BOOK FREE HOME COLLECTION
+123 456 7899 90
Get a Quote
Make Appointment
Get a Quote

Supplier Qualification Checklist for APIs & Research Compounds — Checklist

Supplier Qualification Checklist for APIs & Research Compounds — Checklist

Why supplier qualification should be “risk‑based” (not “one‑size‑fits‑all”)

Supplier qualification is not a paperwork exercise; it is your mechanism to control outsourced activities and purchased materials through a defined supply chain. ICH Q10 explicitly extends the pharmaceutical quality system to outsourced activities and purchased materials and calls for: (a) assessing suitability/competence before selecting suppliers, (b) defining responsibilities in written agreements, and (c) monitoring/reviewing supplier performance and material quality over time. ICH Database

A risk‑based approach prevents two common failure modes:

  • Over‑qualification of low‑impact research compounds (wasted cycle time, minimal risk reduction), and

  • Under‑qualification of API suppliers where you may rely on CoAs, contract labs, or complex logistics (high operational and compliance exposure).

ICH Q9(R1) supports calibrating the effort/formality/documentation to the level of risk and explicitly links risk decisions to patient protection (including situations where product availability may be impacted). ICH Database

Step 1) Send a pre‑audit questionnaire and request sample documents

The purpose of the pre‑audit package is to answer one question: Is this supplier worth auditing (and at what depth)?

Segment first: API vs research compound (and intended use)

A simple segmentation that keeps you aligned internally:

  • GMP API for clinical/commercial use: expect full qualification rigor (supplier quality system + audit + ongoing monitoring).

  • Non‑GMP research compound for early R&D: qualification can be lighter, but still needs identity/traceability and basic controls (especially if you will reproduce work across lots).

If you plan to rely on supplier analytical results (e.g., CoA values), ensure your qualification plan supports reliability checks and periodic verification. Both ICH Q7 and 21 CFR 211.84 explicitly allow reliance on supplier analysis only when you have a system to evaluate suppliers and verify reliability at appropriate intervals. ICH Database+1

Pre‑audit questionnaire: what to ask (high signal, low fluff)

A) Quality system and scope

  • What is your manufacturing scope (API, intermediate, custom synthesis, repack/relabel)?

  • Which sites perform manufacturing vs testing vs packaging vs storage?

  • Which standards apply (e.g., ICH Q7 alignment for APIs)?

B) Analytics and CoA controls (make this prominent)

ICH Q7 is explicit that authentic CoAs should be issued (on request) and list tests performed, acceptance limits, numerical results where applicable, and be signed by authorized quality personnel, including identifying the original manufacturer. European Medicines Agency (EMA)
Ask:

  • Who issues CoAs and how are they authorized?

  • Do you use contract labs? If yes, how are they qualified and controlled?

  • How are OOS investigations handled?

  • How are reference standards controlled?

C) Logistics and distribution controls (even for “non‑temperature‑sensitive” items)

ICH Q7 requires that APIs/intermediates be transported in a manner that does not adversely affect quality; special transport/storage conditions should be on the label; and the manufacturer should ensure transportation contractors know and follow the appropriate conditions. European Medicines Agency (EMA)
Ask:

  • How do you define and control shipping conditions (temperature/humidity if critical)?

  • What seals/tamper evidence is used?

  • How do you manage chain‑of‑custody and traceability?

  • What lanes and carriers are typical for our region?

D) Change notification commitments

If a supplier’s changes can alter impurity profiles, analytical comparability, packaging, or shipping, you need clear notification expectations and a mechanism to assess impact before supply is disrupted.

E) Data integrity (minimum viable questions)

  • How do you control access, audit trails, and data review for chromatographic systems?

  • How are critical calculations and integrations controlled?

Sample document request list (pick 8–12, not 40)

For APIs (typical pre‑audit set)

  • Quality manual or quality overview

  • Site/org chart (incl. Quality unit independence)

  • Example batch CoA (recent, redacted)

  • OOS procedure (table of contents + key pages)

  • Deviation/CAPA procedure (table of contents + key pages)

  • Change control procedure (table of contents + key pages)

  • Data integrity policy or governance statement (summary)

  • Stability/retention summary (high level)

  • Shipping SOP excerpt (packaging, labeling, sealing, lane controls)

  • List of critical equipment (manufacturing + QC) and calibration/maintenance approach

For research compounds (lighter set)

  • Example CoA/test summary and traceability (lot/batch ID)

  • Analytical method summary (what technique confirms ID/purity)

  • SDS

  • Shipping/labeling approach and chain‑of‑custody basics

Copy/paste: Pre‑audit packet tracker

  • Supplier legal entity + site(s):

  • Material(s) in scope:

  • Intended use stage: Research / Nonclinical / Clinical / Commercial

  • Pre‑audit questionnaire sent: (date / owner)

