VMPValidation Master Plan

A Validation Master Plan (VMP) is the highest-level validation document at a manufacturing site. Where each system has its own validation pack (URS, FS, DS, IQ, OQ, PQ, RTM), the VMP sits above all of them — listing every validated system, classifying each by GxP risk, identifying the deliverables required, assigning owners, and scheduling periodic review and revalidation.

Annex 15 §2 requires a VMP for every EU GMP site. FDA does not name a 'VMP' explicitly but expects an equivalent governance document under 21 CFR 211 and the 2011 Process Validation guidance. WHO TRS 1033 Annex 3 and PIC/S PI 041 both reinforce the same structure. In practice, a single VMP serves every major jurisdiction.

The VMP is the document an inspector asks for in the first hour of an inspection. It tells them, on a single page, that the site knows what it has, knows what state it's in, knows who's responsible, and knows when the next review is due. A site without a current VMP — or with a VMP that doesn't match reality — has effectively conceded the inspection before the first deviation is even discussed.

The VMP is not a nice-to-have. It is explicitly named in Annex 15 §2.1: 'All validation activities should be planned. The key elements of a validation programme should be clearly defined and documented in a validation master plan (VMP) or equivalent documents.'

Inspectors compare the VMP to the actual state of the floor. Any divergence is the start of a 483 or major finding — not because the divergence itself is dangerous, but because it shows the governance system isn't functioning.

Annex 15 §2 lists the minimum content. Most sites organise the VMP into ten sections:

1. Validation policy — the site's commitment, scope of GxP, governance structure, and statement of senior-management support.
2. Organisational structure — who owns validation overall, who approves at each stage, who executes, how Quality is involved, RACI diagram.
3. Inventory of validated systems — every computerised system, manufacturing equipment item, lab instrument, utility (water, steam, HVAC, compressed air), cleaning process and analytical method within scope.
4. Risk classification — GxP impact (high / medium / low) per item, often using a documented decision tree (ICH Q9, GAMP 5 V-model).
5. Validation deliverables matrix — for each item, the URS / FS / DS / IQ / OQ / PQ / PPQ / CPV documents required and their current revision status.
6. Schedule — initial validation timing, revalidation triggers, periodic-review frequency, planned PPQ runs.
7. Change control — how validated state is preserved across upgrades, configuration changes, supplier updates and process changes; ties to the QMS change-control SOP.
8. Acceptance criteria and deviations — what 'validated' means quantitatively, and how qualification or process deviations are managed.
9. Training requirements — who must be trained on which validated systems, how competency is recorded.
10. References — links to per-system validation packs, SOPs, the QMS, the Quality Manual, supplier audit reports.

The order is less important than completeness. An inspector pulls the VMP, picks two random systems from the inventory, and traces them to the latest qualification report and the next scheduled review. If those threads break, the VMP fails its purpose.

Confusing the VMP with a per-system pack is the single most common authoring error. The VMP is governance; the pack is evidence.

The VMP says 'V5 Ultimate requires URS, DQ, IQ, OQ, PQ, and is scheduled for annual review by Q3 each year' — it does not BE those documents. The pack itself lives in the document management system and is referenced from the VMP inventory.

Not every system needs the same depth of validation. A high-risk pharmaceutical filler obviously needs full PPQ; a label printer used for non-GxP shipping labels does not. The VMP must document how that distinction is made, so an inspector cannot accuse the site of arbitrary scoping.

Two complementary frameworks are used:

• ICH Q9 (R1) — Quality Risk Management. Combines severity, occurrence and detectability to score each system. Sites typically apply it to processes and equipment.
• GAMP 5 (2nd ed., 2022) — categories 1–5 for computerised systems. Category 1 = infrastructure (OS, virtualisation), Category 3 = non-configured COTS, Category 4 = configured COTS (most MES, LIMS, ERP, V5), Category 5 = bespoke. Higher categories demand more rigorous validation.

The VMP records the category for every computerised system and the corresponding deliverables. Inspectors increasingly expect a written justification per category — 'because we always validate it as Category 4' is not adequate.

The VMP schedule is the live operational artefact. It has three components:

1. Initial qualification dates — when each system was first qualified, with summary-report reference.
2. Periodic review dates — typically annual for high-risk systems, every 2–3 years for medium, every 3–5 years for low. Review confirms the system is still operating as validated, change-control has been honoured, and no new risks have emerged.
3. Revalidation triggers — explicit events that force a re-execution of all or part of the qualification: major upgrade, process scale change, equipment relocation, supplier change, repeated deviations, regulatory expectation change.

Annex 15 §10.5 states: 'Where possible, validated cleaning procedures should be revalidated periodically.' The same principle applies broadly — periodic review is the backstop that catches drift between formal change-control events.

Modern VMPs increasingly cover cloud-hosted SaaS systems — eDMS, eQMS, MES, LIMS, V5 Ultimate. Annex 11 §3 explicitly requires supplier assessment for any computerised system, and GAMP 5 (2nd ed.) added new guidance for cloud and Agile. The VMP must explain how that assessment was done and where the evidence lives.

Typical evidence package for a Category 4 SaaS supplier:

• Supplier audit report (or third-party shared audit report such as a Confirm-style cloud audit).
• SOC 2 Type II report covering the relevant Trust Services Criteria.
• ISO 27001 certificate and Statement of Applicability.
• Supplier's own quality manual, validation policy and SDLC summary.
• Disaster recovery / business continuity statement and tested RTO/RPO.
• Subprocessor list and data-residency statement.
• GDPR / HIPAA / data-processing addendum.
• Supplier change-notification SLA — how the customer hears about a release.

The VMP records the assessment outcome, the residual risks, the customer mitigations (e.g., parallel UAT for every major release) and the next reassessment date. For SaaS systems with monthly release cadence, the VMP must also describe how regression testing keeps pace without revalidating the whole pack each release.

