The Role of CoAs in Supplier Oversight

Published on: 

Industry experts discuss best practices for certificates of analysis.

Certificates of analysis (CoAs) are used by materials suppliers to identify the product they are providing to a pharmaceutical manufacturer. They include information such as product name, material grade, batch number, expiration dates, testing dates, information on analytical testing performed on the material, as well as additional product information. According to Quincy Mehta, senior manager, Consumables Product Management at SCIEX, “CoAs are vital in ensuring both the outcome and quality of a product. CoAs contain key information relaying to a customer that each lot or unit of a product is manufactured, tested, and qualified for their application of use. SCIEX assigns test parameters and information in CoAs based on the needs and target applications of our customers. This provides a key level of support and confidence that SCIEX products are ready for use in our customer’s own quality controlled environments.”

Pharmaceutical Technology spoke with industry experts about the importance of CoAs and best practices for writing and working with these important documents.

Experts interviewed include: Agata Ochocinska, head of Quality (Europe) at Actylis; Peter Phillips, VP of Quality Operations at BIOVECTRA; Sarah Breen, senior manager, Quality, at C2 PHARMA; Subbareddy Inta, senior director, Quality and Compliance, Swati Tipnis, lead, Analytical Quality and Compliance, and Mayank Nagar, vice president and head, Tech. Services & Product Launch Management, all at Dr. Reddy’s Laboratories; IPEC Americas; Shailesh Vengurlekar, senior VP, Quality & Regulatory Affairs, at LGM Pharma; Siegfried Schmitt, vice president, Technical, at Parexel; and Susan J.Schniepp, distinguished fellow at Regulatory Compliance Associates.

CoAs and quality oversight

PharmTech: How does one assure regulators that CoAs are accurate and reliable?

Ochocinska (Actylis): Each organization must establish strict procedures governing the development of CoAs, including QC [quality control] methods, documentation practices, analytical methods and QA [quality assurance] processes in line with regulatory requirements.

These procedures should be outlined in SOPs [standard operating procedures] to guide the employees who sample, test and issue these documents. The system must be regularly verified, and its compliance confirmed (ex. by audit) providing proof of compliance and thus assuring regulators of the accuracy of generated documents, CoAs.

Phillips (BIOVECTRA): Regulators from FDA and Health Canada carry out regular inspections to audit the manufacturing process and product release to ensure it includes the generation of an acceptable CoA. They review the raw data that is included and the methods used to transcribe data onto the CoA.

IPEC Americas: Easing regulators’ concerns regarding CoA accuracy is best done through a comprehensive risk assessment and supplier qualification. If due diligence is performed, which should include an on-site audit, if possible, in which testing records and data traceability to the CoA are reviewed and verified, the concerns regarding CoA accuracy should be mitigated.

Vengurlekar (LGM Pharma): By performing on-site audits, regulators are able to review the data in person and ensure it is accurate. Once this has been done, with subsequent CoAs, the regulators can request the data electronically. Having a quality assurance representative also sign the CoA verifies that the information has been reviewed and verified by a second party.

Breen (C2 PHARMA): A standard operating procedure must be in place to document the creation, review, and approval of certificates of analysis. The [SOP] must detail the level of review that is performed on the CoA. Adequate control must be in place to ensure that the possibility of an incorrect CoA being released are kept to a minimum. For example including several level of review both within and between departments for CoA creation, review, and approval. Employers should champion quality culture making employees take quality focused actions.

Schniepp (RCA): The best practice to be able to assure regulators you have control over your supplier is to establish a robust quality agreement, periodically audit the supplier, and periodically verify the analytical results listed on the CoAs.

Nagar, Inta, and Tipnis (Dr. Reddy’s Laboratories): The tests mentioned on the CoA should be verified if they are compendial and validated. If they are in house tests, ensure they are accurate to be used for testing the product. Also, having one person to prepare the CoA and another review and approve it ensures reliability of the CoA. If the CoA is approved by QA who is independent of the manufacturing or QC unit, it adds an additional level of confidence and prevents bias.

PharmTech: Who is ultimately responsible for incorrect information on a CoA?

IPEC Americas: An excipient CoA is a legal document that certifies the quality of the excipient and demonstrates that the batch conforms to the defined specifications, has been manufactured under appropriate GMP [good manufacturing practice], and is suitable for use in pharmaceuticals. The excipient manufacturer or supplier who has generated the CoA is responsible for its accuracy. The IPEC-PQG Good Manufacturing Practices Guide for Pharmaceutical Excipients provides best practices for ensuring the quality of excipients and integrity of CoA data.

Vengurlekar (LGM Pharma): This responsibility solely lies on the supplier, and more specifically, it falls upon the person who is generating and entering the information in the CoA. Most of the time, this responsibility will fall upon quality control as it is their role to ensure the information is accurate and complete.

Phillips (BIOVECTRA): In the rare event a mistake is made, it is whoever generated the CoA who is responsible. We have audit trails, all electronically recorded, to identify when in the process a mistake occurred.

To avoid incorrect information, an analyst tests the product, generates the result, and records it onto the CoA. Then, our quality assurance team reviews all the raw data and ensures accurate transcription onto the CoA. These processes help avoid mistakes.

