CoACertificate of Analysis

A Certificate of Analysis (CoA) is the formal, lab-signed statement that a specific lot of a material or product was tested against an approved specification and that the results met (or did not meet) that specification. It identifies the lot, lists the tests performed, gives the methods and the acceptance criteria, reports the actual results, and bears the signature of a qualified analyst or quality unit. It is the document a downstream user — whether your QA reviewer, your customer's incoming-goods inspector, or an FDA investigator — relies on to make a release decision.

CoAs flow in both directions. As a manufacturer you receive a supplier CoA with every lot of raw material you accept, and you issue a finished-product CoA with every lot you ship. The regulatory weight on the two is asymmetric: 21 CFR 211.84(d)(2) lets you rely on a supplier CoA only after you have established the supplier's reliability through periodic in-house testing; 21 CFR 211.165 requires you to actually test (not just rely on someone else's test) before you release your finished product.

USP General Notices and ICH Q6A converge on the same list of mandatory CoA fields. A CoA missing any of these is rejectable at incoming inspection and is a finding at audit.

• Material or product name and grade (e.g. 'Microcrystalline Cellulose NF').
• Manufacturer name and address.
• Lot, batch, or control number — the identifier that ties the CoA to a single, traceable unit.
• Date of manufacture and, where relevant, date of expiration or retest.
• The specification version the lot was tested against.
• Each test, the analytical method (e.g. USP <711> Dissolution), and the acceptance criterion.
• The actual numeric or descriptive result for each test.
• A pass/fail conclusion against the specification.
• Date of analysis and signature (or e-signature) of the responsible analyst or quality unit.
• Any deviations, retests, or out-of-specification results and their disposition.

ICH Q6A adds that the CoA should reference compendial methods (USP, EP, JP) by name where applicable, so a downstream user can verify the method without having to obtain proprietary SOPs. For non-compendial methods, the CoA should at minimum identify the SOP number and version.

211.165(a) is unambiguous: 'For each batch of drug product, there shall be appropriate laboratory determination of satisfactory conformance to final specifications for the drug product, including the identity and strength of each active ingredient, prior to release.' The CoA is the artefact that documents this determination. 211.165(d) extends the rule to include acceptance criteria, with the test results within the criteria, before release.

211.165(e) imposes the validation requirement: the analytical methods used to generate the CoA results must be validated and the validation documentation must be available. Methods that have drifted from their validated state generate CoAs whose values are technically non-compliant even when they appear to pass.

211.165(f) closes the loop on out-of-specification results: 'Drug products failing to meet established standards or specifications and any other relevant quality control criteria shall be rejected.' A CoA that records an OOS without triggering a rejection or a documented OOS investigation under 211.192 is itself a finding.

111.75 governs identity, purity, strength and composition testing for dietary supplements. The headline rule is 111.75(a)(1)(i): the manufacturer must conduct at least one appropriate test or examination to verify the identity of any component that is a dietary ingredient. This identity testing cannot be delegated to a supplier CoA without a 111.75(a)(2) exemption petition.

111.75(b) extends to non-dietary-ingredient components: identity, purity, strength and composition must be confirmed before use. Manufacturers may rely on a supplier CoA for these components only after qualifying the supplier under 111.75(a)(2) — meaning periodic in-house verification of the supplier's CoA values.

The FDA's most-cited 111 finding is the failure to perform identity testing on dietary ingredients and instead rely on the supplier CoA without an approved exemption. The CoA you receive does not substitute for the test you owe.

A supplier CoA accompanies a lot of incoming material. Your obligation is twofold: confirm the CoA on its face is complete and signed (a CoA missing the lot number or signature does not satisfy 211.84), and confirm the supplier's reliability through periodic in-house testing. 211.84(d)(2) permits release of a component on the basis of the supplier CoA only after you have established the reliability of the supplier's analyses at appropriate intervals.

An in-house CoA is the certificate your own lab generates for a finished or intermediate lot. It is the artefact you ship to your customer and the artefact the FDA will ask for when investigating a release. It must be tied to the BMR/BPR for the batch, must reference the specification version in force at release, and must be signed by the quality unit.

