Supplier Quality Management (SQM)
This topic is part of the SG Systems Global regulatory & operations glossary.
Updated October 2025 • Supplier Qualification, Monitoring & Corrective Action • Procurement, QA, Regulatory
Supplier Quality Management (SQM) is the framework that selects, qualifies, monitors, and continually improves external partners who provide materials, components, services, and contract manufacturing. Effective SQM connects commercial sourcing with regulated quality expectations (GMP, QMSR, ISO 13485), ensuring that what arrives at Goods Receipt is identity‑true, conforming, and traceable, and that issues are contained and corrected through SCAR. SQM is inseparable from Quality Agreements, Incoming Inspection, CoA verification, and Lot Traceability—and it must be executed with proven data integrity and system validation.
“SQM turns suppliers into controlled process steps in your own quality system—measured, auditable, and continuously improved.”
1) What SQM Covers—and What It Does Not
Covers: SQM spans supplier onboarding and risk classification, on‑site or remote audits and questionnaires, execution of Quality Agreements, receipt controls at Goods Receipt, Incoming Inspection with AQL or tightened sampling, verification of CoAs against specifications, Notification of Change handling, deviation/NC escalation, MRB disposition, and SCAR follow‑through. It also includes continuous performance monitoring (e.g., OTIF, RFT) and periodic re‑qualification.
Does not cover: SQM does not substitute for your own process validation, content testing where risk demands it, or proper Document Control. It cannot compensate for suppliers selected purely on price, nor can it be performed by procurement alone without QA authority. SQM also isn’t a one‑time file build; it is a living control loop.
2) Legal, System, and Data Integrity Anchors
Purchased material controls are core expectations under QMSR (modernized U.S. device regulation aligning with ISO 13485), ISO 13485 clause 7.4, and pharmaceutical GMP. Food and beverage programs often align to GFSI schemes and distribution under GDP. Electronic SQM records must meet Part 11/Annex 11 expectations, with validated software (CSV) and immutable audit trails so that approval decisions are attributable and reconstructable. ALCOA(+) data integrity principles apply to supplier files, CoA verifications, and inspection results.
3) The Evidence Pack for a Supplier File
An audit‑ready supplier file links qualification rationale to ongoing performance. It includes risk classification and material mapping, questionnaires and audit reports, approved specifications and a controlled Quality Agreement, sampling/inspection plans, CoA verification records, change notifications with MOC impact assessments, NCR/NCMR histories, SCAR responses and effectiveness checks, and a scorecard of KPIs (e.g., OTIF, defects per million, right‑first‑time). If the supplier performs special processes or contract manufacturing, include validation and FAI evidence and any relevant PFMEA/Control Plans.
4) From Sourcing to Steady State—A Standard Path
1) Define need and risk. Link material to product risk and regulatory pathway; set approval criteria and inspection stringency.
2) Qualify. Collect questionnaires, perform audits (remote/on‑site), verify certifications, and lock expectations in a signed Quality Agreement.
3) Approve. Add to the Approved Supplier List (ASL) with scope; configure receiving/inspection plans in systems.
4) Control receipt. At Goods Receipt, verify identity, condition, and documentation; move to Quarantine pending checks.
5) Inspect & release. Execute Incoming Inspection per plan (sampling statistics); reconcile CoA; disposition via QA Disposition.
6) Monitor & improve. Trend complaints, NCRs/NCMRs, and SCAR; recalibrate risk and inspection stringency; re‑audit on schedule or for cause.
If any step fails—e.g., a missing change notice for a material reformulation or repeated OOS results at receipt—material remains on hold while MRB and CAPA restore control.
5) Handling Nonconformances & SCARs
When purchased product fails identity or specification, document an NCR/NCMR, contain affected lots in the WMS, and convene MRB to determine fate (rework, return, replace, or scrap). For supplier‑caused issues, issue a SCAR that demands root cause, corrective action, and effectiveness evidence. Persistent or severe issues trigger escalations—heightened inspection, probation, or removal from the ASL—under MOC to protect downstream batches.
6) Contract Manufacturing & Services
When suppliers perform manufacturing, testing, or logistics, the oversight bar rises. The Quality Agreement must allocate responsibilities for validation, deviation/CAPA, complaint handling, stability/retention samples, and NOC lead times. Shipped goods should arrive with verifiable identity—e.g., ASNs and SSCC labels tied to contents—and must remain under GDP control. If the supplier is a CMO/CPO, include process transfer documentation, validation status, and joint audit commitments.
7) Data Integrity—Proving the Proof
Approval decisions must be backed by trustworthy records. Supplier audits, CoA checks, and inspection data require attributable users, time‑synced timestamps, and audit trails. E‑signatures for approvals, SCAR closures, and inspection results must meet Part 11. Interfaces that move POs, ASNs, and test results between ERP, LIMS, WMS, and QMS should be validated under CSV so the same lot identity flows without transcription error.
8) Sampling, Methods & Laboratory Controls
Receipt testing should be risk‑based, not reflexively minimal or maximal. Use justified sampling plans (including AQL) and validated methods, executed in LIMS with second‑person verification where required. Identity testing is critical for high‑risk inputs; chromatography (e.g., HPLC) or spectroscopic methods should include system suitability checks, and ELN notes should capture rationale for any reduced testing strategy. When supplier reliability proves out, inspection may be tightened or reduced under documented rationale—never removed silently.
9) Warehousing Status, Holds & Dock‑to‑Stock
Material is not available for use until released. The WMS should default receipts to Quarantine, enforce sampling holds, and release stock only after QA disposition. “Dock‑to‑stock” privileges are earned via proven performance and maintained through continuous monitoring; any negative trend automatically revokes the privilege. FEFO, label verification, and temperature controls help preserve quality between receipt and use.
