Forty minutes in
The audit was at a mid-tier CDMO in the Midwest. Nineteen sponsors across small-molecule and biologic fill-finish. A respected mid-market eQMS, selected three years ago after a careful evaluation that had taken six months and twelve internal stakeholders. Every sponsor evaluation in the past three years had passed before contract signature.
Forty minutes into the supplier audit, the sponsor's QA director set down her coffee and asked the CDMO's QA lead a question that, on its face, was routine: "Pull every CAPA from the last twelve months that touched our product. Only ours." The QA lead opened the eQMS, navigated to the CAPA module, filtered the list by sponsor, exported it to PDF, and slid the report across the table. The director didn't look at it. She said, "The query. I want to see the query."
The room got quieter. The QA lead said the export was the report the eQMS produces. The director said she didn't want the report. She wanted the SQL the application ran when she clicked the filter, the WHERE clause that hit the database. She wanted to see whether the records returned in her report were the only records the database had been asked for, or whether the application had read every CAPA in the system and presented the ones tagged with her company's name.
The QA lead said he would have to check with engineering. The director said she would wait. Then she opened the next page in her notebook and began writing.
What followed over the next nine days was the operational shape of a deficiency nobody had named during the original evaluation: internal calls between the CDMO and their eQMS vendor, three escalations to the vendor's product team, two attempts to reconstruct the query log from application traces, one deeply uncomfortable conversation between the CDMO's CFO and the sponsor's procurement team. Two months later the renewal conversation got harder. Six months later the CDMO began evaluating a different platform. The deficiency was architectural, not procedural, and the sponsor's QA director had recognised it forty minutes into a routine audit because she had been told by her own data team to look for it.
This post is about the distinction the QA director was looking for, the regulation that authorised her to look, and the records the CDMO's eQMS would have needed to produce for the audit to have ended differently.
The two SQL queries that look identical and aren't
The technical question the QA director was asking reduces to two implementations of the same CAPA list.
The first:
SELECT * FROM capa_records;
-- Application then filters out records where sponsor_id != current_sponsor.
The query reads every CAPA record in the database. The application layer is responsible for excluding the ones the user isn't authorised to see. A bug in the application code, a developer misconfiguration, an export-to-CSV endpoint that bypasses the filter, a debug page that doesn't pass through the same logic: any of these can leak the unfiltered result. When the sponsor's auditor asks to see the database query, what they see is a SELECT that returns everything, with the segregation handled in code the auditor cannot inspect.
The second:
SELECT * FROM capa_records WHERE sponsor_id = '<active-sponsor-id>';
-- The sponsor_id constraint is enforced at the framework boundary, not by application code.
-- The query cannot be issued without it.
The query can only reach records belonging to the active sponsor. The framework rejects any query that doesn't carry the scope. A developer cannot accidentally write code that reaches another sponsor's data, because the connection layer enforces the constraint before any query executes. When the sponsor's auditor asks to see the database query, they see the WHERE clause, and separately, they see the framework convention that makes it impossible to omit.
The two implementations are indistinguishable in a demo. They're indistinguishable in a sales conversation. They're indistinguishable in most procurement reviews. They become visible the moment a sponsor's auditor asks for the SQL. Sponsor evaluation has caught up to that distinction. Most vendor selection processes have not.
What 21 CFR §200.10(b) authorises
The QA director's question wasn't casual. She was acting on a clause that almost no CDMO eQMS marketing piece quotes. From 21 CFR §200.10(b):
"The Food and Drug Administration is aware that many manufacturers of pharmaceutical products utilize extramural independent contract facilities, such as testing laboratories, contract packers or labelers, and custom grinders, and regards extramural facilities as an extension of the manufacturer's own facility."
Read the last clause literally. If a CDMO is an extension of Pfizer's facility, and in the next batch an extension of BioMarin's facility, and the batch after that an extension of Novo's, then a record inside the CDMO's eQMS must read, to each sponsor's auditor, as if it were inside that sponsor's own QMS. Not a copy. Not a filtered view. An extension.
The architectural pressure this creates is the pressure every multi-tenant SaaS platform either solves or pretends to solve. The sponsor's QA director arrived with this clause behind her authority. She wasn't asking whether the CDMO had a CAPA system. She was asking whether the CDMO's CAPA records, when produced for her review, could pass as records inside her own facility's QMS. The SQL query was the test.