  • Documents received: (date)

  • Gaps/questions to verify onsite:

  • Audit type recommended: Remote / Hybrid / Onsite

  • Proposed audit scope: Quality system / Analytics / Logistics / Both

Step 2) Conduct a risk‑based audit focusing on analytics and logistics

A practical audit for APIs and research compounds should focus on the two places failures actually show up downstream:

  1. Analytics (can we trust the data and CoA?)

  2. Logistics (does the material that was released arrive unchanged and traceable?)

A) Analytics focus: what to verify onsite (or via live remote walkthrough)

1) CoA issuance and governance

ICH Q7 details what a CoA should contain (tests, limits, results, authorization, manufacturer identity) and the expectation for authentic CoAs. European Medicines Agency (EMA)
Audit checks:

  • CoA template content and signatory controls

  • Traceability from CoA → raw data → sample ID → batch record

  • Handling of repackers/reprocessors (who is “original manufacturer,” what is referenced)

2) Incoming materials controls (supplier’s own suppliers)

If they cannot control their own incoming materials, you inherit variability.

3) OOS / deviation discipline

ICH Q7 requires OOS results be investigated and documented per procedure, including analysis of data and conclusions. European Medicines Agency (EMA)
Audit checks:

  • recent OOS examples (sanitized) and how root cause was determined

  • retesting/resampling governance

  • CAPA effectiveness checks (not just closure dates)

4) Reference standards and system suitability

ICH Q7 includes expectations around reference standards (primary/secondary) and periodic requalification for secondary standards. European Medicines Agency (EMA)
Audit checks:

  • standard qualification and traceability

  • storage, use logs, expiry/retest of standards

  • system suitability rationale (not just limits copied forward)

5) Can you rely on their test results?

If you intend to reduce incoming testing based on supplier results, you need a reliability program. ICH Q7 recommends full analyses on at least three batches before reducing in‑house testing and checking CoA reliability at regular intervals. ICH Database
If you operate under US drug CGMP, 21 CFR 211.84 similarly allows acceptance of supplier analysis in lieu of testing when you conduct at least one specific identity test and establish reliability through appropriate validation at appropriate intervals. ecfr.gov

B) Logistics focus: what to verify (often overlooked)

1) Shipping conditions and labeling controls

ICH Q7 expects special transport/storage conditions to be stated on labels when needed and that transport contractors know and follow the appropriate conditions. European Medicines Agency (EMA)
Audit checks:

  • labeling content and review/approval

  • sealing/tamper evidence

  • packaging suitability for the material (moisture/light sensitivity, etc.)

  • lane risk awareness (seasonality, customs dwell times, last‑mile)

2) Storage and distribution records, traceability, and contracted logistics

The EU GDP guidelines for active substances (2015/C 95/01) provide concrete expectations for distributors, including contemporaneous records, deviation investigations/CAPA, evaluation of changes affecting storage/distribution, and record retention. ECA Academy
They also specify records supporting traceability (purchase/sale, batch number, certificates of analysis, bills of lading/transport records) and require that contracted storage/transport be covered by a written contract and that the contractor follows appropriate storage/transport conditions. ECA Academy

Even if your supplier is primarily a manufacturer, these GDP principles are highly audit‑useful for evaluating whether logistics can undermine released quality.

Copy/paste: Risk‑based audit agenda (1–2 days)

Day 0 (pre‑work): document review + risk questions + scope confirmation
Day 1 (core):

  1. Opening meeting + scope confirmation

  2. Quality system overview + key procedures (deviation/CAPA, change control, training)

  3. QC lab walkthrough (CoA governance, raw data traceability, OOS, standards)

  4. Batch record walkthrough (one representative lot)

  5. Logistics walkthrough (packaging, labeling, sealing, shipping release process)

  6. Warehouse walkthrough (segregation, storage condition monitoring if critical)

  7. Closeout: observations + required responses + timelines

Audit outputs

  • Critical/major/minor observations

  • Required CAPAs and due dates

  • Qualification recommendation (approve / conditional / reject)

  • Defined monitoring plan (KPIs + cadence)

Step 3) Define KPIs and a re‑qualification cadence in your quality agreement

Two frameworks strongly support this:

  • ICH Q10 calls for monitoring and review of supplier/material performance, plus written agreements that define responsibilities and communications. ICH Database

  • EU GMP Chapter 7 makes the Contract Giver ultimately responsible for control and review of outsourced activities, including assessing legality/suitability/competence prior to outsourcing and monitoring/reviewing performance and needed improvements. Public Health

KPI set (short, actionable, not “scorecard theater”)

Choose 6–10 KPIs max and align them to the real failure modes: quality escapes, release delays, and logistics variability.

