Vendor Qualification (VQ) – Source Approval
This topic is part of the SG Systems Global regulatory & operations glossary.
Updated October 2025 • Supplier Approval & Oversight • QA, Procurement, Manufacturing
Vendor Qualification (VQ) is the structured evaluation and approval of external sources—raw‑material and packaging suppliers, contract manufacturers, testing labs, and logistics providers—before they can supply production. VQ verifies capability, compliance, and risk controls under an organization’s Supplier Quality Management (SQM) system, and connects contractual expectations (Quality Agreement) to receiving controls (Incoming Inspection, Component Release) and ongoing performance monitoring.
“Approve the source, then trust—but verify—every shipment.”
1) What VQ Covers—and What It Does Not
Covers: approval of material/component suppliers, contract manufacturers, contract labs, and critical logistics partners. It encompasses competency, capacity, compliance (e.g., GMP/GDP/ISO 13485 contexts), data integrity, and change control.
Does not cover: release of individual shipments (that’s Component Release and Incoming Inspection). Nor does VQ replace ongoing oversight in SQM or contractual controls in the Quality Agreement.
2) Legal, System & Data Integrity Anchors
VQ operates within the QMS and applicable regulations: 21 CFR Part 211 (pharma), Part 820 / QMSR (devices), Part 117 (food), ICH Q7 / Q10. Records live under Document Control with attributable users and robust Data Integrity. Purchasing is gated so POs can only be raised to qualified sources.
3) The Vendor Qualification Evidence Pack
Typical evidence includes: vendor questionnaires, scope of supply, process maps and controls, certifications (GMP/GDP, ISO), regulatory inspection history, key contacts and escalation, Quality Agreement, sample CoAs, method details and change controls, trial‑lot results and incoming tests, audit reports and CAPA, and logistics/serialization capabilities where relevant (EPCIS, GTIN, SSCC).
4) From Request to Approval—A Standard Path
1) Intake & triage. Procurement/QA raises a new‑vendor request with business case and commodity risk.
2) Risk classification. Categorize by material criticality and service impact; define oversight depth.
3) Due diligence. Document review, remote assessment, and—if risk warrants—on‑site audit with CAPA.
4) Contracting. Execute the Quality Agreement and define Notification of Change (NOC) and Management of Change (MOC) pathways.
5) Trial lot & receiving plan. Prove capability via pilot shipments and aligned incoming testing.
6) Approval to AVL. Add the vendor to the Approved Vendor List (AVL) with scope, sites, items, and expiry/re‑qual cadence; monitor performance.
5) Risk‑Based Segmentation & Oversight
Segment vendors (e.g., Critical/High/Medium/Low) using criteria such as patient/consumer risk, novelty/complexity, sterilization or special controls, sole‑source exposure, change frequency, and country/route risk. Oversight scales accordingly—from desk reviews to full on‑site audits, tighter sampling, and more frequent re‑qualification.
6) Quality Agreements—Scope & Triggers
Quality Agreements clarify responsibilities for specifications, change notification (NOC), testing/CoA content, deviations/complaints, record retention, audit rights, and recall cooperation. They should reference your sampling/acceptance plans, labeling/traceability expectations, and data‑sharing formats (e.g., EDI, ASN).
7) Audits & Third‑Party Certifications
Use risk‑proportionate audits to verify systems, data integrity, calibration/maintenance, training, and change control. Recognize credible third‑party certificates as inputs—not substitutes—for your own evaluation. Track findings to closure via CAPA and, if needed, provisional approval with enhanced monitoring.
8) Aligning VQ with Receiving & Testing
VQ outcomes must drive sampling and release logic: critical vendors/components may require 100% identity or tight AQL, while proven performance can justify skip‑lot or reduced testing. Always reconcile supplier CoA with your Component Release rules and Incoming Inspection plans.
9) Master Data, Identity & Traceability
Maintain clean vendor/site/item master data (legal names, addresses, site codes) and enforce identity from source to receipt with PO line controls, barcode standards, and, if applicable, serialized logistics (EPCIS/SSCC) to support end‑to‑end genealogy.
10) Performance Monitoring & Scorecards
Track on‑time delivery (OTD), defect/NCR rate, responsiveness, right‑first‑time documentation (accurate CoA/label), SCAR count and closure days, and cost/lead‑time adherence. Use trends to adjust sampling, trigger audits, or escalate to MRB/sourcing actions for persistent risk.
