Quality Agreement – Sponsor/CMO Expectations

This topic is part of the SG Systems Global regulatory & operations glossary.

Updated October 2025 • External Manufacturing Governance & Compliance • QA, Regulatory, Manufacturing, Supply Chain

A Quality Agreement is the legally binding governance document between a sponsor/MAH (brand owner) and an external manufacturer (CMO/CDMO) or critical supplier that assigns who does what, by when, and to which standard to ensure compliant, reproducible product for patients and customers. It sits alongside the commercial supply contract, but it is not about price or volume; it is about the quality system: change control, deviations and CAPA, validations (Process Validation, PPQ), records (eBMR, LIMS/ELN), data integrity (21 CFR Part 11, Annex 11), audits, complaint/recall management, and distribution quality (GDP). A tight agreement prevents ambiguity, shortens batch release, and keeps both parties inspection‑ready under GMP or device/food standards like ISO 13485 and 21 CFR 211.

“A quality agreement is a RACI for compliance: one page to see who owns every control that protects patients and product.”

1) What a Quality Agreement Is—and Is Not

Is: A binding assignment of quality responsibilities and communication pathways covering the entire lifecycle—from raw materials and Goods Receipt and Incoming Inspection to Pack & Ship—with explicit regulatory anchors and system expectations (e.g., 21 CFR 211, ICH Q10).

Is not: A price/terms document, a forecast/S&OP plan, or a substitute for validated controls. The commercial supply agreement manages economics; the Quality Agreement governs how compliant product is consistently made, tested, labeled, and released under GMP and GDP.

2) Roles & Responsibilities (RACI) Across the Lifecycle

A robust agreement includes a RACI or matrix assigning ownership for:

• Quality system governance: Policies, Document Control, training, Internal Audit, APR.
• Materials & suppliers: CoA verification, sampling, Component Release, and escalation via SCAR.
• Manufacturing & IPC: execution in MES, adherence to effective MMR/MBR, and IPC/SPC discipline.
• QC & lab: method transfer/validation, LIMS/ELN controls, OOS/OOT handling.
• Validation: PV, PPQ, utilities/equipment IQ/OQ/PQ, Cleaning Validation, and CPV.
• Release & distribution: batch review, Lot Release, Finished Goods Release, storage (FEFO/FIFO), and transport under GDP.
• Labeling & traceability: Labeling Control, Label Verification, Serialization, GTIN and SSCC, COO/COI declarations.
• IT/OT & records: validated systems (CSV), audit trails, data retention, access controls, and disaster recovery.

3) Core Clauses—The Minimum Content

While formats vary, high‑performing agreements consistently include:

• Regulatory scope & standards: Applicable laws and guidance (e.g., 21 CFR 210/211, ICH Q10, and where relevant ISO 13485).
• Document hierarchy: Which procedures control (sponsor vs. CMO), how conflicts are resolved, and governance under Document Control.
• Communication & meetings: Routine quality councils, escalation paths, and contact rosters.
• Changes: Joint MOC/Change Control with notification thresholds, including formal NoC timelines.
• Investigations & CAPA: Ownership for deviations/NC, NCR/NCMR, OOS/OOT, and CAPA effectiveness checks.
• Validation responsibilities: PV/PPQ plans, equipment IQ/OQ/PQ, Cleaning Validation, and ongoing CPV.
• Release & disposition: Criteria and records for Lot Release, status control (Quarantine/Hold/Release), and shipment authorization.
• Labeling & serialization: Artwork approval, verification, GTIN/SSCC rules, and serialization data exchange.
• Records & data integrity: System validation (CSV), audit trails, e‑signatures, and retention/archival.
• Audits & performance: Audit rights, response timelines, and KPIs (e.g., OTIF, deviation cycle time).
• Complaint/recall: Intake, triage, investigation, field action decision, and notification windows under GDP.

