OBJECTIVE:

• To define a risk-based, documented process to evaluate, qualify, approve, and periodically re-qualify suppliers of materials and services so they consistently meet specifications and GMP requirements.

 SCOPE:

Applies to

• APIs,
• Excipients,
• Primary/printed/secondary packaging,
• Process aids,
• Lab chemicals,
• Contract testing,
• Calibration and HVAC Validation
• Contract Manufacturing organizations,
• Distributors
• Service agreements for Equipment / Instrument in Production, Utilities and QC.
• Service agreements for the general services like PEST control.
• Consultant agreements for consultation within the organization.

RESPONSIBILITIES:

Head Quality Assurance (QA):

• • • Shall responsible for final qualification decision,
    • Shall approve identified| Risk class,
    • Shall approve supplier re-qualification as per frequency

Designee QA:

• • Shall approve risk class,
  • To perform supplier audits,
  • To perform Technical Quality agreements with the suppliers,
  • To prepare and maintain Approved Supplier List (ASL),
  • To prepare supplier performance scorecards before requalification of supplier.

Quality Control (QC):

• • Shall perform Supplier Sample testing and compilation of results,
  • Trending of test results with Supplier Certificate of Analysis (COA).

Procurement:

• • Shall initiate new supplier proposals.
  • Shall procure the materials only from ASL-approved sources;
  • Shall initiate Purchase Order (PO) in alignment with specifications.

Production / Warehouses / Engineering:

• • Shall provide feedback on process/pack performance;
  • Shall provide incoming checks

Regulatory Affairs:

• • Shall review Spec/dossier alignment;
  • Drug Master File (DMF) tracking;
  • Change notifications to the regulatory authorities

Supplier / Contractor:

• • Shall Provide complete dossiers.
  • To provide certificate of analysis (CoA) align to our specification
  • To provide Certificate of Conformity (CoC);
  • To implements CAPA for the observation during Audit findings at their end.

 DEFINATIONS:

• Risk assessment (in QRM): A structured, documented part of Quality Risk Management that covers risk identification, risk analysis, and risk evaluation to judge potential impacts on product quality and patient safety—before deciding controls.
• Change control (change management): A formal, prospective, documented system to evaluate, approve, implement, and verify planned changes to facilities, utilities, equipment, materials, methods, specs, or documents that may affect quality/GMP compliance. It must use quality risk management and include effectiveness checks.
• MAH (Marketing Authorization Holder): The legal entity that holds the marketing authorization for a medicinal product in the EU/EEA and is ultimately responsible for its quality, safety, efficacy, and compliance (including PV and oversight of manufacturers/importers/QP release).
• Technical/Quality Agreement (TQA): The written contract between the contract giver and acceptor for outsourced GMP activities. It clearly assigns responsibilities, communication routes, change-control and deviation handling, audit rights, subcontracting rules, records/data integrity, and other technical arrangements.

PROCEDURE:

Material/Service Criticality and Risk Assessment (Risk-Based Approach):

• Initial risk assessment shall perform to determine the rigor of the qualification process.

Material/Supplier Classification:

• The cross-functional team (QA, QC, Purchasing) shall classify the material and potential supplier as High, Medium, or Low risk based on factors including:

Material Criticality (Direct Impact on Tablet Quality):

• • High Risk: APIs, Critical Excipients (e.g., those affecting dissolution or stability), Primary Packaging (in direct contact with the tablet).
  • Medium Risk: Non-critical Excipients, Printed Packaging, Secondary Packaging.
  • Low Risk: General laboratory reagents, non-GMP services.

Supplier Risk Factors:

• Geographical location, regulatory history, complexity of the material’s manufacturing process, supply chain length, and previous audit history (if known).

Determine Qualification Method:

• Based on the risk classification, define the required qualification activities. Audits are mandatory for API manufacturers.

