Supplier qualification

Supplier qualification is the documented decision — by Quality, on behalf of the company — that a supplier of a starting material, intermediate, primary packaging, secondary packaging, equipment, or GxP service is technically and quality-systemically capable of consistently meeting the company's specifications, and may be added to the Approved Supplier List. It is required by EU GMP Chapter 5, ICH Q7 §7, FDA's expectations under 21 CFR 211.84 and 820.50, ISO 13485 §7.4, 21 CFR 111.75 for dietary supplements, and Article 46(f) of Directive 2001/83/EC for finished pharmaceutical manufacturers.

ICH Q9(R1) Quality Risk Management drives the proportionality. Suppliers are tiered by the impact their material or service could have on product quality, patient safety and regulatory compliance:

Mis-tiering — particularly under-tiering a Major as Minor — is the single most common Form-483 supplier-management finding.

1. Request raised by procurement / development; QA confirms the tier and the qualification plan.
2. Risk assessment — supplier history, country, regulatory inspection record (FDA 483s, EU GMP non-compliance, MHRA reports), prior relationship.
3. Technical questionnaire — manufacturing process, change-control practices, complaint handling, sub-supplier management, regulatory registrations.
4. Quality questionnaire — quality system maturity (ISO 9001 / ICH Q10 / ISO 13485 / 21 CFR Parts), most recent regulatory inspection outcomes, audit and CAPA practices, data-integrity programme.
5. On-site audit (or qualified remote / virtual audit for lower-tier or COVID-context cases) — performed by qualified auditor, against an agreed scope, with a written report and a CAPA tracker.
6. Three qualifying lots — received, tested against the agreed specification, including identity, purity, key impurities and physical attributes; lot-to-lot consistency assessed.
7. Quality Agreement — written, signed by both parties, covering scope, responsibilities, change notification, complaint handling, regulatory liaison, audit rights, retention. EU GMP Chapter 7 makes this mandatory for outsourced GMP activities.
8. Approved Supplier List entry — Quality signs the qualification decision; supplier appears on the ASL with the qualified material, the spec, the qualified manufacturing site, and the qualification expiry / next-audit date.

The on-site audit is typically 1-3 days, covering: facility (production areas, warehouse, QC labs, utilities), quality system (document control, training, CAPA, change control, deviation, complaints), production (process flow, IPC, recipe control, equipment qualification), QC (method validation, OOS handling, stability if applicable), and traceability (lot genealogy from raw to finished). The auditor leaves with a written list of observations; the supplier responds with a CAPA plan; the auditor verifies closure before issuing the final report. EU GMP Annex 16 expects QPs to know the supplier audit is current; FDA expects equivalent due diligence.

Remote / virtual audits — accepted by most regulators since 2020 — are still typically followed by an on-site audit on the next qualified cycle, unless the supplier's risk profile justifies remote-only (e.g. low-risk excipient supplier already audited multiple times).

EU GMP Chapter 7 §7.10-7.18 (and ICH Q7 §17, and FDA's 2016 Quality Agreement guidance) make the written Quality Agreement mandatory for outsourced GMP activities — contract manufacturing, contract testing, contract sterilisation, packaging, distribution. The agreement is distinct from the commercial supply agreement: it cannot be conflated with it, and it must clearly assign every quality responsibility — change notification with minimum lead time, complaint handling, deviation reporting, regulatory inspection rights, sub-contracting controls, audit rights with reasonable notice, retention of records. A missing or weakly-drafted Quality Agreement is a top Form-483 contractor-related observation.

• Performance scorecard — OTIF (on-time-in-full), CoA-vs-actual delta, complaint rate, deviation rate. Trends below threshold trigger CAPA at the supplier (open a non-conformance with the supplier as part of the company's CAPA system).
• Periodic re-audit — typically every 3 years for Critical, every 5 for Major; risk-based extension possible with strong scorecard evidence.
• Supplier change notification — every change at the supplier (process, equipment, site, sub-supplier) must be notified per the Quality Agreement; the company assesses impact, opens change control if needed, and approves before the change ships.
• Disqualification — sustained poor performance, regulatory action against the supplier, or material change that exceeds the qualified envelope triggers disqualification; alternate suppliers must be in place for single-source critical materials.

1. Supplier on the ASL with no qualification evidence on file (especially after acquisitions).
2. Quality Agreement not in place for a contract manufacturer.
3. Audit overdue — re-qualification programme not driven by a calendar.
4. Supplier change made without notification; manufacturer found out at receipt of an off-spec lot.
5. Risk tier set as 'Minor' for an active ingredient or sterile component.
6. On-site audit report not closed (open observations from 2 years ago).
7. Sub-supplier chain not mapped — e.g. the API supplier's own starting-material supplier is unknown.
8. Quality Agreement and commercial supply agreement conflated, signed once 5 years ago, never revisited.

• Supplier master holds every supplier, the qualified material(s), the qualified site(s), the risk tier, the qualification status, the Quality Agreement reference, the last audit date, the next audit due, and the named contact at the supplier.
• Qualification workflow walks through the documented steps — risk assessment, questionnaires (templated by tier), audit planning + report capture, qualifying-lot test results, Quality Agreement upload, QA sign-off via two-person e-signature.
• Approved Supplier List is the queryable single source of truth — purchase orders for a material must be against a qualified supplier for the qualified site; off-list ordering is hard-blocked unless an emergency override is invoked with a Major deviation.
• Performance scorecard auto-computes OTIF, CoA-vs-actual, complaint rate, deviation rate per supplier per material; trends below threshold open a CAPA with the supplier as the subject and notify procurement.
• Change-notification workflow: the supplier portal (where used) lets the supplier file change notifications directly; impact assessment is routed to the right SME and to QA; an approved change updates the supplier master and any open POs reflect the new envelope.
• Re-audit calendar: every Critical / Major supplier has a calendared next-audit date driven by the qualification cycle; the audit programme cannot fall behind silently.