Why Supplier Assessment Is Part of Validation
In GAMP 5, the supplier of a software system is not just a vendor; they are a contributor to the validation evidence. The regulator's logic is straightforward: if a system integrator or software vendor has a mature quality management system and can demonstrate they test their products rigorously, the pharmaceutical company can leverage that work rather than repeat it entirely. Conversely, a supplier with no documented QMS is a risk that must be compensated for with more extensive in-house testing.
This is why EU GMP Annex 11 §3 requires supplier assessment before the contract is awarded, not after the system is installed. An assessment completed retrospectively is a finding.
EU GMP Annex 11 §3 explicitly requires supplier assessment and audit as part of the validation process. 21 CFR Part 11 addresses this less directly: it requires validation of the system, and leveraging a supplier's testing evidence is an accepted approach under CSA. See our Annex 11 vs Part 11 comparison for the full picture.
The Supplier Assessment Questionnaire (SAQ)
The SAQ is a structured questionnaire sent to the supplier before contract award. It covers: Quality Management System certification (ISO 9001, ISO 13485), software development lifecycle methodology, defect tracking and release management processes, test documentation practices, and post-delivery support arrangements.
The SAQ is not an audit; it's a paper assessment. The supplier completes it and provides supporting evidence (ISO certificates, sample procedures). Based on the SAQ response, the pharmaceutical company decides whether a more detailed on-site audit is needed, or whether the paper assessment is sufficient.
The Supplier Assessment Report (SAR)
The SAR documents the outcome of the supplier assessment. It references the SAQ responses, notes any gaps or concerns identified, and draws a conclusion: the supplier's QMS is adequate to support leveraging their testing evidence, or it is not and additional in-house testing will compensate for the gap.
The SAR should be completed and approved before the URS is sent to the supplier for FDS authoring. It informs both the validation scope (what vendor testing evidence will be leveraged) and the contract (what documentation deliverables the supplier must provide).
What to Ask in the SAQ
An effective SAQ for a PLC/SCADA system integrator covers:
- ISO 9001 or equivalent certification: certificate reference and expiry
- Software development lifecycle methodology: do they follow IEC 62443 or similar?
- Version control system: how is PLC/SCADA code versioned and released?
- Testing procedures: what testing is performed before delivery? Is it documented?
- Defect management: how are bugs tracked, prioritised, and resolved?
- Factory testing evidence: can they provide factory test records for the delivered system?
- Post-delivery support: what are the support arrangements for the validated period?
- Subcontractor management: if subcontractors are used, how are they assessed?
What "Leveraging Supplier Testing" Actually Means
When the SAR concludes that a supplier's QMS is adequate, the pharmaceutical company can leverage the supplier's test evidence in their own OQ. In practice this means: if the supplier has factory test records showing that a specific function was tested and passed, those records can be referenced as supporting evidence in the OQ rather than requiring a full re-execution from scratch.
The critical condition is that the factory test records must exist, be retrievable, and specifically cover the functions being claimed. "The supplier is ISO certified" is not the same as "the supplier has documented test records for the batch sequencing logic we're leveraging." The SAR should specify exactly which functions are being leveraged and what evidence exists.
The framework includes a Supplier Assessment Questionnaire template (16 structured questions covering QMS, development lifecycle, testing, and support) and a Supplier Assessment Report template with the assessment summary, gap analysis, and conclusion section. The SAR conclusion section explicitly references which OQ functions can leverage supplier evidence and which require independent testing.