Compliance Transparency
What the guidance says, what you must decide, and what Valkit.ai provides — kept rigorously separate.
Every customer receives a full validation package at no extra charge with every release of the Valkit.ai platform. Our position on GAMP® categorization is offered as context to support your independent risk assessment — not as a determination of what your organization is required to do.
GAMP® is not itself a regulatory requirement. It is a globally recognized industry best practice, developed and maintained by ISPE, that provides a risk-based framework for the compliance of computerized systems in the life sciences. Regulators — including the US FDA — frequently reference GAMP® in published guidance documents and public engagements, and alignment with GAMP® is widely understood as evidence of a rigorous, scientifically sound approach to computerized system compliance.
GAMP® category definitions are tools to support risk-based decision-making. Where this page references those definitions, it is to provide context that may inform your own documented risk assessments — not to prescribe a compliance outcome. Regulated companies are solely responsible for their own classification decisions and for ensuring compliance with all applicable laws and regulations.
A distinction that is persistently missed in industry is what a DVT actually produces. When a regulated company validates a piece of equipment, a laboratory instrument, or a software system, the DVT creates and manages the digital records of that validation activity — the protocols, test scripts, executed test cases, deviation records, approvals, and final reports. These are computerized system lifecycle records: documentation of the validation process itself, not records required by predicate rules to demonstrate product quality.
The ISPE Good Practice Guide: Digital Validation, Section 1.3, and GAMP® 5 Second Edition, Appendix D9, draw a precise distinction between two categories of records a DVT may hold — and that distinction is directly relevant to any risk assessment a regulated company conducts.
The documentation of validating equipment, instruments, or software systems. These records do not directly support the medicinal product lifecycle, are not required by predicate rules, and are not considered GxP records per GAMP® 5 Second Edition, Appendix D9. A DVT used solely to manage such records is characterized as a GAMP® Category 1 tool for that intended use.
Formal process validation plans, analytical method validation records, and process performance qualification batch data for commercial products. These are predicate rule records — analogous to batch records in an ERP. A DVT managing these records is managing GxP records, and the risk assessment must reflect that accordingly.
Where a regulated company configures connections to other systems, implements custom workflows, or extends the platform beyond its standard configuration, those extensions introduce additional variables that a risk assessment must account for independently. The out-of-the-box platform and any customized deployment are distinct subjects for risk assessment and should not be conflated. In a properly risk-based approach, the validation effort applied to those customizations would typically be more rigorous than that applied to the base platform.
Valkit.ai's interpretation of these guidance documents is informed by the regulatory background of its Chief Product Officer, Stephen Ferrell — a contributor to GAMP® 5 Second Edition, Chair of GAMP® Americas, member of the ISPE GAMP® Global Steering Committee, reviewer of the ISPE Good Practice Guide: Digital Validation, chapter lead on the ISPE GAMP® AI Guide, and trainer of both the US FDA and the Chinese NMPA. This does not represent the position of ISPE or any regulatory authority.
Whether, and to what extent, a regulated company must validate its DVT is a determination that Valkit.ai, GAMP®, or any guidance document cannot make on behalf of that company. It is a risk-based decision that each regulated entity must reach independently, through a documented assessment of their own intended use, quality system, and risk appetite.
Valkit.ai supports every classification — without exception. Whatever your organization determines through its own risk-based process, Valkit.ai will support it. We provide the guidance context, the validation documentation, and the platform support to underpin your compliance process at any classification level.
Valkit.ai executes and documents a complete internal validation of the platform with every software release. These deliverables are made available to all customers at no additional cost — not because any specific regulatory framework requires it for a particular use case, but because transparency and customer assurance are core to how we operate.
This internal validation does not determine the GAMP® category you should assign. It is a voluntary control we apply to give your team a well-documented foundation that supports whatever risk assessment and implementation approach your quality system requires, and to eliminate redundant validation effort on your side.
Valkit.ai Validation Package — Delivered with every platform release · Accessible to all customers · Executed within Valkit.ai
Included at no charge