Modern eQMS treats supplier CoAs as documents in the supplier-doc table (audience: from-supplier) and in-house CoAs as records generated from the LIMS test results, e-signed, and rendered through the regulated-report PDF pipeline.

An OOS result on a CoA cannot be quietly retested away. FDA's 2006 OOS guidance (still the operative document) requires a phase-one laboratory investigation to rule out analyst error or instrument fault, followed if necessary by a phase-two manufacturing investigation. Retests are permitted but must be pre-defined in an SOP and the original OOS result must remain in the record.

The CoA must reflect the full OOS history: the original result, the investigation reference, the retest results, and the final disposition. A CoA that only shows the passing retest result — with the OOS suppressed — is data integrity fraud.

Every value on a CoA must be Attributable, Legible, Contemporaneous, Original and Accurate. The analyst who ran the HPLC must be identifiable from the audit trail. The result must be the original value the instrument produced, not a rounded or transcribed version. The integration parameters used must be reproducible. Any reprocessing of the chromatogram must be documented and the original integration retained.

PIC/S PI 041 and FDA Data Integrity guidance both treat CoA generation as one of the highest-risk processes for data-integrity failure. A LIMS that allows manual override of instrument values without an audit trail, or that allows the analyst to delete a chromatogram before signing, is non-compliant regardless of what the CoA PDF looks like.

Customer pressure is moving the CoA from PDF to structured data. Large pharma and food customers increasingly require digital CoAs as XML or JSON that can be ingested into their incoming-goods system without rekeying. The PDF remains the human-readable artefact; the structured payload is what feeds automation.

The most common formats are EDI 863 (Report of Test Results) for transactional shipments, GS1 EPCIS for serialised products, and customer-specific JSON schemas. A CoA that supports both PDF and structured payload from the same authoritative LIMS data avoids the dual-source-of-truth problem.

USP is piloting a Digital Specification (DS) initiative that publishes machine-readable specs which a CoA generator can consume directly. Early adopters can prove method version, acceptance criterion and result-against-spec at the parser level rather than at human review.

1. OOS values present in the LIMS audit trail but absent from the CoA.
2. Specification version on the CoA does not match the version in force at release.
3. Analytical method has drifted from its validated state — values technically non-compliant.
4. Supplier CoA accepted without the periodic in-house verification required by 211.84(d)(2).
5. Identity test for a dietary ingredient delegated to the supplier without a 111.75(a)(2) exemption.
6. CoA signed by an analyst who also ran the test — independence broken.
7. Reprocessed chromatogram on the CoA with the original integration deleted.
8. Lot number on the CoA does not exactly match the lot number on the BMR/BPR.
9. Expiration or retest date missing from a CoA for a material that has one.
10. CoA stored only as a printed PDF — the LIMS audit trail is not retained for the predicate-rule period.

In V5 a CoA is not a document an analyst types up — it is rendered from the LIMS test results, the active specification version, and the lot record. The PDF is a representation; the record of record is the structured data plus its audit trail.

• Specifications are version-controlled and approved with two e-signatures. The CoA always renders against the version in force at the lot's release.
• LIMS test results are captured at the instrument where possible (HPLC, GC, balance), with the analyst's authenticated user_id and an immutable audit trail.
• Out-of-spec results auto-generate an OOS investigation record; the CoA cannot be signed until the OOS is resolved with a documented disposition.
• Supplier CoAs are stored against the lot in the supplier-doc table; V5 tracks the periodic in-house verification cycle and flags lots accepted under an expired qualification.
• Finished-product CoA generation is a two-component e-signature step. The signer must be qualified and independent of the analyst who ran the test (independence enforced at the database tier).
• The PDF is rendered Worker-safe with @react-pdf/renderer and stored in the regulated-reports bucket keyed by tenant id. The structured CoA payload (JSON) is available for EDI 863 or customer-specific schemas.
• Retention applies to the structured data, the audit trail, the chromatograms and the rendered PDF for the full predicate-rule period.

See below for regulator-grade answers to the questions buyers ask most often about CoA management.