What the auditor pulled next
The QA director's notebook, by the end of the morning, covered eight requests. Each was a different segregation probe, and each required a record the CDMO's eQMS could produce in seconds or could not produce credibly at all.
| # | Auditor's request | eQMS record-type required | Segregation property tested |
|---|---|---|---|
| 1 | "Pull every CAPA from the last twelve months that touched our product. Only ours." | Per-sponsor CAPA query | Query scoped at framework boundary, not filtered at presentation |
| 2 | "Show me the query you ran." | Database query log / ORM trace | Demonstrate scoping, not filtering |
| 3 | "Pull the training matrix for operators assigned to our product line." | Per-sponsor training record export | Training assignments scoped to sponsor-product, not CDMO-wide |
| 4 | "Show me three deviations from our batches and their effectiveness checks." | Per-sponsor deviation records with linked effectiveness | Deviation records carry sponsor scope; bidirectional linking |
| 5 | "Walk me through one cross-functional change-control decision that affected shared equipment." | Change-control record with per-sponsor impact assessment | Change record names every affected sponsor and their disposition |
| 6 | "Show me the validation package for the workflow that produced this record." | Per-sponsor IQ/OQ/PQ extract | Validation evidence boundary scoped to sponsor's workflows |
| 7 | "Pull the audit trail for record #X. I want to see who accessed it and what they did." | Per-record access audit trail | Audit trail captures every access including cross-sponsor read attempts |
| 8 | "If your platform vendor issues a release tomorrow, what's our change-control disposition?" | Per-sponsor vendor-change-control record | Vendor releases trigger per-sponsor change-control entries |
Eight requests. Each one a probe. Each one survivable by an eQMS that treated sponsor identity as a scoping boundary, and unsurvivable by an eQMS that treated sponsor identity as a metadata tag. The CDMO's QA lead produced the records he could, and noted for follow-up the ones he could not. By the end of the morning, the director had a picture of the system precise enough to write the finding she was going to deliver to her own quality committee.
ICH Q10 §2.7, read against the morning's requests
The regulatory framework behind the QA director's questions is ICH Q10 §2.7, Management of Outsourced Activities and Purchased Materials. The clause names four verbs the sponsor's pharmaceutical quality system must extend across to the contract acceptor: assess, define, monitor, review. Each verb corresponds to an eQMS record-type the CDMO must produce per sponsor.
Assess (suitability and competence) lands as a supplier qualification record visible to the sponsor inside the CDMO's vendor file. Define (responsibilities and communication) lands as the per-sponsor quality agreement record with its scoped RACI matrix and audit-rights provisions. Monitor (performance) lands as a per-sponsor performance dashboard showing deviations, CAPA cycle time, on-time delivery, scoped to the sponsor's batches only. Review (periodic re-qualification and management review inputs) lands as a per-sponsor section of management review inputs that aggregates without leaking other sponsors' performance.
The QA director's eight requests during the audit's first ninety minutes were, in effect, an operational probe of those four record-types. Could the CDMO produce her company's supplier-qualification view in real time? Yes. Could it produce her company's performance dashboard with scoped trend data? Mostly. Could it produce the management-review-input section showing the CDMO's review of her company's performance separately from other sponsors? Not without manual reconstruction. The CDMO failed cleanly on the third probe and partially on several others, and the QA director's notebook captured the partial failures with the precision of someone who has seen them before.
The phrase EU GMP Chapter 7 turns on
EU GMP Chapter 7 on Outsourced Activities, in force since January 2013, restates the accountability boundary §200.10(b) names from the EU side, and at §7.16 adds one phrase the corpus consistently underestimates: all records related to the outsourced activities should be kept by, or be available to, the Contract Giver.
Available to is the architectural phrase. In a CDMO's eQMS, available to the contract giver means the sponsor can request and receive a complete export of records related to their product, in a format their own QMS can ingest. It means the sponsor can log into a scoped audit portal that shows their records only, with the audit-trail completeness their own internal system would show. It means the sponsor's records retain on the sponsor's clock, not the CDMO's, so a sponsor whose regulatory retention is twenty-five years gets twenty-five-year retention regardless of the CDMO's commercial retention policy.
None of these capabilities are met by sponsor tagging. Each is a distinct engineering requirement. The QA director's eight requests, taken together, were a verification that those capabilities existed at the framework boundary, not at the marketing slide level.
