Certificates of Analysis: Don’t Trust, Verify

Published on: 
Pharmaceutical Technology, Pharmaceutical Technology-04-02-2018, Volume 42, Issue 4
Pages: 60, 64, 66, 69

Taking vendor product data at face value puts pharmaceutical manufacturers and their supply chain partners at risk.

Certificates of analysis (CoAs) are a tangible, and important, manifestation of a manufacturer’s relationship with its suppliers of APIs, excipients, and the other materials used to make drug products. Provided by suppliers to customers as a matter of course, these documents operate at the point where materials, laboratory control systems, and manufacturing intersect. These are three of the six crucial domains governed by any good pharmaceutical quality system (1). The right approach to managing and evaluating CoAs is also key to maintaining data integrity, an area where many pharma company compliance strategies continue to fall short (2).

CoAs summarize key information on product quality testing, including test conditions and parameters, specifications and requirements, results of tests (both qualitative and quantitative), and approval signature and date. They also provide information on the chain of custody, including such basics as the manufacturer’s name, address, telephone number/email and other identifiers that allow the material to be tracked throughout the supply chain.

Despite CoAs’ importance, some pharmaceutical manufacturers have begun to take them for granted. In other cases, they may be relying on them too much. As spectroscopist and consultant Emil Ciurczak notes, “They might be better off heeding the old Russian proverb: ‘Trust, but verify,’ which former US President Ronald Reagan often used in arms control talks with the former Soviet Union.”

In fact, given the complexity of outsourcing chains today, taking a defensive approach, and cutting straight to “verify” might be an even better strategy.  Ciurczak recommends taking a systematic approach and, in addition to thoroughly testing all incoming materials, randomly testing APIs a second time, on a rotating basis, to validate data in the CoAs.

In general, many pharma companies don’t do a good job in their annual verification of supplier CoAs, notes Irwin Silverstein, consultant to the International Pharmaceutical Excipients Council (IPEC).  “Their focus seems to be only on whether the sample they test annually meets the monograph. They should instead investigate any measurements that differ significantly from what was reported on the CoA. These differences may be due to differences in test method or sample preparation, lack of homogeneity within the excipient lot, or erroneous test results,” he says.

“Best practice would be to make CoA verification part of annual overall verification. It would require sending the excipient manufacturer a copy of the CoA they have received and asking whether their copy is genuine,” Silverstein says. In addition, manufacturers should review the CoA with attention to the reference to the test method. Where the method listed is not compendial, they should request a copy from the manufacturer, says Silverstein.

Oversight of OTC manufacturers 

A systematic approach to CoAs, and vendor data management, is extremely important. In finished drug products, FDA has clearly been stepping up its enforcement of current good manufacturing practices (GMPs) for over-the-counter (OTC) products. In February 2018, the agency issued a warning letter to an OTC antacid manufacturer in Mexico, which was found to have distributed product even before receiving CoAs on finished product test results from its third-party testing lab (3). 

The company had not tested for identity of incoming APIs and ingredients, and failed to verify supplier CoAs.  In some cases, FDA found, operators made up yield results in batch records for weighing, filling, and label reconciliation because there were no established methods or calculations used to determine yields.

Cellex-C International, a Canadian OTC manufacturer, received a warning letter from FDA in 2017 (4) for failing to test incoming APIs and ingredients. Regulatory inspectors found that the company relied almost entirely on its suppliers’ CoAs for evidence of identity and product conformance data (5). 

As FDA’s letter stated, “You must conduct at least one specific identity test to analyze all incoming components. You may not rely on your supplier’s CoA to verify the identity of your components.”

In addition, the company was cited for failing to test product identity, strength, and other specifications. Cellex-C  had outsourced lab testing for APIs in finished drug products, but FDA inspectors found that its managers had no action plan or timelines in place for testing products and supervising that outsourced testing. 
In India, Kim Chemicals, a manufacturer of OTC chest rubs and other treatments was penalized for data integrity deficiencies related to CoAs (6).  As FDA investigators wrote, “You had no records to support the analytical testing results that were reported on your CoAs.”

