Most supplier qualification programs are built reactively. A supplier fails an audit, a raw material fails incoming testing, or an FDA investigator asks for supplier qualification records during an inspection — and the manufacturer realizes their supplier qualification program is either inadequate or doesn’t exist in a documented form. The program that gets built in response to a crisis is almost always more burdensome than the one that would have been built proactively.
A well-designed supplier qualification program does three things: it ensures that the suppliers you use are capable of providing materials that meet your specifications, it creates a documented record of how you verified that capability, and it scales as your supplier base grows without requiring proportionally more resources to manage. Here’s how to build one.
For dietary supplement manufacturers, supplier qualification requirements are embedded in 21 CFR Part 111. Under 21 CFR Part 111.75, manufacturers must establish and follow written procedures for qualifying suppliers and for verifying the identity of components. The regulation provides two pathways: conduct your own identity testing for each component, or establish a qualified supplier program that allows you to rely on the supplier’s COA for identity verification.
The qualified supplier pathway requires documented evidence that the supplier’s testing is reliable. That evidence typically includes an audit of the supplier’s quality system, a review of their testing methods and laboratory qualifications, and periodic verification testing to confirm that the supplier’s results are accurate. The regulation doesn’t prescribe exactly what a qualified supplier program must look like, but FDA expects it to be documented, risk-based, and consistently applied.
For food manufacturers under 21 CFR Part 117 (Preventive Controls for Human Food), supplier qualification requirements are addressed in Subpart G. The framework is similar — risk-based, documented, with verification activities proportional to the risk posed by the supplier and the ingredient.
The most practical supplier qualification programs use a tiered structure that applies different qualification requirements based on the risk level of the supplier and the materials they provide. A tiered approach lets you apply rigorous qualification to high-risk suppliers without creating an unsustainable administrative burden for low-risk ones.
A three-tier structure works well for most manufacturers:
Tier 1 — Critical Suppliers: Suppliers of active ingredients, high-risk raw materials, or materials with a history of adulteration or contamination concerns. Qualification requirements: on-site audit or comprehensive remote audit, full supplier questionnaire, review of ISO 17025 accreditation or equivalent, method review, and annual re-qualification. Examples: botanical extract suppliers, probiotic culture suppliers, suppliers of ingredients with known adulteration risk.
Tier 2 — Standard Suppliers: Suppliers of excipients, packaging materials, and other materials with moderate risk. Qualification requirements: supplier questionnaire, COA review, and periodic verification testing. Re-qualification every 2–3 years or upon significant change. Examples: excipient suppliers, capsule shell suppliers, label printers.
Tier 3 — Low-Risk Suppliers: Suppliers of commodity materials, office supplies, or materials that don’t contact the product. Qualification requirements: basic supplier information on file, COA review for applicable materials. No formal re-qualification unless issues arise.
The tier assignment should be documented and justified. When FDA investigators review your supplier qualification program, they’ll want to see that the tiering decisions are based on risk factors — not on which suppliers are easiest to audit.
For Tier 1 and Tier 2 suppliers, the qualification package should include:
Supplier questionnaire: A structured questionnaire covering the supplier’s quality management system, manufacturing practices, testing capabilities, regulatory compliance history, and subcontracting practices. The questionnaire should be specific enough to be useful — generic quality questionnaires that ask only about ISO certifications and general quality practices don’t give you the information you need to make a qualification decision.
Quality certifications: ISO 9001 certificates, ISO 17025 accreditation scopes (for testing laboratories), GMP certificates, or other relevant certifications. Verify these directly with the issuing body, not just from the supplier’s documentation.
Testing documentation: For suppliers of tested materials, review their test methods, their laboratory qualifications, and representative COAs. For high-risk ingredients, ask for method validation data for the specific tests you’re relying on.
Audit report: For Tier 1 suppliers, an audit report documenting the findings of an on-site or remote audit. The audit should cover the supplier’s quality system, manufacturing practices, testing capabilities, and any corrective actions from previous audits.
Verification testing results: For any supplier where you’re relying on their COA for identity verification, periodic verification testing — running your own tests on samples from the supplier — is the evidence that their testing is reliable. The frequency of verification testing should be documented in your SOP and should be proportional to the risk level.
A supplier qualification program is only as good as the SOPs that govern it. At minimum, you need:
The change notification SOP is often the weakest link. Suppliers change their processes, their raw material sources, and their manufacturing sites without always notifying customers. Build a requirement into your supplier agreements that significant changes must be communicated to you before implementation, and define what “significant” means.
As your supplier base grows, the administrative burden of managing a supplier qualification program grows with it. A manufacturer with 10 suppliers can manage qualification records in spreadsheets. A manufacturer with 100 suppliers needs a more systematic approach.
Quality management software with supplier qualification modules — platforms like MasterControl, Veeva Vault, or TrackWise — can automate re-qualification reminders, track qualification status, and maintain audit trails. The investment in software is justified when the administrative overhead of manual tracking becomes a quality risk in itself.
Even without dedicated software, a well-designed spreadsheet tracker that captures supplier name, tier, qualification date, re-qualification due date, and qualification status can manage a supplier base of 50–75 suppliers effectively. The key is building the re-qualification reminders into a calendar system so that due dates don’t slip.
At Aurora TIC, we help manufacturers design supplier qualification programs that satisfy FDA requirements, scale with business growth, and create the documentation infrastructure needed to defend the program under regulatory scrutiny. The framework above is a starting point — the specific requirements will depend on your product category, your regulatory context, and the complexity of your supply chain.