Breen (C2 PHARMA): On a manufacturing site some of the following people have the potential to impact the final CoA. The research chemists that create the synthetic route for the product must ensure that any impurities that are not purged are included in the final specification. The process team involved in the validation must ensure that the final output material is a homogeneous mixture as only meaningful results come from a homogeneous material. The quality control analyst must ensure that methods are validated correctly and are capable of detecting the required impurities. They are also responsible for ensuring the methods are executed appropriately and the data is transcribed correctly into the CoA. [QA] does a review of the batch record and the [QC] data in order to ensure compliance before creating the final CoA. [QA] are the final approval on the CoA, but rely on the competence of those in the previous steps.

Ultimately everyone on a site is responsible if incorrect information appears on a CoA as quality is everyone’s responsibility.

Best practices for CoAs

PharmTech: What are some best practices for writing CoAs?

Schmitt (Parexel): They should be auto-generated by suitably configured documentation management systems. The data required to populate the CoA should not be entered manually, but should be electronically transferred from the instrument to the CoA-creating system, where this is possible. Typically, CoAs are created in Portable Document Format (PDF). To assure compliance with archiving requirements, PDF/A should be used. In fact, unless mandated by law, CoAs should only be created, signed, and issued electronically.

Schniepp (RCA): One of the best practices for writing CoAs is to avoid listing ambiguous test results (i.e., pass/fail, < X, > X, ). When information on the CoAs isn’t specific, it is much harder for companies to perform deviation, investigation, or CAPA [corrective and preventive action] analysis into product failures.

Vengurlekar (LGM Pharma): There are very specific guidelines already put into place for drafting a CoA by governing regulatory bodies. Each regulatory body is clear in their expectations for what information must be included, including the expected document format as well as the specific required information. It is best practice to stick to those expectations, so all information is accurately captured.


IPEC Americas: In the year 2000, IPEC-Americas published the first version of the Certificate of Analysis Guide for Bulk Pharmaceutical Excipients to assist excipient manufacturers in preparing certificates of analysis. The most recent version of this guide [was published] in
October 2022. The guide provides a framework for [CoA] content and best practices. According to the guide, ‘A CoA for excipients should be prepared and issued by the company responsible for the material. It is expected that a complete and accurate CoA is provided to the user (medicinal product manufacturer) for each batch and/or delivery of excipient.’

Nagar, Inta, and Tipnis (Dr. Reddy’s Laboratories): Certificates of analysis should be issued for each batch of intermediate or API or FP [finished product] manufactured/produced. The CoA for any product should be complete, legible, and comprehensive with all the information regarding the product. It should have at the bare minimum the name/logo of the manufacturer, name of the product, batch number, date of manufacture and expiry or retest, name of the tests performed with acceptance criteria and results. Finally, the CoA should be signed by the personnel preparing it and countersigned a personnel reviewing and approving it. The CoA should also be written and approved as close as possible to the date of testing.

Phillips (BIOVECTRA): It’s essential to establish which of a product’s critical quality attributes (CQAs) need to be tested. Gathering data about CQAs defines the expected specifications, which are tied into the process and rely on the capability of the test methods. Standard tests measure appearance, identity, purity, and potency. Tests with greater specificity are needed for the measurement of things like process impurities. ICH [International Council of Harmonisation], which BIOVECTRA uses to govern its quality system, provides guidance on defining specifications.

A good CoA program needs electronic record-keeping to simplify version control, history, and change control. It’s best practice to have a document management system (DMS).

PharmTech: Do sponsor companies or contract development and manufacturing organizations (CDMOs) have input on what is included in a supplier’s CoA?

Schniepp (RCA): Yes, CDMOs should have input for two reasons. If a CDMO is purchasing material for use in multiple customers’ products, they should be the primary negotiator as to what information is needed on the CoA so the material is accepted by all the affected customers. If the client is buying the material for use only in their products, the CDMOs should still have input on the contents of the CoA because the material will be used at their site and they need to know if it will impact any other products or if there is cross contamination considerations to be addressed.

Ochocinska (Actylis): Supplier CoAs can be adapted to specific requirements; however, minimum regulatory requirements must be adhered to in terms of the general content as pharmacopeial monograph (if applicable). Additional testing may be included or more rigorous testing standards than the compendial grade may be applied if necessary.

Vengurlekar (LGM Pharma): Yes, they absolutely can. If a supplier is not following the guidelines as required, then the sponsor company can request more information and ensure all guideline materials are provided. Occasionally, clarification on a certain test will also be required. I’ve seen CDMOs ask for additional details from tests that have been performed and are lacking all information. The main details of the CoA will not be altered, but usually it is in the case of clarification or meeting the guidelines.

Phillips (BIOVECTRA): Most of the information in a certificate is similar from product to product. This is true for our core line of off-the-shelf chemical reagents, like dithiothreitol (DTT), for which we’ve established the specifications and provide those to our clients. Having said that, our clients will inform us of a particular CQA they need us to assess, which allows us to develop and apply the appropriate test methods and specs.

