The Supplier Qualification Process, Step by Step
A practical, step-by-step guide to the supplier qualification process under EU GMP, GDP and ICH Q9, from risk classification to audits and re-qualification.
By B. Subramanian · 9 June 2026 · Updated 28 June 2026

The supplier qualification process is the structured, risk-based discipline by which a regulated company decides whether a supplier or service provider is fit to sit inside its quality system. Done well, it protects patients, satisfies inspectors and removes friction from your supply chain; done poorly, it becomes a paperwork ritual that fails at the first audit finding. This guide walks through each stage as it should run under EU GMP, MHRA expectations and ICH Q9 thinking.

Why supplier qualification matters under EU GMP and GDP
Regulators are unambiguous: you remain responsible for the quality of materials and services you outsource. EU GMP Chapter 5 and Chapter 7 place the onus on the manufacturing authorisation holder to assess and approve suppliers of starting materials, primary packaging and outsourced activities, while EU GDP guidelines extend the same logic to the procurement and distribution of finished medicines. The 21 CFR 210/211 framework takes a comparable position for the US market.
In practice this means a supplier is never simply "approved" once and forgotten. Qualification is a lifecycle: you justify the initial decision, document it, and then keep it current through performance monitoring and periodic review. ICH Q10 frames this as part of the pharmaceutical quality system, and ICH Q9 supplies the risk language that should drive how much scrutiny each supplier receives.
Step 1: Define the need and classify the supplier by risk
Begin before you ever contact a vendor. Specify exactly what you are buying, the quality attributes that matter and the regulatory status of the material or service. A sterile-filling subcontractor, an active substance manufacturer and a stationery supplier sit at entirely different risk tiers, and your effort should follow the risk.
Use a documented risk assessment, consistent with ICH Q9, to assign a criticality category. Typical inputs include:
- Product impact — does the material or service touch the product, its container-closure system or its data?
- Process role — is the supplier performing a GMP- or GDP-regulated activity, such as sterilisation, testing or temperature-controlled transport?
- Substitutability and supply risk — is this a sole source, and what is the impact of failure?
- Regulatory profile — country of operation, inspection history and applicable standards.
This classification determines everything downstream: the depth of assessment, whether an on-site audit is required, and how often you will re-qualify. Tiering your supplier base properly is the single biggest efficiency gain in the whole supplier qualification process.
Step 2: Assess the supplier — questionnaires, documentation and audits
With risk understood, gather objective evidence that the supplier can meet your requirements. A layered approach works best.
Desktop assessment
Start with documentation: a completed quality questionnaire, current manufacturing or wholesale dealer authorisations, GMP or GDP certificates, ISO registrations where relevant, and recent inspection outcomes. Cross-check certificates against the EudraGMDP database rather than taking copies at face value. For lower-risk suppliers, a robust desktop review with sound justification may be sufficient.
On-site and remote audits
For critical suppliers — active substance makers, sterile manufacturers, contract laboratories, key logistics providers — an audit is expected. Plan it against a clear scope, use trained auditors, and weight your agenda towards the processes that carry product and patient risk. Where a physical visit is impractical, a justified remote or hybrid audit can bridge the gap, but the rationale must be documented. Shared third-party audit reports can supplement your programme, yet they rarely replace your own judgement for high-risk activities.
Data integrity
Build ALCOA+ expectations into every assessment. Records that are not attributable, legible, contemporaneous, original and accurate undermine any certificate of analysis or batch record a supplier provides. For laboratories and any data-generating activity, probing data governance and audit-trail review is now a standard inspection theme.
Step 3: Approve, contract and define responsibilities
A qualification decision must be made by quality, recorded, and supported by the evidence gathered. Approval is not a rubber stamp from procurement; it is a documented conclusion that residual risk is acceptable.
Formalise the relationship in writing. For outsourced GMP and GDP activities, EU GMP Chapter 7 expects a written contract or technical/quality agreement that clearly separates the duties of contract giver and contract acceptor. A good quality agreement spells out:
- Specifications, testing and release responsibilities;
- Change control and deviation notification obligations;
- Sub-contracting rules and the right to audit;
- Complaint, recall and data-integrity expectations.
Add the supplier to your approved supplier list only once the agreement and approval are in place. Structured supplier management at this stage prevents the all-too-common gap where purchasing begins before quality has signed off.
Step 4: Monitor performance and re-qualify on a risk basis
Approval opens an ongoing relationship, not a closed file. Monitor each supplier against agreed metrics so that qualification reflects real performance rather than a historic snapshot.
Practical monitoring tools include:
- Incoming quality data — rejection rates, out-of-specification results and certificate-of-analysis reliability;
- Deviation and complaint trends linked to the supplier;
- Change notifications and how promptly they are communicated;
- Delivery and documentation accuracy, including cold-chain excursions for GDP suppliers.
Feed this evidence into periodic re-qualification on a frequency set by risk tier — more often for critical suppliers, less for low-risk ones. A material change, a serious deviation or an adverse inspection should trigger reassessment regardless of the calendar. Where performance falls short, escalate through CAPA and, if necessary, disqualification and supplier change control. Examples of how this works in practice are set out in our case studies.
Common pitfalls that fail inspection
Most supplier-related findings are avoidable. The recurring themes are familiar to any inspector:
- One-size-fits-all qualification that ignores risk, wasting effort on trivial suppliers while under-scrutinising critical ones.
- Stale approvals with no evidence of periodic review or current authorisations.
- Quality agreements that contradict reality, or are missing for outsourced GMP/GDP activities.
- Weak change notification, so the first you learn of a supplier change is a batch failure.
- Audit reports without closed actions — findings raised but never verified as resolved.
Each of these is straightforward to close with a proportionate system and disciplined record-keeping. The goal is a programme an inspector can follow from risk rationale to current approval without gaps.
Key takeaways
A robust supplier qualification process is risk-based, evidence-led and continuous. Classify suppliers by the risk they pose, assess them in proportion, approve through quality with a clear contract, then keep that approval honest through performance monitoring and timely re-qualification. Align the whole programme with EU GMP, GDP guidelines and ICH Q9 and Q10, and embed ALCOA+ wherever data is generated.
Regulatory sources
This guidance reflects current UK and EU GMP/GDP requirements. Primary references:
- EU GMP Chapter 7 — Outsourced Activities
- EU GMP Part II — Active Substances (APIs)
- EMA — GMP/GDP Questions & Answers
Always confirm against the latest published version of each source.
Frequently asked questions
What is the difference between supplier qualification and supplier approval?
Qualification is the whole risk-based process of assessing whether a supplier is fit for purpose, including risk classification, documentation review and, where needed, auditing. Approval is the formal quality decision, recorded and evidence-based, that places the supplier on your approved supplier list. Approval is one milestone within qualification, not the entire activity, and it must be supported by the assessment that preceded it.
Do I always need to perform an on-site audit to qualify a supplier?
No. The level of assessment should be proportionate to risk under ICH Q9. For critical suppliers such as active substance or sterile manufacturers and contract laboratories, an on-site audit is generally expected. For lower-risk suppliers, a documented desktop assessment, or a justified remote or hybrid audit, can be sufficient provided the rationale is recorded.
How often should suppliers be re-qualified?
Re-qualification frequency should be driven by the supplier's risk tier rather than a single fixed interval, with critical suppliers reviewed more often than low-risk ones. Beyond the scheduled review, any significant change, serious deviation, recurring quality issue or adverse inspection outcome should trigger reassessment. The aim is for approval status to reflect current, real-world performance at all times.