11) Deviations, Complaints & SCAR
Inbound nonconformances create NCR/NCMR and supplier SCAR. Tie SCAR effectiveness to future approval status; unresolved or systemic issues may require suspension or removal from AVL, with contingency sourcing activated.
12) Metrics That Demonstrate Control
- Time to Qualification: median days from intake to AVL approval.
- Audit Closure Cycle: days to close audit findings/CAPAs.
- Defect Rate / PPM: inbound NCRs per million received.
- OTD: on‑time deliveries versus PO promise.
- SCAR Effectiveness: % closed on time without recurrence.
- Re‑qual Compliance: % vendors re‑qualified per policy cadence.
These KPIs show whether sources are capable, controlled, and improving over time.
13) Common Pitfalls & How to Avoid Them
- Paper approvals without trials. Require pilot lots and receiving plan alignment.
- Sole‑source risk unmanaged. Document contingency plans and dual‑source critical items.
- Static questionnaires. Refresh evidence at re‑qual; verify changes via NOC.
- AVL not enforced. Gate PO creation and Goods Receipt to approved vendors/sites only.
- Weak data integrity. Store vendor docs and audits under governed Document Control.
- One‑size oversight. Calibrate audits and sampling to risk and performance.
14) What Belongs in the VQ Record
Vendor and site identities; scope of approval (items, specs, services); risk classification and rationale; audit reports and CAPA; executed Quality Agreement; trial‑lot outcomes and receiving plan; performance baselines/targets; NOC/MOC pathways; approval signatures, dates, and re‑qualification due dates—all retained with searchable audit trails.
15) Changes, Re‑Qualification & Lifecycle
Define when supplier changes require notification (people, process, materials, site, equipment, methods). Evaluate NOCs, decide on impact, and trigger MOC and re‑qualification as needed. Use suspension/delist procedures for unacceptable risk, and maintain business continuity plans for critical items.
16) How This Fits with V5 by SG Systems Global
Guided onboarding & risk scoring. The V5 platform orchestrates questionnaires, document collection, and site details; it calculates risk tiers that drive required audits, trial lots, and re‑qual cadence.
Audit & agreement control. V5 manages audit checklists, findings, and CAPA to closure, and routes the Quality Agreement through governed approvals with version control.
AVL‑gated purchasing. Integration with POs ensures only approved vendors/sites/items can be ordered; Goods Receipt and Incoming Inspection plans apply automatically at receipt.
Digital traceability. V5 reconciles supplier CoA/ASN/labels (EDI, ASN) and, where used, serialized logistics (EPCIS/SSCC) to maintain end‑to‑end genealogy.
Supplier performance & SCARs. Live scorecards trend OTD, defect/NCR, and SCAR effectiveness; thresholds trigger audits, sampling changes, or AVL suspension. NOC workflows integrate with MOC for controlled adoption.
Bottom line: V5 turns VQ into a closed‑loop, AVL‑gated process—from onboarding and audits to receiving and performance—so only capable, compliant sources feed your operations.
17) FAQ
Q1. What documents are required to approve a vendor?
Typically: completed questionnaire, certifications, audit report/CAPA (if applicable), Quality Agreement, trial‑lot results, agreed sampling/receiving plan, and master data (legal/site details).
Q2. How often should vendors be re‑qualified?
Based on risk and performance (e.g., annually for critical, 2–3 years for lower risk) or sooner upon significant change via NOC.
Q3. Is vendor qualification the same as supplier qualification?
Terms are often used interchangeably. This glossary distinguishes VQ as the approval event and Supplier Qualification as the broader lifecycle (approval and monitoring).
Q4. Can we rely solely on supplier CoAs?
Not at first. Establish trust with qualifying tests and trend performance; reduced testing/skip‑lot can follow demonstrated capability and stable history.
Q5. What triggers a suspension or delist?
Major audit failures, repeated SCAR recurrences, critical NOC without advance approval, data integrity concerns, or significant performance degradation.
Q6. How does VQ support recalls?
Clean AVL scope, site codes, CoA/ASN reconciliation, and genealogy allow rapid upstream trace to affected vendors, lots, and shipments.