4) Data Integrity & Electronic Systems

Modern agreements must codify how the parties protect electronic records and ensure reconstructable history:

• Unique users, meaningful e‑signatures, and immutable audit trails under Part 11/Annex 11.
• Validated systems (CSV) and data exchanges (e.g., EDI, EPCIS) with change control.
• Single source of truth for eBMR, LIMS, and WMS status, including integration error handling and backups.
• Retention, retrieval SLAs, and export formats per Data Retention & Archival.

Clarity on systems prevents finger‑pointing when an inspector asks to “show the story” of a batch, label, or shipment.

5) Materials, CoA, and Component Release

Because inputs drive outputs, define how the parties control materials:

• How Goods Receipt, Dock‑to‑Stock, and Quarantine are enforced in WMS.
• Sampling/acceptance (statistical plans), CoA verification, and Component Release criteria.
• Supplier issues escalation via SCAR and linkage to MRB for impact disposition.

6) Manufacturing Execution & In‑Process Control

Define execution discipline and evidence:

• Use of MES with effective‑dated MMR/MBR and captured eBMR.
• Enforcement of IPC, alarms, and SPC control limits; handling of excursions.
• Equipment status and qualification ties to IQ/OQ/PQ; cleaning holds under Cleaning Validation.

Manufacturing deviations trigger timely investigation, MRB review, and, if needed, rework under controlled instructions—not ad‑hoc fixes.

7) Laboratory Controls, OOS/OOT, and Method Management

Set expectations for method transfer/validation, data review, and forensics:

• Analytical method responsibilities and MSA where applicable.
• LIMS/ELN use, peer review, and calculation verification; chromatographic evidence (e.g., HPLC).
• OOS and OOT pathways, including escalation to the sponsor and impact assessment.

8) Packaging, Labeling & Traceability

Label risk is patient risk. Agreements should lock down:

• Artwork ownership, change approval, and template control per Labeling Control.
• At‑line Label Verification, including fail‑intent scans.
• Global identifiers and logistics unit labeling (GTIN, SSCC) and Serialization event exchange via EPCIS.
• Regulatory declarations (COO/COI) and country‑specific content where required.

9) Validation & Ongoing Verification

Define who authors, approves, executes, and archives validation:

• Process Validation strategy and success criteria; run numbers for PPQ.
• Equipment/utilities IQ/OQ/PQ responsibilities and re‑qualification triggers.
• Ongoing CPV with SPC rules and data sharing cadence.
• Computerized systems under CSV and guidance from GAMP 5.

10) Change Control & Notification of Change

Nothing tests a partnership like change. Agreements should specify:

• What constitutes a change (method, material, equipment, software, label, site).
• Impact assessment, risk tools, and routing through MOC/Change Control.
• Formal NoC timing and content, including regulatory impact and validation/re‑OQ plans.

All approved changes must cascade into controlled documents and configurations under Document Control.

11) Deviations, CAPA, SCAR & MRB

When things go wrong, roles must be crystal clear:

• Deviation initiation and timeline targets; joint review for product impact.
• Supplier failures escalated via SCAR with closure and effectiveness measures.
• Material disposition via MRB and trace to lot genealogy.
• Complaint intake and recall roles under GDP.

Every investigation should close the loop with CAPA and feed systemic learning into APR and audits.

12) Audits, KPIs & Performance Management

Define audit rights, readiness, and measurable performance:

• Audit cadence (for‑cause, routine) and response timelines tied to Internal Audit practice.
• Quality KPIs: OTIF, deviation/OOS cycle time, first‑pass yield, right‑first‑time in eBMR, CAPA effectiveness, and KPI review rhythm.
• Annual review touch‑points for trends in APR.

These metrics de‑risk regulatory exposure and drive continuous improvement across sites and products.

13) Warehousing, Distribution & Handover Quality

Distribution is part of quality: codify responsibilities for storage and shipment quality under GDP.

• Warehouse status control in WMS (Quarantine to Released), bin rules (Locations/Topology), and FEFO/FIFO.
• Pick/pack interlocks—Directed Picking, label checks—and compliant handover at Dock Loading.
• Order fulfillment expectations aligned to Pack & Ship, including documentation and scan trail.
• Traceability standards and data exchange (EPCIS, SSCC).

