A valid GMP certificate from your contract manufacturing organisation feels like a solid foundation. But from an MHRA inspection perspective, it is significantly incomplete. Here is why:
- A GMP certificate confirms the site was compliant on the day it was inspected. It says very little about what is happening today.
- It tells an inspector nothing about whether your company is actively governing the relationship.
- When an MHRA inspector asks about your CMO, the certificate is one of the first things they acknowledge and one of the last things they rely on.
What inspectors are actually evaluating is whether you – as the MAH or sponsoring company – have independent oversight of that site’s compliance, whether you understand the risks specific to your products being manufactured there, and whether your quality system would catch a problem before it reached a patient.
Read More: Generic Drug Companies and Signal Detection: Why You Can’t Copy Your Originator’s PV System
What the MHRA Is Actually Assessing
The MHRA’s inspection approach rests on one principle: the MAH is responsible for the quality of its products, unconditionally. That responsibility cannot be contracted out. The CMO manufactures on your behalf. The obligations remain yours.
Inspectors are not auditing your CMO during your inspection. They are auditing your oversight of your CMO. The questions they are working through include:
- Does this company have a Technical Agreement with its CMO that accurately reflects current operations and assigns responsibilities clearly?
- Has this company conducted its own audit of the CMO within a risk-appropriate timeframe?
- Does this company have access to relevant batch documentation, deviations, OOS results, and change notifications from the CMO?
- Does this company have a process for reviewing and approving changes at the CMO that could affect product quality or regulatory compliance?
- When the CMO has a problem, does this company find out promptly, and does it have a process for assessing the impact on its own products?
None of these questions are answered by a GMP certificate. They are answered by your quality system, your supplier management programme, and the documented evidence of how that relationship has been managed over time.
The Technical Agreement Gap
The Technical Agreement – or Quality Agreement – between an MAH and its CMO is one of the most frequently cited weaknesses in MHRA inspections involving contract manufacturing. The pattern is consistent:
- Agreements are drafted at the outset of a manufacturing relationship, reviewed once when a product is licensed, and left unchanged for years.
- Meanwhile the actual arrangement evolves: analytical methods are transferred, batch sizes change, new packaging lines are introduced, subcontractors are added, QP arrangements are revised.
- None of these changes are reflected in the Technical Agreement, which ends up describing a relationship that no longer accurately exists.
When an inspector compares the Technical Agreement against what actually happens in practice and finds discrepancies, this is not a minor administrative finding. It signals the absence of a functioning governance framework for the most critical third party in the quality system, and it almost always leads to a deeper examination of every other aspect of CMO oversight.
To avoid this:
- Review the Technical Agreement at least annually and following any material change to the manufacturing or testing arrangement.
- Version-control it with documented approval from both parties.
- Ensure QP responsibilities are precisely defined and match the current arrangement, not a historical one.
Why Your Audit Programme Is the Heart of the Matter
A GMP certificate demonstrates that an independent authority has inspected the site. It does not substitute for your own audit programme, for one fundamental reason:
- A regulatory inspection assesses the site against general GMP standards.
- Your audit should assess the site against the specific requirements of your products, your processes, and your regulatory commitments.
These are different exercises with different objectives. Your audit of your CMO should be asking product-specific questions:
- Are the process parameters for your specific products being consistently applied?
- Are the cleaning validation studies covering contamination risks relevant to your formulation?
- Are environmental monitoring trends in areas where your products are manufactured showing anything that warrants attention, even without a formal OOS or deviation?
- Is the training currency of operators working on your products being maintained?
A site that is broadly GMP-compliant may still have specific vulnerabilities that only your product-focused audit will surface. To build an audit programme that satisfies inspection expectations:
- Document a written risk assessment justifying your audit frequency, distinguishing between, for example, a sterile injectable CMO and a secondary packaging operation.
- Grade findings by severity within your audit report.
- Track CAPA responses from the CMO within your quality system and verify closure independently, rather than accepting the CMO’s assertion that actions are complete.
- Review and approve the risk assessment periodically. Inspectors will ask for it.
Change Control: The Area Most Likely to Catch You Out
Change control failures at the CMO interface are the most common source of serious MHRA findings, because they combine two risk factors: they are frequent, and they often have direct product quality or regulatory implications the MAH was unaware of.
The core risk is this:
- Certain manufacturing changes require prior regulatory notification or approval before implementation.
- If your CMO implements such a change without notifying you in time, you may have commercially distributed batches manufactured under conditions that deviate from your approved marketing authorisation.
The responsibilities are joint but asymmetric:
- The CMO is responsible for notifying you of changes.
- You are responsible for having a system that ensures those notifications reach you, are evaluated for regulatory impact, and are managed through your change control process before implementation.
- You cannot rely on the CMO to understand the dossier implications of manufacturing changes for your specific authorisation. That assessment must happen within your organisation.