Quality KPIs

  • Lot acceptance rate (no deviations/investigations)

  • CoA right‑first‑time (doc errors per lot)

  • OOS rate (and recurrence of same root cause)

  • CAPA responsiveness (time to containment + time to closure)

Supply/Service KPIs

  • OTIF (on‑time, in‑full)

  • Lead time stability (variance vs confirmed lead time)

  • Allocation/backorder frequency

Logistics KPIs (if applicable)

  • Temperature excursion rate (if temperature controls are critical)

  • Lane deviation rate (customs holds, misrouting, damage, seal breaks)

Re‑qualification cadence (risk‑based)

Set cadence by criticality and performance, then write explicit triggers:

  • Periodic: annual / biennial / triennial audit or assessment (based on risk tier)

  • Event‑based triggers: major deviation, repeated CoA errors, site change, critical method change, repeated lane excursions, quality trend shift, use of new subcontractor

Copy/paste: Quality agreement performance section (minimum viable)

Supplier qualification and monitoring

  • Supplier is approved for materials/sites listed in Appendix A.

  • Supplier notifies Buyer/MAH of quality‑impacting changes prior to implementation (timelines defined).

  • KPIs (Appendix B) reviewed on a defined cadence; performance below thresholds triggers CAPA.

  • Re‑qualification cadence: ___ (by risk tier), plus event‑based triggers.

  • Right to audit (onsite or remote) and access to relevant records for investigation support.

  • Subcontracting requires prior approval (and transparency of the supply chain).

(These elements reflect the direction in ICH Q10 and EU GMP Chapter 7 regarding agreements, competence assessment, and ongoing monitoring/review.) ICH Database+1

Step 4) Record decisions, owners, and due dates

Supplier qualification fails operationally when decisions are implicit (“I thought QA approved them”) or scattered across emails.

Copy/paste: Supplier qualification decision log

Decision Why it matters Owner Due date Status Evidence location
Audit required? (Y/N) and type Sets qualification rigor
Approved scope (materials/sites) Prevents scope creep
CoA reliance approach Drives incoming testing strategy
Logistics controls required Prevents in‑transit quality loss
KPIs + thresholds approved Enables monitoring
Re‑qualification cadence approved Keeps approval current

Step 5) File supporting documents with the final record

Your “supplier dossier” should be reconstructable: if someone asks why is this supplier approved a year from now, you should be able to answer without re‑auditing.

Copy/paste: Supplier dossier filing checklist

  • Pre‑audit questionnaire + responses

  • Sample documents reviewed (CoA, procedures, etc.)

  • Audit plan, audit report, observation responses, CAPAs and closures

  • Approved scope statement (materials, sites, subcontractors)

  • Quality agreement (final) with KPI section and re‑qualification cadence

  • CoA reliability evidence (if you rely on supplier testing), consistent with expectations to validate/verify supplier results at intervals ICH Database+1

  • Logistics requirements (shipping instructions, pack‑outs, lane controls if applicable)

  • KPI scorecards and QBR minutes (if you run QBRs)

Step 6) Schedule a follow‑up review to capture lessons learned

Qualification should improve over time. A short follow‑up review prevents repeat issues (and reduces audit scope later).

ICH Q10 and EU GMP Chapter 7 both emphasize ongoing monitoring/review and improvement of outsourced activities and purchased materials—not just one‑time approval. ICH Database+1

Copy/paste: 30–45 minute lessons‑learned agenda

When: 60–90 days after first deliveries (or after first 3 lots), then per KPI cadence

  1. What did we learn from the first lots (quality, documentation, logistics)?

  2. Did CoAs match expectations (content, consistency, trend signals)?

  3. Any recurring issues (doc errors, OOS, delays, seal breaks, excursions)?

  4. Were our incoming testing and CoA reliance assumptions valid? ecfr.gov+1

  5. Actions: update questionnaire, audit checklist, agreement clauses, or KPI thresholds (owners + due dates)

Practical closing: what makes this “work” day‑to‑day

If you implement only three things:

  1. Pre‑audit screening with sample docs (to avoid wasting audits),

  2. Audit depth aimed at analytics + logistics (where downstream failures live), and

  3. KPIs + re‑qualification cadence written into the quality agreement (so “approved” remains meaningful),

…you will materially reduce receiving holds, deviations tied to supplier variability, and emergency re‑sourcing during supply disruptions—while staying aligned to risk‑based expectations in ICH Q10/Q9 and EU GMP Chapter 7

Checklist

  • Send a pre‑audit questionnaire and request sample documents.
  • Conduct a risk‑based audit focusing on analytics and logistics.
  • Define KPIs and a re‑qualification cadence in your quality agreement.
  • Record decisions, owners, and due dates.
  • File supporting documents with the final record.
  • Schedule a follow‑up review to capture lessons learned.

Notes:

This checklist is for educational use only and does not replace your internal procedures.