Supplier Qualification – Approval & Monitoring

Q: Is supplier approval different from qualification?

Qualification is the evidence-gathering process; approval is the decision to list the supplier/site/material on the ASL with defined scope and conditions of use.

Q: How often should suppliers be re-qualified?

Re-qualification is risk-based. Critical suppliers are typically reviewed every 1–2 years or for cause; lower-risk suppliers may be on a longer cadence with remote surveillance in between.

Q: What if the supplier changes site or process?

Require a formal Notification of Change, evaluate under Management of Change, and perform FAI or re-validation as needed before resuming normal supply.

Q: Do distributors and brokers need full qualification?

Yes. Qualify them, verify their sources, and require identity controls and GDP compliance. Treat unannounced source changes as major deviations.

This topic is part of the SG Systems Global regulatory & operations glossary.

Updated October 2025 • Vendor Onboarding, Risk Classification & Surveillance • Procurement, QA, Regulatory

Supplier Qualification is the risk‑based process that evaluates, approves, and continually monitors external providers of materials, components, services, and contract manufacturing. It converts a prospective vendor into a controlled extension of the quality system by verifying capability, reliability, and regulatory alignment before any material flows into production. Qualification connects commercial sourcing to regulated expectations under QMSR, ISO 13485, GMP, and (for food) GFSI/GDP, and it is executed with attributable records, audit trails, and validated systems aligned to Part 11/Annex 11. Approved suppliers are listed on the ASL (Approved Supplier List) with defined scope, sites, and conditions of use; incoming lots remain under Quarantine until checks and QA Disposition confirm fitness‑for‑use.

“You don’t just buy material—you buy a piece of someone else’s process. Qualification proves that process is reliable, compliant, and in control.”

TL;DR: Supplier Qualification is a structured, risk‑based approval and monitoring program: pre‑screen → audit & document review → Quality Agreement → pilot/FAI → ASL approval → ongoing surveillance (KPIs, audits, SCAR). It integrates Goods Receipt, Incoming Inspection with justified sampling plans, CoA verification, and system controls that prevent use of unapproved or suspect sources.

1) What Supplier Qualification Covers—and What It Does Not

Covers: risk classification by material and use, desktop assessments and on‑site/remote audits, verification of certifications and process controls, definition of specifications and Quality Agreements, pilot lots or FAI to prove capability, and integration of receiving, inspection, and disposition plans with clear re‑qualification cadence and monitoring.

Does not cover: price‑only sourcing, blanket approvals without scope, or substituting supplier documents for your own risk‑appropriate testing and validation. A supplier is not “qualified” because they are famous or convenient—only evidence makes it so.

2) Legal, System, and Data Integrity Anchors

Purchased product controls are codified in QMSR (aligning U.S. device rules with ISO 13485), ISO 13485, and GMP. Distribution and food safety add GDP and GFSI scheme expectations. Electronic records for audits, approvals, and inspections must be validated (CSV), attributable, and protected by audit trails and e‑signatures, consistent with ALCOA(+) data integrity principles.

3) The Evidence Pack for a Qualification Dossier

An audit‑ready dossier links risk, scope, and evidence. It maps proposed materials to finished‑product risk, includes questionnaires and audit reports with resolved findings, current certifications, controlled specifications, and a signed Quality Agreement that defines responsibilities (deviations, CAPA, complaints, stability, NOC). It stores receiving/inspection plans, CoA verification procedures, pilot/FAI results, method equivalency and any MSA, and establishes baseline KPIs for ongoing monitoring.

4) From Pre‑Qualification to ASL—A Standard Path

1) Pre‑screen. Define need, map risk, and set approval criteria and testing stringency.
2) Desktop review. Evaluate questionnaires, certifications, and history; schedule audit if risk warrants.
3) Audit. Perform remote or on‑site audit; log findings and agree corrective actions.
4) Contract & control. Lock specifications and responsibilities in a signed Quality Agreement.
5) Prove capability. Run pilot/FAI lots; execute receipt testing and method checks; disposition via QA Disposition.
6) Approve. Add supplier/site/material to the ASL with inspection plans and re‑qualification cadence.
7) Monitor. Trend KPIs and quality signals; re‑audit per schedule or for cause; escalate to SCAR when systemic issues arise.

Material stays blocked in Quarantine until each gate is passed. Any failure triggers containment and remediation through MRB and CAPA.

5) Nonconformances During Onboarding

Discovery of identity issues, spec failures, or documentation gaps must be recorded as NCR/NCMR, with lots contained in the WMS. Supplier‑caused issues escalate to SCAR requiring root cause and effectiveness evidence. Conditional approvals may be granted with tightened inspection and probation; repeat signals revoke privileges such as Dock‑to‑Stock.

6) Scope, Sites & Sub‑Suppliers

Approvals are specific: to material, grade, site, and sometimes process. A site move, subcontracting, or formulation change is not covered without formal NOC and evaluation under MOC. Distributors and brokers are qualified, too; confirm upstream sources and require identity controls and GDP compliance.

7) Data Integrity—Proving the Proof

Supplier files, audit notes, approvals, and inspection records must be attributable and immutable, with audit trails and e‑signatures. Validated interfaces (CSV) should carry item/lot identities across ERP, LIMS, WMS, and QMS so the same lot is inspected, dispositioned, and—if necessary—traced back via Lot Traceability. At receipt, ASNs and SSCC labels anchor identity before sampling begins.

8) Sampling & Methods at Onboarding

Initial lots should face right‑sized scrutiny: justified sampling plans (often with stricter AQL), identity tests, and method verification in LIMS. Analytical work (e.g., HPLC) should include system suitability and second‑person review documented in the ELN. As performance proves out, sampling can be optimized under documented rationale—never silently reduced.