10) Identity, Origin & Regulatory Documentation
Identity and provenance matter. Retain and reconcile Country of Origin/Issuance documents, certificates (e.g., halal, kosher), and any regulated trade paperwork alongside CoAs. Where applicable (food), track FSMA 204 Key Data Elements and allergen declarations (Allergen Control) as part of the supplier record. For devices, ensure UDI data align with labels and master data.
11) Managing Supplier Changes
Process tweaks at your supplier can silently shift your risk. Require formal NOC for changes in site, process, formulation, equipment, or test methods. Evaluate under MOC, update documents and inspection plans, and—where warranted—perform FAI or re‑validation before resuming normal supply. Quality Agreements should define notice periods and evidence requirements up front.
12) Validation & Special Processes
Supplied special processes (e.g., sterilization, coating) require validation evidence and ongoing capability monitoring. Ask for process validation reports, MSA for supplier gauges, and statistical control data where critical. Link supplier PFMEAs to your Control Plans so detection and prevention live where the risk is actually controlled—often at the supplier site.
13) Metrics That Demonstrate Control
- OTIF & RFT: on‑time‑in‑full and right‑first‑time delivery rates by supplier/material.
- Defects per Million (DPM): normalized nonconformance rate at receipt and in process.
- SCAR Effectiveness: closure on time, recurrence rate within 6–12 months.
- Audit Findings: number and severity, with closure lead time.
- Dock‑to‑Stock Eligibility: percent of spend on privileged suppliers, with auto‑revocations.
- Change Notice Compliance: NOC lead time vs. agreement; unannounced change incidents.
These KPIs make SQM visible, letting you reward strong partners and intervene early when signals drift.
14) Common Pitfalls & How to Avoid Them
- File‑only approvals. Replace paper qualification with evidence (audits, capability data, pilot lots).
- CoA as a substitute for identity. Verify identity independently at justified frequency; never rely on CoA alone for high‑risk attributes.
- Unmanaged supplier changes. Enforce NOC with contractual notice; treat unannounced changes as major deviations.
- Privilege without performance. Make dock‑to‑stock conditional and revocable, driven by KPIs.
- Disconnected systems. Validate integrations so lot IDs, inspection status, and holds match across ERP, LIMS, WMS, and QMS.
- Allergen/traceability gaps. In food, require KDE capture and allergen segregation evidence from the source.
15) What Goes in the Supplier Record
Identify the supplier, scope, risk class, and approved materials; attach signed Quality Agreement, audit reports, certifications, and contacts. Include specifications, sampling/inspection plans, CoA verification expectations, NOC terms, and logistics requirements (e.g., ASN/SSCC). Track NCR/NCMR history, SCARs with effectiveness checks, KPIs with thresholds, and re‑qualification cadence. Records should be immutable, attributable, and version‑controlled under Document Control.
16) How This Fits with V5 by SG Systems Global
V5 Supplier Hub & Onboarding. The V5 platform centralizes supplier onboarding with configurable questionnaires, audit templates, risk scoring, and an Approved Supplier List that ties directly to purchasable items. Agreements, specs, and SOPs live under Document Control with audit trails and e‑signatures.
V5 QMS: Deviations, SCAR & Change. Within the V5 QMS, receipt nonconformances trigger supplier‑linked records, SCAR workflows, and effectiveness checks. MOC handles NOC with impact routing to specs, sampling plans, and shop‑floor instructions.
V5 Receiving, LIMS & WMS. The V5 WMS enforces Quarantine on receipt, verifies identity against ASNs and SSCC, and blocks allocation until QA disposition. Sampling instructions flow to lab with labels and chain‑of‑custody; results return from LIMS automatically, updating status without spreadsheets.
V5 MES & Traceability. When approved materials enter production, V5 MES captures point‑of‑use scans and binds supplier lot IDs into end‑to‑end genealogy. Any later defect can be traced back to supplier, shipment, and inspection record in seconds, powering rapid containment and recall readiness.
V5 Analytics & Scorecards. Live dashboards aggregate OTIF, DPM, SCAR timeliness, NOC compliance, and audit scores into supplier scorecards. Thresholds drive privileges such as dock‑to‑stock, and adverse trends auto‑tighten inspection plans—closing the loop between performance and control.
Bottom line: V5 turns SQM from a static binder into a closed‑loop control system that connects onboarding decisions to day‑to‑day receiving, testing, production use, and continuous improvement.
17) FAQ
Q1. Can a strong CoA history eliminate testing?
Not entirely. For low‑risk attributes a justified reduction is possible, but identity testing and critical attributes require periodic independent verification.
Q2. How often should we audit suppliers?
Risk‑based. High‑risk or critical suppliers: every 1–2 years or for cause; others on a longer cycle with remote surveillance between visits.
Q3. When do we issue a SCAR vs. an NCR only?
Use an NCR/NCMR to disposition a specific lot. Issue a SCAR when the cause is supplier‑systemic, repeated, or high impact—requiring corrective action at the source.
Q4. What triggers loss of dock‑to‑stock?
KPI breaches (e.g., rising DPM, missed OTIF), unannounced changes, or audit findings. The privilege returns only after sustained performance recovery.
Q5. How do we manage a supplier site move?
Treat as a formal change: require NOC, assess risk under MOC, review validation, perform FAI or pilot lots, and re‑approve before normal shipment.
Q6. Do distributors need the same controls as manufacturers?
Yes. Distributors and brokers must meet identity, storage, GDP, and traceability expectations; qualify them and verify their sources.