Technicians would document finished product analysis on a piece of paper, transcribe the test results onto a certificate of analysis, and then destroy the paper with the original test results. As a result, there was no record verifying that tests had been run in the first place.

In 2014, FDA issued a warning letter to CBSCHEM, an API distributor in Hong Kong, for inconsistent documentation and failure to record manufacturer’s identity, address, batch number, purchase, receipt, transportation, distribution, and CoAs and provide this information to customers (7). In addition, CoAs did not include batch or lot codes, laboratory testing information, expiry or retest dates, and other relevant information.  The facility was also found to store unlabeled APIs inside inadequately labeled totes.

But these issues pale when compared to problems that FDA inspectors discovered more recently.  In 2017, the agency issued warning letters to three API and ingredient distributors that created false CoAs (8,9,10). The following passage was almost exactly duplicated in FDA warning letters sent to Lumis and Su Zhou Pharmaceuticals in China, and Sal Pharma in India. 


False records, unlabeled materials


“For many APIs, you generated CoAs by copying and pasting analytical results from the original API manufacturers, replacing the manufacturers’ information with your letterhead, then issuing these CoAs to your customers. You omitted critical information, including the original manufacturers’ names and addresses and the names, addresses, and telephone numbers of laboratories that performed the testing,” read one such letter. One of the companies also held unlabeled material, which was reportedly offspec and due to be destroyed, in its “released for shipping” area.

In addition, Sal Pharma was selling APIs from two suppliers that were not registered with FDA, calling itself the manufacturer. According to the FDA letter, company’s staffers would pick up API from suppliers, relabel it with Sal Pharma’s information in the car, and then drop the API off to its clearing agent without knowing whether the material would be stored in a temperature-controlled environment.

Su Zhou Pharmaceutical Technologies was found not to have a quality unit onsite, or written procedures for quality activities.  Instead, FDA inspectors found, salespeople signed CoAs as “QC directors” and as quality testers. Among other problems, including nonexistent temperature controls, the company distributed supplies from a manufacturer that was on FDA’s Import Ban list, under its own name.

Caveat emptor

Such problems, and penalties, can only be shared by unwary pharmaceutical clients. Tamara Felton-Clark a former acting district director within FDA’s Office of Manufacturing Quality, pointed out one case (1) where a manufacturer worked with multiple contract manufacturing organizations (CMOs) to make various drug products.  Several of these CMOs had received FDA warning letters for cGMP problems with API manufacturing, but the manufacturer did not take action.

The manufacturer’s quality control procedures involved checking whether a CoA was present for each material, rather than testing that the material and verifying information within the accompanying CoA. As a result, product made using the ingredients was problematic, with some lots failing stability tests and customers complaining of problems with the product.

FDA issued the company a warning letter for cGMP deficiencies, including inadequate CMO oversight by the quality department.  “Manufacturers are responsible for the quality of their products, and the reliability of associated test results, regardless of who tests them,” Felton-Clark said.

In another case, Felton-Clark pointed to a finished drug manufacturer that found high levels of impurities in raw materials.  These impurities resulted in an up to a 75% rejection rate for some compounds and generated customer complaints, but no action was taken. Failure to test and document problems and to verify CoAs resulted in warning letters, recalls, a multimillion dollar fine, and, eventually, a permanent injunction, she said. 

CoAs and data integrity

Manufacturers may often fail to consider the importance of document control, auditing, and data review, to reduce the risk of data integrity failures, as consultant Magaly Aham told attendees at a PDA Pharma Industry Trends conference in Brazil in 2017 (2).  This can often be a function of inadequate training, pressure to increase output, and a misunderstanding of priorities, she noted.

