CoCCertificate of Conformance

A Certificate of Conformance (CoC) — sometimes called a Certificate of Compliance, Conformity, or Conformity to Specification — is a signed statement from a supplier that the lot or batch supplied conforms to the agreed specification or purchase order. Unlike a Certificate of Analysis, it typically does not include per-attribute test results — it is an attestation, not a data report.

CoCs are widely used for off-the-shelf components, packaging materials, hardware, fasteners, labels, cartons, and any item where the supplier's quality system is trusted and the spec is straightforward ("this carton meets drawing X rev Y", "this label meets artwork file Z, version 4"). They are the right tool when the spec is clear, the supplier is qualified, and the cost of per-lot testing outweighs the risk.

A CoC is a regulated record in every quality system. ISO 9001 §8.4 expects you to control externally provided products; a CoC is one of the most common evidence types for that control. Pharma (21 CFR 211.84), supplements (111.75) and medical devices (820.50) have additional rules layered on top — covered in the sections below.

The two are not interchangeable. A CoC where a CoA is required is a finding. A CoA where a CoC is fine is overkill but harmless. Some quality agreements require both: a CoA from the manufacturer plus a CoC from the distributor confirming the CoA matches the lot delivered.

• Supplier name, address and (if applicable) DUNS / GLN / regulatory establishment number.
• Customer name, PO number, and customer part number.
• Product description, supplier part number, GTIN (where assigned).
• Lot / batch number and the quantity supplied under that lot.
• Date of manufacture and (where applicable) expiry / retest / shelf-life date.
• Reference to the specification, drawing or material standard conformed to, including the revision in force at the time of manufacture.
• Statement of conformity — explicit language that the lot meets the referenced specification.
• Signature of an authorised representative of the supplier — name, title, and date.
• Date of issue.
• Optional but increasingly expected: country of origin, batch traceability reference back to the supplier's MRP / MES, and reference to any sub-contracted operations.

Pharma — 21 CFR 211.84

Under 21 CFR 211.84, a pharma manufacturer cannot rely on a supplier's CoA or CoC alone for the identity of an active or excipient — at minimum, identity must be confirmed in-house through an appropriate test (typically IR / NIR / HPLC depending on the material). The CoA or CoC can substitute for other attribute testing (assay, purity, residual solvents) only after the supplier is qualified through audit and ongoing validation.

Dietary supplements — 21 CFR 111.75

For dietary supplements (21 CFR 111.75), the rule is similar — at least one identity test must be performed in-house even with a supplier CoA or CoC on file. The qualified person performing the identity test must be documented, and the test methods must be validated for the specific component.

Medical devices — 21 CFR 820.50

For medical devices (21 CFR 820.50), purchasing controls require that suppliers be evaluated and that incoming product meet specified requirements — a CoC alone may be acceptable for low-risk components if supported by supplier qualification and documented purchasing data. For critical components (those that affect device safety or performance), the device manufacturer typically requires both a CoC and either incoming test or third-party verification per the supplier-control SOP.

Food (FSMA Preventive Controls / GFSI)

Under FSMA Preventive Controls (21 CFR 117) and any GFSI-recognised scheme, a CoC is part of the documented supplier verification programme. Where a supplier-controlled hazard (allergen, pathogen, mycotoxin) is identified, a CoC alone is generally insufficient — verification activities (audit, in-house test, third-party COA) are also required.

ISO 9001:2015 §8.4

ISO 9001 requires the organisation to determine and apply criteria for the evaluation, selection, monitoring of performance and re-evaluation of external providers. A CoC is one of the most common pieces of evidence; the depth of additional verification is risk-based and documented.

A CoC programme only works if the underlying supplier qualification works. A signature from an unqualified supplier on a CoC is worth less than the paper it's printed on. Defensible supplier qualification has four moving parts:

1. Initial qualification — audit (on-site, remote, or paper-based depending on risk), questionnaire, capability assessment, regulatory licence verification, samples tested against spec, financial-stability check.
2. Quality agreement — a written agreement covering specification, change-notification (PCN), recall obligations, sub-contracting rights, CoA/CoC requirements per material, retain-sample policy, and audit access.
3. Ongoing monitoring — non-conformance trend, on-time-in-full performance, periodic CoA re-verification, complaint handling.
4. Periodic re-qualification — typically every 1–3 years depending on risk, more frequent if the trend deteriorates.

V5's supplier portal lets suppliers upload CoAs and CoCs against your POs directly, with structured fields so the lot number, dates and spec reference are captured automatically — no PDF parsing at receiving, and no copy-paste from email.

• Generic CoCs that do not name the lot — useless for traceability.
• Treating CoC as sufficient for materials that legally need a CoA + identity test (pharma APIs, supplement actives).
• Filing CoCs in email rather than against the inventory lot they describe.
• Not noticing when a CoC arrives without a required signature, or with an electronic signature that has no certificate behind it.
• Letting suppliers downgrade from CoA to CoC silently without re-qualification (often happens with second-source materials).
• CoC references a specification revision that is no longer current — meaning the supplier manufactured to an obsolete spec.
• CoC signed by a name that nobody at the supplier can identify when challenged.
• Letter of conformance covering "all product supplied" with no lot enumeration — a single signature pretending to cover an indefinite future.

1. Sample a finished-product lot. Walk back to every raw / component lot it consumed. For each, demand the CoA or CoC.
2. For each CoC, verify the lot number matches the goods-receipt and the inventory transaction.
3. Verify the supplier is on the approved supplier list, current, with an in-date qualification on file.
4. Verify the specification reference on the CoC matches the current released specification at the time of receipt.
5. Verify the signature is a real person whose authority to sign is documented (delegation list, signature register).
6. Verify that any non-conformance noted on the CoC was triaged through your NCR / deviation process before lot release.
7. For pharma / supplements: verify the in-house identity test was performed and signed off.