14) Records, Retention, Training & Security

Agreements should codify:

• Record formats and storage, retrieval SLAs, and retention/archival periods.
• Training responsibilities and qualification of personnel performing GMP work.
• Business continuity for critical systems and data exports.
• Confidentiality and access protocols during audits and investigations.

When an inspector asks for a three‑year‑old eBMR or label proof, this clause ensures it can be retrieved quickly and intact.

15) Metrics That Demonstrate a Healthy Partnership

• Right‑First‑Time (RFT): eBMR first‑pass review pass rate, linked to MES discipline.
• Deviation cycle time: detection to closure; percent with verified effectiveness.
• Change velocity: approved changes closed on time via MOC/Change Control.
• Supplier quality: SCAR count and recurrence rate; MRB scrap/rework trend.
• Release lead time: batch completion to Lot Release/Finished Goods Release.
• Distribution quality: GDP deviations per 1,000 shipments; label scan non‑read at dock.

Make KPI review part of the agreement’s governance so insights turn into improvements, not just slides.

16) How This Fits with V5 by SG Systems Global

V5 Solution Overview. The V5 platform operationalizes Quality Agreements. Configuration is versioned, evidence is attributable, and cross‑module interlocks (identity, status, signatures) are testable and reportable—ideal for demonstrating shared controls to regulators and customers.

V5 QMS. In the V5 QMS, you encode the agreement into workflows: Approval Workflow for procedures, joint MOC/Change Control, deviations/CAPA, and supplier escalations via SCAR, all under Document Control with audit trails.

V5 MES. The V5 MES ensures effective‑dated MBR/MMR, captures eBMR with audit trails, enforces IPC/SPC, and integrates lab/warehouse records so batch review by exception aligns with the agreement’s release expectations.

V5 WMS. The V5 WMS enforces status discipline (Quarantine → Hold → Released), Directed Picking, label/serialization verification (GTIN, SSCC), and compliant handover at Dock Loading—turning agreement text into scanning rules and hard stops.

Bottom line: With V5, the agreement is not a PDF—it is a living control system. The same interlocks you promise auditors are the ones that run every lot, label, and shipment.

17) FAQ

Q1. How is a Quality Agreement different from a supply agreement?
The supply agreement covers commercial terms (price, volume, forecasts). The Quality Agreement governs quality system responsibilities—documents, changes, batch review, labeling, CAPA, audits, and distribution quality—under GMP/GDP expectations.

Q2. Who “owns” investigations and CAPA?
Ownership depends on where the failure occurred. The CMO typically leads manufacturing/lab investigations; the sponsor approves impact to product and market and can raise a SCAR. Both parties align on root cause, CAPA, and effectiveness checks.

Q3. What changes require formal notification?
Any change that can affect product quality, regulatory filing commitments, labeling, serialization, equipment/utility qualification, or validated systems. The agreement should point to NoC windows and the joint MOC/Change Control process.

Q4. How detailed should labeling and serialization clauses be?
Very. Specify artwork ownership, version control, at‑line verification, GTIN assignment, SSCC rules, and serialization event exchange (e.g., via EPCIS), including rework/decommission scenarios.

Q5. How often should the agreement be reviewed?
At least annually or when significant changes occur (process, equipment, labeling, site, regulation). Use the APR or joint quality council to review KPIs and drive updates through Document Control.

Q6. What if audit findings reveal gaps in the agreement?
Log a deviation, evaluate patient/product risk, implement interim controls, and revise the agreement via MOC with updated procedures and training. Verify effectiveness at the next Internal Audit.

Related Reading
• Core System & Records: GMP | ICH Q10 | 21 CFR Part 11 | Annex 11 | CSV | Document Control | Audit Trail (GxP)
• Execution & Release: MES | eBMR | Lot Release | Finished Goods Release | GDP
• Changes & Issues: MOC | Change Control | NoC | Deviation/NC | CAPA | SCAR | MRB
• Label & Traceability: Labeling Control | Label Verification | GS1 GTIN | SSCC | Serialization
• Warehouse & Handover: WMS | Warehouse Locations | Dock Loading | Pack & Ship