Information Gathering and Preliminary Assessment:

• Supplier Questionnaire: Purchasing / Quality Assurance sends a comprehensive Supplier Qualification Questionnaire to the potential supplier to gather essential information, including:
• • • Company profile, organizational structure, and history.
    • Details of the Quality Management System (QMS) (e.g., change control, deviation, CAPA systems).
    • GMP/ISO certificates and regulatory inspection history.
    • Manufacturing process flow diagram and Site Master File (if available).
    • Specific declarations for raw materials (e.g., TSE/BSE status, Residual Solvents, Elemental Impurities).
• Document Review by QA: QA reviews all submitted documentation, including specifications, Certificates of Analysis (CoA), and regulatory declarations, against the defined requirements for the material.
• Detailed Assessment and Verification:
  • On-site/Remote Audit: For High-Risk suppliers (e.g., API manufacturers), a formal EDQM / WHO PQ audit shall mandatory. If not, we may proceed with risk based approach.
•  The audit scope focuses on the material’s manufacturing process and the supplier’s QMS controls.
•  API Manufacturers: The audit shall confirm compliance with in accordance to cGMP.
• Excipient Manufacturers: The assessment shall include a documented risk assessment (as per the SOP on the formalized risk assessment for excipients) which may necessitate an on-site audit. Otherwise, we shall proceed with remote audit.

Sampling and Testing:

• QC shall receive samples of three consecutive batches of the material (if required by the risk assessment).
• QC shall perform full analytical testing (or specified partial testing) against the material specification.
• For tablets, critical quality attributes like Particle Size Distribution (PSD) and Bulk/Tapped Density of API shall be assessed for their impact on tablet properties (e.g., blend uniformity, compression).

 Final Approval and Documentation:

• Audit Report and CAPA: Quality Assurance shall issue the final audit report, classifying any deficiencies (Critical, Major, Minor).
• The supplier must provide a Corrective and Preventive Action (CAPA) plan, which QA shall review for adequacy.
• Technical Quality Agreement (TQA): A legally binding Quality Agreement shall be executed between the two parties, defining their respective GMP responsibilities, including:
  • Change notification requirements.
  • Handling of deviations, complaints, and recalls.
  • Audit rights and frequency.
  • Roles for batch documentation review and testing.
• Final Qualification Decision: Based on the satisfactory audit report, CAPA closure, successful material testing, and executed Quality Agreement, QA formally shall approve the supplier.
• Approved Supplier List (ASL): The new supplier and material are added to the Approved Supplier List (ASL).
• The ASL shall be updated immediately upon any approval status change via Change Control form.
• Where starting materials are procured via a broker, trader or agent, the source shall be treated as High Risk until full traceability to the original manufacturer is established and qualify the original manufacturer.

Ongoing Monitoring and Re-qualification:

• • Performance Monitoring: Purchase department and QC Department shall responsible for the continuous monitoring of approved suppliers and Quality Assurance periodically reviews the data.
• Key Performance Indicator (KPI) like Quality, Delivery and Regulatory shall be used for evaluation of the supplier.
• The metrics like Certificate of Analysis (CoA) compliance, Out-of-Specification (OOS) results, Deviation/Non-conformance frequency, and Complaint rate shall be used to evaluate Quality KPI.
• The QMS documents and Supplier documents shall consider as evident for Quality KPI.
• The metrics like On-Time-In-Full (OTIF) rate, supply chain security issues. Shall be used to evaluate Delivery KPI.
• Past purchasing records shall consider as evident for Delivery KPI.
• The metrics like Notification of changes to manufacturing process/site, regulatory inspections, and license updates shall be used to evaluate Regulatory KPI.
• Re-qualification: The approved status of all suppliers shall subject to periodic re-qualification based on their risk classification and ongoing performance.
• High Risk (APIs, Critical Excipients): Re-assessment every 2 years (or sooner if performance is poor). This generally requires a follow-up audit or a comprehensive document review.
• Medium/Low Risk (Other Materials/Services): Re-assessment every 5 years. This is typically a documented quality review covering the metrics and an updated questionnaire/regulatory documentation review.
• Triggered Re-qualification: A formal re-qualification is initiated immediately if any of the following events occur:
  • A Critical/Major deficiency is identified in an audit.
  • A critical product quality defect is traced back to the supplier (e.g., OOS leading to batch rejection/recall).
  • An unapproved significant change is made by the supplier.
  • Regulatory action (e.g., Warning Letter) against the supplier’s facility.
• Supplier Discontinuation (De-Qualification)
  • A supplier may be permanently removed from the ASL based on chronic non-compliance or failure to resolve critical quality issues.
•  The impact of discontinuing the supplier on the current production shall be assessed, and a mitigation strategy (e.g., dual-sourcing, run-down plan) must be approved by the production head and QA head.
• The supplier is formally removed from the ASL, and the closure decision is documented in the supplier’s file.
• All documentation generated during the supplier qualification lifecycle must be retained as part of the Quality Management System (QMS) and maintained in a dedicated Supplier Qualification File as follow,
  • Initial Risk Assessment Report.
  • Completed Supplier Qualification Questionnaire.
  • Audit Plan and Final Audit Report (including CAPA review).
  • Signed Quality Agreement/Technical Agreement.
  • Laboratory testing results of qualification batches (QC reports).
  • Approved Supplier List (ASL) with defined re-qualification dates.
  • Supplier Performance Monitoring Records (e.g., quality trend data).
  • Re-qualification/De-qualification reports.