The cross-sponsor change-control question
The most under-served question in CDMO eQMS coverage is the one the QA director asked sixth: when a process change affecting shared equipment is requested by one sponsor, what happens to every other sponsor's in-flight batches, open deviations, training records, and validation status?
A worked example. Sponsor B asks the CDMO to change the cleaning verification protocol on a fill line shared with Sponsor A and Sponsor C. The change enters the CDMO's change-control workflow. In an eQMS that handles cross-sponsor isolation properly, three things happen automatically.
The impact assessment names every affected sponsor. Sponsor A's quality team receives a notification, not "a change happened" but the specific change, the rationale, the proposed verification, and the disposition options of concurring, objecting, or requiring additional verification before the change takes effect on Sponsor A's batches. Each sponsor's response is recorded against the change record, so that six months later Sponsor A's auditor can see the change, see her company's disposition, and see who at her company approved it. And cross-sponsor visibility is bounded: Sponsor A's auditor sees that Sponsor B initiated a change and that Sponsor A had a disposition, but not Sponsor B's product details, batches, or commercial timing.
This balance (shared equipment, segregated context) is enforceable in an eQMS that treats sponsor identity as a scoping boundary. It is not enforceable in an eQMS that treats sponsor identity as a metadata tag, because the disposition records will simply not be produced at the right granularity.
When the case files arrived
The CDMO in the audit narrated above wasn't the subject of an FDA action, and the QA director's findings didn't become public. But two warning letters issued in the months around that audit read, in retrospect, as enforcement-side analogues of the same architectural deficiency.
The Catalent Indiana warning letter (#718189), issued 20 November 2025 after an inspection conducted between 23 June and 14 July 2025, records twenty-plus deviations for mammalian-hair contamination in or around vial-stopper regions, affecting multiple drug products and multiple customers, both before and after Novo Nordisk's acquisition of the site. More than five media-fill batches have been terminated since November 2023, and at least two of those terminations were not captured as deviations at the time they occurred. Investigations, FDA wrote, were used "to support batch release decisions rather than to challenge whether the process remained under control." The site was classified OAI; Scholar Rock, whose apitegromab fill-finish ran at the affected facility, disclosed that OAI classification to investors in September 2025 alongside the Complete Response Letter FDA issued for apitegromab — a letter that cited the facility and raised no other approvability concern.
That detail, multiple products and multiple customers, reads in most coverage as a contamination problem. It is also a segregation problem. If you are Scholar Rock's QA director, what record in Catalent's eQMS told you, with proof, that the deviations associated with your batches were yours, and not bleed from another sponsor's investigation queue or from a CDMO-wide contamination signal incompletely partitioned across sponsors? If you are Novo Nordisk, inheriting the same line at acquisition, what record told you that the open CAPAs you were assuming were the ones bearing your name?
A second case followed in early 2026. Simtra BioPharma Solutions received Warning Letter #720436, dated 3 March 2026, for its Halle facility, following an inspection in September 2025. The letter records forty-seven microbiological detections between June 2023 and September 2025, fourteen of them above limits, plus an integrity-test failure followed by a passing test eighteen days later with multiple batches manufactured on the line in between. Multiple sponsors share that aseptic line. The same segregation question applies.
Neither letter is the eQMS architecture's fault. They're Quality Unit, contamination-control, and aseptic-process failures. But the segregation question they leave behind (whose record, exactly, captured the impact on each sponsor's batches, and whose record was missing) is the question every CDMO's eQMS now has to answer for every sponsor's next audit.
Twelve RFP questions for sponsors evaluating a CDMO's eQMS
The eight requests the QA director made during the audit's first ninety minutes generalise into twelve questions any sponsor can ask before signature. Each points to an eQMS record-type and a specific architectural property.
- Show me the query that returns my CAPAs only. Demonstrate it's scoped at the framework boundary, not filtered at presentation time.
- Show me the audit trail for a record from twelve months ago. Confirm record integrity, retrieval time, and the access log including cross-sponsor read attempts.
- Walk me through the training matrix for the operators assigned to my product. Demonstrate scoping to my product line, not a CDMO-wide matrix filtered down.
- Show me the validation package extract for the workflow that produced this record. Per-sponsor sub-package, not the CDMO's full validation document.