An auditor will pick one or two finished-product lots and follow this trace end-to-end. If any link is weak — missing CoC, mismatched lot number, expired supplier qualification, missing identity test — the finding will be cited at the system level, not the lot level.

Electronic CoCs are now the norm for any supplier with a modern QMS. They count as electronic records under 21 CFR Part 11 and EU Annex 11 when used to satisfy a regulated requirement. The same data-integrity expectations apply — the e-signature must be uniquely attributable to the signer, the record must be tamper-evident, and the audit trail of any changes must be preserved.

Where a supplier sends a PDF CoC by email, treat the PDF as a controlled record once attached to the lot in your QMS. Do not allow the lot record to point at a mailbox attachment that can be deleted or modified — pull it into the QMS and lock it.

You qualify the supplier (audit, history, capability), agree the spec and what documentation accompanies each shipment (CoA per lot, CoC per lot, both, neither), then accept CoCs against that agreement. Periodic re-qualification keeps it honest. The CoC is the routine evidence; the periodic audit is the trust-but-verify check. Without the audit, the CoC is just a piece of paper.

In risk-based supplier programmes (ISO 9001, GFSI, ICH Q9), the depth of verification scales with the risk of the material. A label that's miscoloured is annoying; a label with the wrong allergen statement is a recall. A CoC alone is fine for the first; the second needs CoC + sample-on-receipt verification.

Many components arrive with a CoC from a distributor or contract manufacturer rather than from the original maker. The regulatory expectation does not stop at your immediate supplier — the supplier-control loop must reach back to wherever the spec-affecting operation actually happened. A distributor's CoC saying "we re-packed product manufactured by X" is acceptable only if X is also on your approved-supplier list with a current qualification, and your quality agreement with the distributor mandates pass-through of the original manufacturer's CoA where the regulation requires one.

The pattern that survives audit:

1. Map every sub-contracted operation per supplier — packing, sterilisation, irradiation, blending, particle-size reduction, labelling. Each one shifts the spec.
2. Qualify each sub-contractor that performs a spec-affecting operation, even if you transact only with the prime supplier. The quality agreement must give you the right to audit them, or evidence that the prime has audited them on a defined cadence.
3. Require the prime supplier's CoC to reference (by name and lot) any sub-contracted operation performed on the lot, plus pass-through of the sub-contractor's CoA where the regulation requires test data (e.g. sterilisation cycle records for medical devices, contract-analytical CoAs for pharma actives).
4. Treat unannounced changes in sub-contractor as a Permanent Change Notification (PCN) trigger — if the prime supplier swaps the sub-contractor without notifying you, the supplier qualification is in breach and lots produced after the switch are unauthenticated.

The most common failure mode is a distributor with three or four upstream sources rotating silently — each lot legitimately conforms to spec, but no two lots come from the same upstream chain, and no individual upstream is qualified by the receiving site. The first complaint that has to trace back to a specific upstream operation exposes the gap.

Goods-in is where the CoC programme either works or fails. A workflow that prevents release of an undocumented lot is non-negotiable; a workflow that captures the CoC into the lot record at the moment of receipt makes every downstream trace one click rather than one hour. The minimum sequence:

1. Scan the inbound delivery: PO matched, supplier confirmed against approved list, qualification in date.
2. Capture lot number, quantity, date of manufacture, expiry from the case / pallet label (GS1-128 preferred).
3. Attach the CoC (and CoA if required by spec) to the lot record at the point of receipt. The system blocks the put-away transaction until the document is present and the lot number on the document matches the goods-receipt.
4. Validate the spec revision quoted on the CoC against the current released spec — out-of-date references route the lot to NCR for QA decision before release.
5. Validate the signer against the supplier's signature register where one exists (most quality agreements maintain one for high-risk materials).
6. For materials needing in-house verification (pharma identity per 211.84, supplement identity per 111.75, medical-device incoming inspection per 820.80), the lot stays quarantined until the verification is signed off.
7. Lot status moves from received-quarantined to released only on QA disposition with electronic signature and timestamp.

The hard cases are not the missing CoCs — those quarantine cleanly and force a phone call. The hard cases are the CoCs that arrive complete but contradict your incoming verification: supplier says identity confirmed; your IR scan disagrees. Supplier says assay 99.4%; your retest says 97.8%. Supplier says lot Z; your label says lot Z-A. The workflow for these:

• Quarantine the lot immediately; do not consume any of it pending resolution.
• Open an NCR with the lot, the CoC, the contradicting evidence, and the disposition options (use as-is with documented justification, return to supplier, rework, scrap, deviation to use under exceptional conditions).
• Notify the supplier formally within the timeframe agreed in the quality agreement (typically 5 business days for routine, 24 hours for safety-critical).
• Run an independent confirmatory test (different analyst, different instrument, ideally different method) before concluding the supplier's CoC is wrong.
• Document the resolution and feed it into the supplier's performance file — recurrent discrepancies drop the supplier's qualification score and may trigger a for-cause audit.
• If the issue is systemic (multiple lots, same defect), invoke the recall clause of the quality agreement and treat as a market-withdrawal candidate even if the lots are still in your warehouse.

The audit-defence asset here is the trend report: discrepancies per supplier per year, broken down by category (identity / assay / quantity / lot mismatch / spec-revision mismatch). A trend that is flat or improving demonstrates the supplier-quality programme works; a trend that is rising and clusters on one supplier is the auditor's lead-in to questioning re-qualification frequency.