Often, when regulators note these problems during inspections, Aham said, the deficiencies will fall under 21 Code of Federal Regulations (CFR211.22 (a), for “failure to establish an adequate quality control unit with the responsibility and authority to approve or reject all components … in process materials and drug products.” She recalled cases where one company’s quality control (QC) department allowed the use of adulterated API manufactured by another company.  The department had approved CoAs for six APIs as well as finished products before running QC and release tests, while the production manager signed and dated the “prepared by” and “checked by” sections in the CoA. 

Depending on the product involved, such omissions might have fatal results, especially when potentially hazardous materials are being formulated for sensitive patient populations.  The level of risk involved was clear in a recent case where FDA inspectors found that a CMO of homeopathic infant’s teething tablets accepted raw materials without validating data in CoAs or performing adequate material testing. These failures resulted in product that contained varying levels of the API belladonna, and a warning letter to Raritan Pharmaceuticals (11) in June 2017. 


Sharing the blame and the cost

In the end, compliance problems will only be shared by all supply chain partners if they are not accounted for, and prevented. Strong supplier quality agreements and clear delineation of roles and responsibilities are a key first step, especially where production involves several different outsourcing partners, according to quality expert Sue Schniepp.  She recalls a situation where a CMO was making clinical trial quantities of an API for a drug manufacturer (12).

As the sixth manufacturing run of clinical materials was about to begin, the CMO noticed that the API looked different than it had in previous runs, although the API supplier’s CoA showed that it met specs. The manufacturer had contracted with a third-party lab for API release testing, so the CMO could only run an incoming material identity test, Schniepp explained.

After the manufacturing run, product was sent to another testing lab, which found that the material was out of spec. The CMO asked for permission to talk with the API manufacturer to address the quality issues, but the drug manufacturer would not allow it, so the clinical trial batch was placed on hold.
Then during a regulatory inspection, all problems were revealed and, as a result, the CMO, client, and API manufacturer all received 483s and product approval was delayed.

As Ciurczak says, pharmaceutical quality by design (QbD) offers partners an opportunity to supplement and go beyond the CoA, to prevent quality problems from the start.  Once manufacturers get results from design of experiments and design space work, they can then specify optimal ranges of values such as moisture content, crystallinity, and particle size distribution to API and raw material suppliers, and offer to pay a premium for product that meets those criteria.

In the end, buyers must still test product, and validate CoAs, to mitigate data integrity and drug safety risks. In a complex, interconnected global supply chain, trust alone just won’t cut it, as more manufacturers are discovering.


1. T. Felton-Clark, “cGMP Case Studies,” a presentation made at Regulatory Education for Industry: Focus on cGMPs and FDA Inspections, FDA and Small Business and Industry Assistance Program, Silver Spring, MD, July 15, 2015.
2. M. E. Aham, “

,” a presentation at the PDA Pharma Industry Trends Conference, March 14, 2017, Sao Paulo, Brazil.
3. FDA, Warning Letter to Prosana Distribuciones Sa de CV, Dec. 18, 2017.
4. Pharmaceutical Technology editors, “Canadian Manufacturer Receives FDA Warning Letter,” Aug. 14, 2017.
5. FDA, Warning Letter to Cellex-C International, August 2, 2017.
6. FDA, Warning Letter to Kim Chemicals Private Ltd, October 16, 2017.
7. FDA, Warning Letter to CBSChem Ltd, January 13, 2014.
8. FDA, Warning Letter to Lumis Pharmaceuticals, March 2, 2017.
9. FDA, Warning Letter to Su Zhou Pharmaceuticals, January 16, 2017.
10. FDA, Warning Letter to Sal Pharmaceuticals, April 20, 2017.
11. FDA, Warning Letter to Raritan Pharmaceuticals, June 20, 2017.
12. S. Schniepp, Pharmaceutical Technology, 41(30)(2017), p. 58. 

Article Details

Pharmaceutical Technology
Vol. 42, No. 4
April 2018
Pages: 60, 64, 66, 69


When referring to this article, please cite it as A. Shanley, “Certificates of Analysis: Don’t Trust, Verify,” Pharmaceutical Technology 42 (4) 2018.