COC – Certificate of Conformity

DISCLAIMER: This blog post solely represents my own opinion based on experience, my own opinions and/or interpretations.

What’s in the name?

COC (Certificate of Conformity)

A certificate of Conformity or COC is a statement of a supplier which says that the product delivered meets your predefined specifications and/or the specifications of known standard(s). It’s a way of saying ‘our product was made in accordance with your required specification’

COA (Certificate of Analysis)

is a document issued by Quality Assurance that confirms that a regulated product meets its product specification. They commonly contain the actual results obtained from testing performed as part of quality control of an individual batch of a product.It’s a way of saying ‘ the material or product I’ve supplied has been analyzed to a certain standard or procedure and here are the results’.

Are they sufficient?

In my opinion, I would not solely rely on a COC as evidence that the delivered products were manufactured according to your predefined standards. An audit should be performed on the supplier or OEM to verify the quality management system and the capability to test your product throughout the manufacturing process (incoming, in-process, and finished product stages).

Search for data?

A COC provides little data for evaluation of the delivered product, it just states that the product is conforming to your specifications and/or standard’s specifications.

A COA (Certificate of Analysis) would provide more useful data. The COA includes the actual specifications agreed upon or at least the confirmation that the specifications fall within the agreed upon range. The COA also provides information about known deviations in the manufacturing process and possible contaminants.

What would the regulatory body want?

The regulatory body (FDA, FAMPH, Health Canada…) would rather see a COA than a COC. A COC is sufficient when you can provide substantive evidence that your supplier quality management process is sufficient to ensure the accuracy of the certificate.

How do you develop a COC?

Company style document

The COC should be drafted in a document that bares the company style (logo, color…).


Following information should be provided but is not limited to :

  • Title (e.g. Certificate of Conformity with EU IVD Medical Devices Directive 98/79/EC))
  • Certificate ID;
  • Customer details;
  • For attention of (contact information customer, usually the QA responsible);
  • Applicable standards (e.g. ISO, safety standards…);
  • Article details (e.g. Article reference, quantity, description, client reference, batch ID, Serial No., Test report ID…);
  • A declaration that the manufacturer complies with the predefined specifications and standards;
  • Production site details;
  • Approved and released by section;
  • Signoff(s).

General Example COC


Mock Recall

DISCLAIMER: This blog post solely represents my own opinion based on experience and/or interpretations.

Mock Recall


A mock recall is an exercise in which the process for executing a recall is demonstrated in a theoretical setting.

The mock recall process should be linked to the field actions process.


Motto ‘Practice makes perfect’

Mock recalls are routine exercises conducted by manufacturers, distributors and other trading partners in the supply chain to assess their recall process’ effectiveness and responsiveness.

Ultimately, mock recalls are about mitigating risk and measuring your ability to react to an emergency event with as much precision as possible.


Mock recalls are often described as most valuable practice and should in my opinion be part of your internal audit plan. Based on the criticality of the process I would advice to perform a mock recall once a year or every two-years depending on your internal audit process. If however, your company was involved in an official recall in that timeframe that documentation and exercise can be used to verify the effectiveness and responsiveness of the process.

Recall Team

The first thing you should do is designate a recall team and make it clear who will be responsible for each task in the process.

The recall team will participate in the activities associated with the mock recall process.

A recall team consists mostly out of:

  • Recall coordinator;
  • Qualified Person (if required);
  • QA representative;
  • Other required stakeholders.

Recall Coordinator

The coordinator is responsible for the documentation related to the recall, initiation of the recall request, identification of corrective actions for any deficiencies and/or observation.

Qualified Person (if appropriate)

The qualified person will help identify the release date(s), impacted clients, quantities shipped, and retain sample quantity and location.

QA Representative

The QA representative will help identify the release date(s), impacted clients, quantities shipped, and retain samples.

Will try to resolve all issues discovered during the mock recall exercise and document them in the related documentation for knowledge management and ensure that appropriate corrective actions are taken.

Other stakeholders

Will provide the necessary input.