To manage this effectively:
- Include a clear change notification clause in the Technical Agreement, specifying categories of change and minimum notice periods for each.
- Assign internal ownership for assessing CMO change notifications for dossier impact within a defined timeframe.
- Maintain records of every CMO change notification received and your documented response. If those records do not exist, an inspector’s inference is that the process does not exist.
Batch Disposition and QP Oversight
For UK-licensed products, the Qualified Person must certify each batch before release. Regardless of where the QP sits formally – with the CMO, a contract QP service, or the MAH itself – the MAH needs visibility of the information on which QP certification is based. This means the MAH should be receiving and reviewing:
- Batch manufacturing records
- Certificate of analysis data
- Deviation summaries affecting the batch
- Any out-of-specification investigations relevant to that batch
Receiving only a certificate of conformance and a release recommendation is not sufficient. A QP certifying a batch without access to the underlying quality data is operating outside the regulatory intent of the QP role, and an MAH that has built its system to receive only the headline output has created a quality oversight gap that an inspector will notice.
The Technical Agreement must define:
- Precisely what documentation the CMO will provide to the MAH for each batch.
- The timeline for providing it.
- The process for resolving queries before the QP proceeds to certification.
When the CMO Has a Problem: Your Response System
How your company responds when the CMO reports a deviation, an OOS result, or a recall-triggering event is one of the clearest indicators of whether your quality governance is real or nominal. The MHRA expects the MAH to have a defined process that includes:
- A triage mechanism for determining whether a CMO deviation affects your products specifically.
- An escalation pathway to your QP and regulatory team where dossier or patient safety implications are possible.
- A documented response record showing the assessment made and the conclusion reached for every quality event notification received.
Companies that cannot produce this evidence are telling an inspector that their quality system ends at the boundary of their own building. That is not a position that survives inspection scrutiny when manufacturing is outsourced.
The Virtual Pharma Challenge
For virtual or asset-light pharmaceutical companies, the challenge is particularly acute. These companies may have no manufacturing capability, no internal QC laboratory, and a very small quality team, with their entire commercial operation built on a network of CMOs, contract testing laboratories, and third-party service providers.
The regulatory expectation does not reduce in proportion to company size. A virtual pharma company with a two-person quality team is held to the same CMO oversight standard as a company with a fifty-person quality department. The difference is the approach. Legitimate options for resource-constrained companies include:
- Remote auditing, where appropriate and documented with a risk-based rationale.
- Risk-based audit scheduling that concentrates resource on highest-risk sites and activities.
- Shared audit programmes with other MAHs using the same CMO, where privacy and confidentiality can be managed.
- Robust use of quality metrics shared by the CMO as an ongoing monitoring mechanism between formal audits.
What is not legitimate is treating the GMP certificate as the primary oversight mechanism and relying on nothing going wrong between inspections.
Building an Oversight Framework That Satisfies MHRA Expectations
A robust CMO oversight framework has the following components, all of which must be evidenced:
- Supplier qualification and ongoing approval: documented risk assessment of each CMO, initial qualification evidence, and an annual review of ongoing compliance status including the CMO’s inspection history and any regulatory action taken against the site.
- Current Technical Agreement: reviewed and updated within the last twelve months or following any material change, with clearly assigned responsibilities for GMP activities, QP certification, change notification, deviation reporting, and batch documentation provision.
- Risk-based audit programme: written risk assessment justifying audit frequency, reports with graded findings, CAPA tracking to verified closure, and escalation of critical findings to senior management and the QPPV where pharmacovigilance implications exist.
- Change control interface: documented process for receiving, evaluating, and responding to CMO change notifications, with records of each notification received and the regulatory impact assessment completed.
- Batch oversight: defined batch documentation package reviewed before QP certification, with a query resolution process and deviation assessment built into the standard release workflow.
- Quality metrics monitoring: agreement with the CMO on which metrics will be shared and at what frequency, with a process for trend review within the MAH’s quality system, not simply filed for reference.
- Deviation and recall response: defined notification timelines in the Technical Agreement, internal triage and assessment process, escalation pathway, and a record of every quality event notification received and the MAH’s documented response.
How Quality & Vigilance Can Help
At Quality & Vigilance (Q&V), we support pharmaceutical and biotech companies across the UK and EU in building CMO oversight frameworks that hold up under MHRA inspection scrutiny, not just on paper but in practice. We can help with:
- Independent gap analyses of existing CMO governance arrangements.
- Technical Agreement review and remediation against current operations.
- Risk-based audit programme design and execution.
- Inspection readiness preparation where contract manufacturing is central to your quality system.
- Proportionate, sustainable oversight solutions for virtual and asset-light companies.
Reach us at qualityvigilance.com or call +44 7474 964491.