Qualification of Service provider:

• The Company is responsible for assessing the legality, suitability, and competence of the Contract Acceptor prior to outsourcing. This can include:
• • • Questionnaires (Paper Audit): Information shall be collected on their working system, licenses, experience, and facilities.

• Government Authority Compliance Status: Necessary Licenses shall be verified (e.g., ISO, Licenses issued by local government authorities) and review their inspection history.
• Audits (On-site or Remote): For service activities like Workshops for engineering or fabrication work, an on-site audit by the Company’s qualified personnel is typically required before approval.
• For lower-risk services (e.g., standard pest control,) or where the supplier going to provide consultation or going to perform the activity at our premises (e.g. Calibration), a questionnaire and review of certifications may sufficient.
• Services agreements shall be performed with service providers for clarity about agreement validity, Roles of both the parties, terms of agreement discontinuation.

Qualification of Contract laboratories:

• Quality Risk Management and Criticality Assessment:
• • • The Comopany shall perform a documented risk assessment to classify the services based on its potential impact on product quality and GMP compliance.
•  Based on the risk, define the exact technical and quality requirements the supplier shall meet (e.g., Lab certifications, specific standards like ISO).
• Initial Assessment and Selection:
  • Potential contract lab shall be identified.

• Competence Review (Due Diligence): The Compoany is responsible for assessing the legality, suitability, and competence of the Contract Acceptor prior to outsourcing. This can include:
  • Questionnaires: Collect information on their Laboratory system, licenses, experience, and facilities.
•  Regulatory Status: Verify they hold the necessary licenses (e.g., Laboratory certifications and review their inspection history.
•  Audits (On-site or Remote): For high-risk, direct-impact activities (Contract Lab), an on-site audit by the Company’s qualified personnel is typically required before approval.

Technical Quality Agreement (TQA):

• A formal, written contract shall be established between the Company and the Contract Acceptor.
•  TQA shall clearly establish and specify the duties and responsibilities of each party regarding GMP-related activities (e.g., change control, deviations, complaints, Recall, Pharmacovigilance, documentation, and subcontracting).
•  Final Approval and Documentation: The contract lab/service is formally approved by the Company Quality Assurance.
•  A comprehensive file for the approved supplier shall be maintained, including the risk assessment, audit reports, qualification evidence (e.g., certificates), and the final Quality Agreement.

  Qualification of Distributor:

Authorization Verification:

• Company shall verify an authorization or entitlement to supply medicinal products to the public (e.g., a registered pharmacy, a hospital, a licensed doctor, etc.), as defined by national law.
• Company shall Obtain a copy of the customer’s relevant license or authorization (e.g., pharmacy license).
• If you are supplying controlled medicines, a hard copy of their specific Controlled Drugs (CD) license (where applicable) shall be obtained prior to supply, and its expiry date must be monitored.
• Ensure the name, address (including the delivery address), and license number on the documents match their business registration and your sales order.
• Confirm the customer’s legal status, company registration number, and VAT number (check for validity).
• Company shall review their website (if applicable) and use a tool like Google Maps to verify the physical address to ensure they appear to be a legitimate operation.
• For new or high-risk customers, a risk-based assessment should consider their storage facilities and ability to maintain product quality (e.g., proper temperature control for temperature-sensitive products). This helps mitigate the risk of product quality degradation.
• Ensure all checks required by your company’s SOP have been completed and documented.
• The final approval of the customer should be done by delegated qualified personnel.
• Safety Data Exchange Agreement (SDEA) shall be performed.
• Distributor shall requalify after every five years.
• All parts of the qualification process must be fully documented and easily retrievable for regulatory inspections and audits. This includes:
  • Initial Risk Assessment
  • All copies of licenses and authorizations obtained (with checked expiry dates).
  • Technical Quality Agreement (TQA)
  • Safety Data Exchange Agreement (SDEA)
  • Final Approval
  • Requalification

REFERENCE:

• EU GMP Chapter 5: Production (Starting Materials) and Chapter 7: Outsourced Activities
•  WHO TRS guideline for supplier Qualification

RECORDS:

REVISION HISTORY: