How we implement

Validation is not a document you produce at the end of a project. It is a lifecycle that begins with the first requirement and ends only when the system is decommissioned. Our implementation methodology is mapped to the GAMP 5 lifecycle so that audit readiness is built in from day one - not reconstructed under inspection pressure.

We work independent of who implements: whether TrustFort delivers the build or reviews another partner's, the same validated method and the same evidence trail apply.

A GAMP 5-mapped lifecycle

Seven phases, each with defined deliverables and validation artifacts. Documentation is risk-proportional - calibrated to the GxP impact of each process, not maximal for its own sake (GAMP 5 2nd Edition and FDA CSA).

  1. Phase 1: Planning

    Scope, risk, and validation strategy agreed before build.

    • Validation Plan (VP)
    • Initial risk assessment
    • GAMP 5 categorisation & GxP impact assessment
  2. Phase 2: Specification

    What the system must do, approved and traceable.

    • User Requirements Specification (URS)
    • Functional & Design Specifications
    • Requirements traceability matrix (started)
  3. Phase 3: Configuration & Development

    Standard-first configuration; any code under change control.

    • Configuration specification
    • Change-controlled build records
    • Unit-test evidence
  4. Phase 4: Testing & Qualification

    Documented evidence the system works as specified.

    • IQ / OQ / PQ (or CSA-equivalent) protocols & execution
    • User Acceptance Testing
    • Deviation management; traceability matrix completed
  5. Phase 5: Release

    Formal sign-off that the system is fit for validated use.

    • Validation Summary Report (VR)
    • Go-live checklist with validation sign-off
  6. Phase 6: Operation

    Keeping the system validated through change and time.

    • Training records; change & incident control
    • Periodic system review
    • Data integrity (ALCOA+), role segregation, audit trail
  7. Phase 7: Retirement

    Controlled exit that preserves the record.

    • Controlled decommissioning
    • Data archiving & retention

Risk-proportional, not maximal

Standard Business Central Cloud without custom development is GAMP 5 Category 4. We do not re-qualify Microsoft's infrastructure: Microsoft provides extensive qualification evidence (ISO 27001, SOC 2 Type II, ISO 27017), which is recognised as qualification of the platform. Our effort concentrates where the GxP risk actually sits - your configuration, your data, and your processes - so the validation package is defensible in an inspection without being wasteful.

Documentation is a deliverable, not an afterthought: every configuration decision is recorded with its rationale, and every requirement is traceable through specification, testing, and release.

Roles and responsibilities

Clear accountability is a prerequisite in regulated projects - not an outcome. Each engagement defines who does what, on both sides.

  • Project Manager - plans validation activities and tracks deliverables against the plan.
  • QA Lead - reviews validation documentation and confirms audit readiness.
  • Consultants - configure and, where needed, develop under change control; document and unit-test.
  • Client representatives - approve the URS, participate in acceptance testing, and sign off on acceptance.

Client-side responsibilities are defined up front, because a validated go-live depends on both parties.

See how this applies to your system

Every regulated ERP situation is different. In a short discovery call we map your current Business Central setup to the lifecycle above and identify where the audit-readiness gaps are.

Book a discovery call