9) Warehousing Controls & Release

Until qualified and released, stock is not usable. The WMS should default to Quarantine, enforce sampling holds, and require QA Disposition before allocation. Label checks, temperature records, and FEFO (First‑Expire‑First‑Out) protect quality between receipt and use. Dock‑to‑stock is an earned privilege with automatic revocation when KPIs degrade.

10) Identity, Origin & Compliance

Retain provenance and compliance documents with the qualification file: Country of Origin/COI, declarations (halal, kosher), and—where applicable—FSMA 204 Key Data Elements and allergen controls. Device suppliers must align UDI data with labels and master data; pharma suppliers should align labeling with barcode verification and traceability needs.

11) Managing Supplier Changes

Process tweaks at a supplier can shift risk without warning. Mandate formal NOC for site, process, material, equipment, or test changes. Evaluate under MOC, update documents and inspection plans, and—if warranted—run FAI or re‑validation before restoring normal supply. Unannounced changes are treated as major deviations with potential ASL suspension.

12) Validation & Special Processes

Where the supplier runs special processes (e.g., sterilization, coating), review validation reports, capability data, and MSA. Link their PFMEAs to your Control Plans so prevention and detection live where the risk truly resides—often at the supplier site. For CMOs/CPOs, confirm process validation status and tech transfer documents before approval.

13) Metrics That Demonstrate Control

ASL Coverage: percent of spend under qualified suppliers/sites with defined scope.
Pilot/FAI Right‑First‑Time: acceptance rate of onboarding lots without rework.
Audit Closure Time: median days to close findings to effectiveness.
SCAR Recurrence: repeat rate of root causes within 6–12 months.
Dock‑to‑Stock Share: spend under privilege and auto‑revocations triggered.
Unannounced Changes: incidents per 12 months; zero is the goal.
CoA vs. Lab Delta: frequency/magnitude of discrepancies at receipt.

These KPIs make the health of qualification visible and drive decisions on privileges, re‑audits, and sourcing risk.

14) Common Pitfalls & How to Avoid Them

“Famous brand” approvals. Evidence beats reputation—always audit to scope.
Scope creep. Tie approval to material/site; require NOC for any change.
CoA‑only reliance. Keep identity testing and critical attributes in your plan.
Disconnected systems. Validate integrations so lot identity and status match across ERP/LIMS/WMS/QMS.
Stale re‑qualification. Maintain cadence; use risk and performance to set frequency.
Poor containment. Enforce Quarantine and MRB; never “use under evaluation.”

15) What Goes in the Approval Record & ASL

Record the supplier name and site, approved materials/grades, risk class, linked specifications, inspection/testing plans, and re‑qualification cadence. Attach audit reports, certifications, and the signed Quality Agreement with NOC terms. Include KPI thresholds, NCR/NCMR/SCAR history, and any privileges (e.g., Dock‑to‑Stock) with auto‑revoke criteria. Keep all records version‑controlled under Document Control.

16) How This Fits with V5 by SG Systems Global

V5 Supplier Onboarding. The V5 platform provides a guided onboarding workflow: configurable questionnaires, desktop review checklists, risk scoring, and audit templates that issue findings and track closures to effectiveness with audit trails and e‑signatures. Approvals create ASL entries bound to specific materials and sites—no scope, no purchase.

V5 Agreements, Change & Controls. Agreements and specifications live under centralized Document Control. MOC workflows govern supplier NOC, automatically routing impact assessments to sampling plans, labels, and shop‑floor instructions, and placing holds until risks are mitigated.

V5 Receiving, LIMS & WMS Integration. Purchase Orders from ERP are checked against the ASL; if the supplier/material/site is not approved, the system blocks the order or routes for exception. At Goods Receipt, V5 verifies ASNs and SSCC labels, applies Quarantine, and generates sampling jobs to the lab. Results return from LIMS to update QA Disposition—no spreadsheets, no retyping.

V5 Quality Signals & SCAR. Nonconformances at receipt create supplier‑linked records, and repeated causes trigger automated SCAR workflows with effectiveness checks. Live dashboards trend OTIF, DPM, audit status, and change‑notice compliance against thresholds to grant or revoke privileges like Dock‑to‑Stock.

V5 Traceability & Recall Readiness. When approved material flows into production, V5 binds supplier lot IDs into end‑to‑end genealogy so any field issue can be traced to supplier shipments within seconds, accelerating containment and recall readiness. Bottom line: V5 makes qualification enforceable at the moment of purchase, receipt, and use—closing the loop from approval to monitoring.

17) FAQ

Q1. Is supplier “approval” different from “qualification”?
Qualification is the evidence‑gathering process; approval is the decision to place the supplier/site/material on the ASL with defined scope and conditions of use.

Q2. How often should suppliers be re‑qualified?
Risk‑based. High‑risk or critical suppliers typically every 1–2 years or for cause; lower risk on a longer cadence with remote surveillance in between.

Q3. Can strong CoA history replace identity testing?
No. Identity testing and critical attributes require periodic independent verification. CoA history can justify risk‑based reductions for non‑critical tests.

Q4. What if the supplier changes site or process?
Require NOC, evaluate under MOC, and perform FAI/re‑validation as needed before resuming normal supply.

Q5. When is Dock‑to‑Stock appropriate?
Only after sustained performance against KPIs, stable change control, and clean audits. It is conditional and revocable upon adverse trends.

Q6. Do distributors and brokers need full qualification?
Yes—qualify them, verify their sources, and require identity controls and GDP compliance. Treat unannounced source changes as major deviations.