For our suppliers, an uncommon case would be if we identified an impurity in the supply of a critical raw material. In that case, we would work with our supplier to add this to their certificate.

Breen (C2 PHARMA): Yes, CDMOs must have an input on what is included in a supplier CoA. A product can be released considering the pharmacopeia, for example Ph.Eur./USP/ChP.; however, the pharmacopeia does not fully cover impurities that may form in the production process as a result of the synthetic pathway. It is for this reason that CDMO and
supplier must work closely together for the analysis methods and specification of each product.

Nagar, Inta, and Tipnis (Dr. Reddy’s Laboratories): Yes. Both product owners or sponsor companies and contract manufacturing organizations collaborate in defining the specification and designing the certificate of analysis. Input is valued from both to ensure the compliance to guidelines, systems, and submission requirements.

IPEC Americas: For standard (“catalog”) excipient products, CoA customization should not be expected by the customer. In some cases, information can be added to a supplier CoA, when agreed upon between customer and supplier. Typically, when information is added beyond the standard CoA, it is done as an addendum rather than modifying the supplier’s standard template. Custom CoAs, even as addendums, can be difficult to manage using standard CoA software, and thus are generally discouraged by suppliers.

PharmTech: What are some best practices for verifying the information in a CoA received from a supplier?

Vengurlekar (LGM Pharma): Typically, there is a SOP in place to establish a procedure for verifying the information. From this SOP, the quality assurance person will be able to take the steps to ensure the information is verifiable. On the receiving end, the sponsor company or CDMO can also have their own procedures set. These procedures can include asking the supplier to provide copies of the lab notebooks which will ultimately verify that the information is correct.

Phillips (BIOVECTRA): It is important not to rely on a supplier’s CoA, especially for critical raw materials. It is best practice to qualify suppliers, verifying their testing protocols and ensuring they have a quality system in place to provide accurate results. Our quality team qualifies suppliers by retesting the material to the supplier’s standard and validating that we get the same results. Ultimately, this reduces the need for us to test everything they supply, relying more on their data. We also conduct an annual review of our suppliers, including to find if there are any emerging FDA or Health Canada trends against a supplier.

Our clients usually audit us on an annual or biannual basis, as well as review all our raw data on a batch-by-batch basis. Some will send our product out for further testing.

IPEC Americas: According to 21 CFR [Code of Federal Regulations] 211 the sponsor may accept a supplier’s CoA provided that they establish the reliability of the supplier’s analyses. The sponsor should determine how best to verify this, which may include an on-site audit of the supplier.

Nagar, Inta, and Tipnis (Dr. Reddy’s Laboratories): Pharmaceutical companies usually do analyze the API or excipient using the compendial method or the method shared by the API/excipient manufacturer and prepare their own CoA and compare the results to the drug substance/excipient manufacturer’s results in the CoA provided. Another practice is to perform vendor qualification and analyze three batches from the supplier and qualify the vendor based on the comparison of the results to the CoA from the supplier. After successfulvendor qualification, one batch could be tested on annual basis with full testing of all the tests on the specification and partial testing of the subsequent batches with only the most critical tests, and adapting the results from the supplier CoA for the non-critical tests based on the vendor qualification and verification of the results for certain no of lots. This practice should be periodically evaluated for potential risk, and should be part of organization’s quality management system

Breen (C2 PHARMA): A [CoA] for commercial release must always be created based on the submitted and approved registered detail. The S41 [the section of the filing that refers to the specifications that are registered for that product] is checked in order to compare the test methods/specification registered versus the test methods/specifications on the CoA. The stability data is checked to ensure that the correct re-test expiry date is present on the CoA. Results generated and reported on the CoA should be observed and if any untoward trends are noted, these must be investigated. The information and transcriptions must be thoroughly checked to ensure compliance. Signatures and dates applied to the CoA are checked to confirm the sequence of event. For example the date of manufacture cannot be after the date of release.

Ochocinska (Actylis): Each CoA must be approved and dated to be valid. While verifying the information on a CoA, one should always refer to the product specification (compendial or agreed), its grade and type (intermediate, API, excipient, cell culture grade, etc.). The type of product will dictate the type of testing mandatory for the specific material allowing for document verification and acceptance.

Schmitt (Parexel): As a minimum, it is necessary to verify whether the correct form and format was used as agreed in the quality/technical agreement. Then, it must be verified that all required test results are included.

A CoA should be digitally signed, otherwise it is necessary to verify that the hand signature isn’t a facsimile. If only a (scanned) copy is provided,
the sponsor must verify during audits that the original and the supplied copy are identical.

Schniepp (RCA): The most conservative approach would be to verify all the information regarding the analytical results by performing the tests. This approach isn’t practical or cost effective. Currently, the best practice for verifying the information on the CoA is to establish a robust quality agreement with the supplier and the establish a program to periodically verify the test results. I would advise the program be tailored to the needs of the material being evaluated. For example, if you only receive a material two times a year, it isn’t realistic to verify the analytical results of that material every tenth lot. The analytical verification time frame for any material should be based on risk analysis.

About the author

Susan Haigney is managing editor of Pharmaceutical Technology.