Process: Raw Material

  • The recall coordinator must pick a random Raw Material.
  • Identify all the batches produced on-site with the selected raw material lot and record them in the related documentation.
  • Select preferable two batches and record them into the related documentation. The batches selected should be on the market at the time of the mock recall.
  • Create a recall notification letter containing the product identification and batch numbers.
  • The notification letter must be communicated to the quality representative and Qualified Person (if appropriate).
  • Verify the reception of the notification letter with electronic or paper-based signing.
  • The quality representative in close cooperation with the Qualified Person (if appropriate) will identify the release date(s), impacted clients, quantities shipped, and retain sample quantity and location.
  • A theoretical reconciliation is made (full batch/lot traceability should be verified).
  • A root cause investigation for the mock deviation leading to the mock recall is performed and an action plan to prevent recurrence is defined.
  • The mock recall coordinator and quality representative must resolve all issues discovered during the mock recall exercise and document them in the related documentation for knowledge management and ensure that appropriate corrective actions are taken.

Failure Mode and Effective Analysis

DISCLAIMER: This blog post solely represents my own opinion based on experience and/or interpretations. As a former Subject Matter Expert Quality Risk Management and trainer in one of the pharmaceutical big 5 companies I have extensive experience in performing and guiding failure mode and effect analyses.

EPISODE – 1 In this series I will give an in-depth view on the different risk assessment techniques, starting with FMEA. The FMEA series will contain 5 episodes.

Failure Mode and Effect Analysis (FMEA)


FMEA is used to define, identify, and eliminate known and/or potential failures, problems, errors… from the system, design, process, and/or services before they reach the customer.



The FMEA technique was developed by army reliability engineers in the late 1950s (9 november 1949 to be exact) to study problems that might arise from malfunctions of military systems.

FMEA Types

Generally, four types of FMEA can be distinguished, they all gave their own focus and objective:

  • System or concept FMEA: A system FMEA focuses on potential failure modes between the functions of the system caused by system deficiencies;
  • Design FMEA: A design FMEA focuses on failure modes caused by design deficiencies;
  • Process FMEA: A process FMEA focuses on failure modes caused by process or assembly deficiencies;
  • Service FMEA: A service FMEA focuses on failure modes (tasks, errors, mistakes) caused by system or process deficiencies.


The quality of the product and/or services must be a company’s number one priority in order to achieve customer satisfaction (focus of ISO, FDA and other standards/legislation) by reducing known or potential problems. FMEA will map the way to continual improvement.

Potential benefits are:

  • Helps to select the best design;
  • Helps in determining redundancy;
  • Increases the likelihood that potential problems will be detected;
  • Establishes a priority ranking for implementing improvements;
  • Helps identify and eliminate potential safety concerns.


A FMEA is best started as early as possible, as soon as a reasonable amount of information is known about the product, process, service, design… the FMEA should be started. Typically an FMEA is started as soon as the project was approved and a preliminary design was approved. You should never wait for all the information to be available.

An FMEA process should start:

  • When preliminary design of new products, processes, systems, or services are finished;
  • When existing products, processes, systems, or services are changed (update existing FMEA(s) or start FMEA(s) when there is none available);
  • When new technology is used/found for existing products, processes, systems, or services;
    When improvements are considered.
  • After the FMEA process is started, the FMEA documentation becomes living documentation meaning it’s a true dynamic tool of improvement.


An FMEA is never truly finished, the documentation will become static when the system, process, product, or service is discontinued.


Information may include:

  • Drawings;
  • Flow Charts;
  • Pictures;
  • Video;
  • Error or incident data;
  • Nonconformities;
  • CAPA (Corrective and Preventive Actions);
  • Post market surveillance data.
  • Outputs

The primary output of FMEA is a list of failure modes, the failure mechanisms and effects for each process step. Information is also given on the causes of failure and the consequences.
Outputs may include:

  • List of potential failure modes ranked by risk probability number;
  • List of recommended actions to avoid the potential failure modes;
  • List of recommended actions that could identify the potential failure modes on time.


FMEAs should be performed by a cross-functional and multidisciplinary team and cannot be performed on an individual basis.

A multidisciplinary team is best comprised of, but not limited to:

  • Operator(s);
  • Engineer(s);
  • Project Manager;
  • Quality Representative;
  • Customer(s).

A team is always defined for a specific project and there cannot be a predefined universal team that will perform all assessments in a company.


FMEA Process

The FMEA process is a time consuming process but it’s worthwhile. There are no specific length or time limits, the length and time is defined by the experience of the team, objectives, and complexity of the process, product or system in scope.

FMEA Sessions

In my experience it’s best to organize short sessions of maximum 3 hours with a short break included. People tend to lose their focus after one hour and half. I’ve been in 8 hour long sessions and I can only state that I’ve achieved more in the 3 hours sessions than I ever would in a complete workday session.

Next Episode (2/5) will focus on the FMEA process itself.