In the meantime, such VMPs have become a legal requirement in Europe through Annex 15 of the European GMP directive (16).
The US FDA may not ask for a VMP; the inquiry may be for the company's approach to validation. The VMP, and the examples it
contains, has become the perfect document to help answer any question about the level of validation.
An equivalent document in the area of risk assessment is a risk management master plan. Such a document should be developed
at a fairly high level within the company. It should describe the company's approach to risk management and assessment and should
include templates for risk identification, evaluation, mitigation, and control. It also should include criteria and examples
for severity and probability. The master plan can be used to derive risk management plans for individual projects. The main
advantages are increased efficiency, and, even more importantly, consistent implementation.
A risk management master plan should also include examples of factors that impact risk categories. This is important to ensure
a consistent approach to risk assessment across the company. An example with some recommendations is shown in Table II.
Examples are quite useful for getting an idea of what type of systems fall into the different categories. Another type of
question that is frequently posed is whether, for example, a laboratory management system or a documentation system falls
in the high, medium, or low-risk category. Sometimes even systems from specific vendors are mentioned. This is the wrong question.
The risk is not dependent mainly on the system but more on the records created, evaluated, transmitted, or archived by the
A Laboratory Information Management System (LIMS) in a non-regulated research department is not a high-risk system, at least
not from a compliance view. On the other hand, a LIMS in a pharmaceutical quality control laboratory is most likely a high-risk
system because the records have a high impact on product quality.
Both the International Society for Pharmaceutical Engineering (ISPE) and the Pharmaceutical Research and Manufacturing Association
(PhRMA) have given examples for what may qualify as high-risk. The PhRMA wrote a letter to the FDA on Nov. 29, 2001 related
to the "Proposed FDA Guidance on the Scope and Implementation of 21 Code of Federal Regulations (CFR) Part 11." The letter included a ranking of five systems by their risk to product quality. Those with the highest
risk were manufacturing batch records and manufacturing LIMS and Quality Assurance (QA) systems (13).
The ISPE wrote a white paper on the "Risk-Based Approach to 21 CFR Part 11" with the recommendation that the focus of efforts
should be on records that have a high impact, i.e., those records upon which quality decisions are based. Examples of high
impact records include batch records and laboratory test results (14).
Examples of records with low impact include environmental monitoring records not affecting product quality, training records,
and internal computerized system information such as setup and configuration parameters. Other examples are planning documents
and Standard Operating Procedures (SOPs) for non-critical operations.
GAMP has published a Good Practices Guide: A Risk Based Approach to Compliant Electronic Records (16). This document illustrates examples of records that have high, medium, and low impact on risk.
In general, systems fall into the high-risk category when they have a direct impact on product quality and patient safety.
Examples are systems used in pharmaceutical manufacturing and quality control, such as electronic batch record systems and analytical
control systems, as well as document management systems and databases with high-risk records. For example, wrong analytical test
results that are used as a criterion to release a batch are highly critical, because there is no further testing and the product
is released to the market immediately. An example of a system with high impact on patient safety is a distribution record
system. If a product must be recalled because adverse effects on patients have been identified and some of the distribution
records are lost, incorrect, etc., the product cannot be completely removed from the market, thereby having a high impact on patients.
Examples of systems in the medium-risk category include systems that are used to qualify and monitor the systems defined as
high-risk. These would also include configuration management software.