The inspector findings against VMPs are remarkably consistent across FDA, MHRA, EMA and PIC/S inspections:

• VMP exists but inventory is out of date — half the listed systems are gone, new systems aren't listed.
• No risk classification — every system treated identically, oversimplifying or overcomplicating.
• Schedule never updated — periodic reviews overdue and there's no evidence anyone noticed.
• Change control disconnected — system upgrades happen with no link back to the VMP entry.
• Signed once at creation, never re-signed at annual review.
• No mention of cloud / SaaS supplier qualification under Annex 11 §3 and GAMP 5 supplier audit.
• VMP cites SOPs that have themselves been superseded.
• Deliverables matrix references documents that don't exist or live in a different system without traceable IDs.
• Roles named for people who have left the company.
• No statement of how Stage 3 CPV (FDA 2011 guidance) is run, despite products being in commercial supply.

Most of these failures aren't about missing intent — the site genuinely runs a validation programme — they're about the VMP being treated as a one-time deliverable instead of a living register. Treat the VMP like the inspector treats it: open it every quarter, reconcile it against reality, and re-sign annually.

V5 ships a VMP template populated with the V5 platform as a GAMP 5 Category 4 system, including pre-filled risk classification, supplier qualification evidence (V5 SOC 2 / ISO 27001 / supplier audit pack), and the deliverables matrix pointing to the V5 validation pack.

The template includes placeholder rows for the customer's other systems — ERP, LIMS, scales, ovens, autoclaves, HVAC, water — which the customer Quality team extends to match their site. Periodic-review dates, owners and revalidation triggers are captured as structured data in V5's document control module, so the schedule renders as a dashboard, not a static Word table that goes stale.

• Document-control module enforces two-person e-signature on the VMP itself.
• Periodic-review dates drive automated calendar reminders to the owner 60 / 30 / 7 days out.
• Change-control entries automatically reference back to affected VMP inventory rows.
• Supplier-document module stores the V5 audit pack so customers don't have to chase it at each audit.
• Inspector view: one-click export of the VMP plus current inventory plus open change-control items as a single PDF.

Annex 15 §2.3 expects the VMP to include an inventory of systems and equipment together with their validation status and the criticality classification driving the depth of validation. The inventory is the single section every inspector turns to first, and the section that most often exposes a programme that has lost discipline. Sites with mature VMPs treat the inventory as a living register reviewed quarterly; sites with weak VMPs let it drift, and the inevitable inspector finding is that the inventory does not match the kit on the floor.

Annex 15 §11 expects qualified systems and processes to be subject to periodic review at a defined frequency, with the cadence proportionate to risk. The VMP names the policy cadences and the reviewable artefacts. Mature sites layer a continuous-review process underneath the formal cadence so that change-driven re-qualification triggers fire in real time rather than waiting for the calendar.

• GxP-critical systems (LIMS, MES, ERP-quality module, V5 in scope): annual full review; quarterly evidence sweep against the change-control log.
• GxP-supporting systems (training tracker, document control, deviation management): biennial full review; annual evidence sweep.
• Non-GxP business systems (HR, finance, marketing): documented exclusion from VMP scope; reviewed only when a change brings them into GxP scope.
• Process validation (per ICH Q8/Q9/Q10 lifecycle): continued process verification (CPV) plan reviewed annually; SPC trend review monthly; revalidation triggered by Cpk drift, supplier change, or out-of-trend event.
• Cleaning validation: 3-batch revalidation per product introduction; annual statistical review of swab/rinse trend data; revalidation triggered by formula change, new contaminant, or NCR cluster.
• Computerised systems (Annex 11 §11): periodic review per the validation status, the change history, the incidents, the deviations, the access-rights review and the back-up/restore test evidence.

The change-driven trigger is what catches things between calendar cycles. Any change-control record that touches a GxP-critical system requires a validation-impact assessment, signed by Validation and QA, before the change is approved. The decision is one of: no impact (rare, requires justification), like-for-like replacement (focused IQ only), partial re-qualification (focused OQ/PQ on the affected modules), or full re-qualification (treat as a new system). Sites that skip the impact assessment for 'small' changes are how an MES upgrade silently invalidates a year of CPV evidence.

V5 does not author the customer's VMP — the VMP is the customer's site governance document, owned by Quality. What V5 does is generate the evidence the VMP commits to maintaining: the validation pack, the change-control audit trail, the periodic-review extracts, and the operational metrics (deviation rate, CAPA closure rate, training compliance) that the VMP-mandated annual review consumes.

• Validation Pack PDF — generated per release, signed by Validation Lead and QA Director, traced via RTM to every URS item; the artefact the VMP names as the IQ/OQ/PQ evidence for the V5 tenant.
• Change-control register — every customer-visible change carries a change-control record with the impact assessment, the validation-impact decision, the test evidence and the two-person approval; exportable to the customer's eQMS on request.
• Periodic-review extract — annual report listing every configuration change in the period, the deviations raised against the system, the CAPAs, the access-rights changes, and the back-up/restore test evidence; designed to drop directly into the customer's Annex 11 §11 periodic review file.
• Continued Process Verification dashboard — SPC charts (Xbar-R, I-MR, EWMA) per WO family with Cpk trending, Western Electric rules alerting, and a CPV report exportable as PDF for the annual product review.
• Computer system inventory entry — V5 ships with a pre-populated inventory entry the customer drops into their VMP inventory; the entry carries GxP classification, GAMP 5 category, owner roles, and the current validation references.
• Annual VMP-readiness check — a self-service report that flags any open NCRs against the validated state, any change-control records lacking validation-impact assessment, and any periodic-review items past due.