure: Microsoft provides extensive qualification evidence (ISO 27001, SOC 2 Type II, ISO 27017), which is recognised as qualification of the platform. Our effort concentrates where the GxP risk actually sits - your configuration, your data, and your processes - so the validation package is defensible in an inspection without being wasteful.
Documentation is a deliverable, not an afterthought: every configuration decision is recorded with its rationale, and every requirement is traceable through specification, testing, and release.
Roles and responsibilities
Clear accountability is a prerequisite in regulated projects - not an outcome. Each engagement defines who does what, on both sides.
- Project Manager - plans validation activities and tracks deliverables against the plan.
- QA Lead - reviews validation documentation and confirms audit readiness.
- Consultants - configure and, where needed, develop under change control; document and unit-test.
- Client representatives - approve the URS, participate in acceptance testing, and sign off on acceptance.
Client-side responsibilities are defined up front, because a validated go-live depends on both parties.
See how this applies to your system
Every regulated ERP situation is different. In a short discovery call we map your current Business Central setup to the lifecycle above and identify where the audit-readiness gaps are.
Book a discovery call