COA Design: How to Build a Certificate of Analysis That Passes Audits
Learn how to design a Certificate of Analysis that satisfies regulators, clients, and auditors — with step-by-step guidance and common formatting pitfalls to avoid.
A well-designed Certificate of Analysis is more than a printout — it's a legally defensible document that communicates sample disposition to clients, regulators, and internal QA teams. This guide walks you through building a COA that's accurate, audit-ready, and easy for any reviewer to interpret.
Before You Start: Prerequisites
Before opening a template or configuring a LIMS, confirm the following:
- Know your regulatory scope. ISO 17025, FDA 21 CFR Part 11, state cannabis regulations, and USP standards each impose different required fields. Identify which apply to your lab before designing anything.
- Have approved method references on hand. Every test result on a COA should trace back to an approved SOP or published method (e.g., AOAC 2012.23, USP <467>).
- Define pass/fail specifications in writing. A COA cannot flag a result as "Pass" or "Fail" unless the acceptance criteria are documented and version-controlled.
- Confirm your signature authority list. Most regulated COAs require a named, qualified reviewer signature — not just a login timestamp.
Step-by-Step: Designing Your COA Template
Step 1: Lock in the header block.
The header should uniquely identify the document and the sample without ambiguity. Required fields:
- Lab name, address, and accreditation number
- COA document number and revision
- Sample ID, client name, and lot/batch number
- Date received, date tested, and date issued
Step 2: Build the results table.
Group results by test category (e.g., Potency, Heavy Metals, Microbiology). For each analyte, include:
- Analyte name
- Result with units (e.g., 14.2% THC, not just "14.2")
- Limit of quantitation (LOQ) and limit of detection (LOD) where applicable
- Specification or action limit
- Pass / Fail / OOS disposition
- Method reference
Step 3: Add traceability fields.
Each result row should link to the instrument run, analyst, and reagent lot used. This matters the moment an audit question arises. If your LIMS auto-populates these fields from the sample record, you reduce manual transcription risk significantly.
Step 4: Write a clear disposition statement.
Avoid vague language like "Results attached for your review." Instead, use a definitive statement:
"All analytes tested meet the specified acceptance criteria. This batch is released for distribution."
Or, if any result is OOS:
"Sample lot 2024-HM-0047 contains cadmium at 0.38 ppm, exceeding the 0.20 ppm action limit. This batch is placed on hold pending investigation."
Step 5: Apply version control and electronic signature.
Every issued COA needs a version number and an audit trail showing who approved it, when, and from which IP or workstation. If you're under 21 CFR Part 11, electronic signatures must meet specific authentication requirements — a name typed into a text field does not qualify.
Common Mistakes to Avoid
Mistake 1: Reporting results without units. "14.2" means nothing without context. Always include the unit (%, mg/kg, CFU/g) adjacent to the numeric value.
Mistake 2: Omitting the LOQ. A result reported as "ND" (not detected) is meaningless unless the reviewer knows the detection threshold. Always include LOD or LOQ for each analyte.
Mistake 3: Using a live template with no version control. If your COA template is a shared Word document, anyone can edit it. Template changes must go through change control and be reflected in the document revision history.
Mistake 4: Issuing a COA before OOS investigation is closed. If any result triggered an OOS flag, the COA cannot be finalized until root cause is determined and documented. Labs using a LIMS like Aliquora can enforce this with workflow locks that prevent COA generation while an OOS record is open.
Mistake 5: Inconsistent analyte naming. "Delta-9 THC," "d9-THC," and "THC (delta-9)" are the same thing — but inconsistent naming confuses clients and creates problems during data aggregation or regulatory review. Standardize nomenclature at the method level.
Frequently Asked Questions
What information is required on a Certificate of Analysis?
At minimum, a COA should include the lab's name and accreditation number, sample ID, client information, analyte results with units and specifications, method references, test dates, and an authorized reviewer signature. Specific requirements vary by regulatory framework (ISO 17025, FDA, state cannabis rules).
How long should a lab retain issued COAs?
Retention requirements depend on your regulatory context. ISO 17025 recommends a minimum of five years; FDA-regulated labs often require longer. Store COAs in a system that prevents post-issue alteration and preserves the original audit trail.
Can a COA be amended after it's issued?
Yes, but only through a formal amendment process. The original COA should be voided with a dated notation, and a revised COA issued with a new version number explaining the change. Never overwrite the original record.
What's the difference between a COA and a COC (Certificate of Conformance)?
A COA presents actual test data and results. A COC is a declaration — typically from a manufacturer — that a product meets specified requirements, without necessarily including raw test data. Labs issue COAs; suppliers often issue COCs.
How do I handle a COA when one analyte passes and another fails?
The overall disposition reflects the most restrictive result. If any analyte is OOS, the batch disposition must reflect that — typically "Hold" or "Reject" — even if all other results pass. Never issue a "Pass" COA for a batch with an open OOS finding.
Related reading
LIMS Best Practices for Small and Mid-Size Labs
Practical LIMS best practices for small and mid-size labs — covering sample tracking, OOS workflows, audit trails, and COA generation to strengthen QC operations.
Read COA GenerationCOA Design: Common Pitfalls and How to Fix Them
Poor certificate of analysis design costs labs audits and customer trust. See how Meridian BioAnalytics overhauled their COA process and what changed.
Read OOS InvestigationsOOS Investigation Procedures: A Phase-by-Phase SOP Guide
Master out-of-spec investigation procedures with a technically rigorous, phase-structured SOP covering root cause analysis, CAPA, and regulatory requirements.
Read