- Show me one change-control record where my product was affected by a shared-equipment change. Demonstrate per-sponsor impact assessment, per-sponsor disposition, and per-sponsor audit trail.
- Show me a deviation record that included my batches and walk me through the linked CAPA, effectiveness check, and closure decision. Demonstrate bidirectional linking scoped to sponsor.
- What happens to my open records if you onboard a new sponsor next month? Demonstrate per-sponsor segregation survives new tenant onboarding.
- What happens to my open records if your platform vendor pushes an unscheduled release? Demonstrate per-sponsor change-control event for vendor releases.
- How is my retention policy enforced if it differs from your CDMO-wide retention? Demonstrate per-sponsor retention boundary.
- Show me a worked export I can ingest into my own QMS — including all linked records. Demonstrate per-sponsor structurally complete export.
- Walk me through your most recent quality-agreement renewal. Demonstrate per-sponsor quality-agreement record-keeping discipline.
- If FDA asks for inspection access tomorrow under §200.10(b), what records does your eQMS produce for my product specifically? Demonstrate readiness for the inspection request that treats the CDMO as an extension of my facility.
Score each response one through five. A response that walks the architecture and produces the evidence in minutes is a five. A response that requires engineering to build a custom export is a two. A response that involves the words "we tag records by client" is a one.
Ninety days later
The CDMO from the opening narrative is operating today on a tightened renewal. The sponsor's QA director is preparing to lead a similar audit at another CDMO in their supplier panel next quarter, with the eight questions and the SQL probe now formalised inside her firm's supplier evaluation procedure. The architectural distinction she was acting on (scoping at the framework boundary versus filtering at presentation time) has not yet entered the standard procurement playbook of most sponsors. It will, and when it does, the CDMOs whose eQMS treats sponsor identity as a metadata tag will discover the distinction at renewal time, not at vendor selection time.
The CDMO eQMS market sells compliance and transparency and collaboration. Sponsors are starting to pay for segregation that survives an audit. The first ninety minutes of the audit decide which of those things the sponsor thinks they bought. There is no fix at audit time. There is only the fix that should have been there at vendor selection time, three years earlier.
The QA director sets down her coffee. She asks for the query. The next sentence belongs to the architecture, not to the CDMO QA lead. Whether the architecture answers cleanly is the entire post.
Complere fit
This post reduces to one question — is the boundary a scope or a tag — so a vendor publishing it owes you its own answer in the same terms, including the part that isn't flattering.
The isolation boundary is a database, not a column. Every Complere tenant runs in its own physical database with its own credentials. Records do not sit in shared tables behind a tenant_id column, so there is no WHERE clause to forget: a query that loses its scope has no other tenant's rows to reach. When the auditor asks to see the query, the answer is not a SELECT that read everything and filtered afterwards — it is a connection that was never pointed at anyone else's data.
The scope is enforced at the framework connection, before any query runs. Entering a tenant context switches the application's database connection for the life of the request. Developers do not annotate each query to stay in bounds; the connection is the bound. The same decision carries down the stack rather than stopping at the database — cache entries are tenant-scoped, background jobs carry tenant context and are re-tenanted on the worker before they execute, and each tenant's files live in their own storage bucket.
The audit trail is a record, and it exports. Every controlled-record transition — created, reviewed, signed, approved, published — is written to an append-only audit trail at the application layer, per record type, inside that tenant's own database. It exports, including as PDF. That is request #7 on the QA director's list, answered without a call to engineering.
Validation is included, not licensed separately. The validation pack ships with the platform on day one, CSA-first with CSV depth on demand — so the "show me the validation package for the workflow that produced this record" request is answered from a package you already have rather than a bespoke document someone has to assemble.
Where the line sits — and it is the whole point of the post. Complere's isolation boundary is the tenant. A sponsor is not a tenant. If a CDMO puts nineteen sponsors inside one Complere tenant, then sponsor identity inside that tenant is precisely what this article warns about: a metadata field, applied at presentation time. Everything above is true of the boundary the framework actually knows about, and claiming it reaches one layer further down would be the exact move the QA director's SQL question is designed to catch.
So the honest deployment answer for a CDMO that intends to survive that question is a tenant per sponsor: each sponsor's records in their own database, under their own credentials, with the CDMO's quality staff working across them. That is a real shape, and it is the one worth walking through. What we are not going to do is dress a tag up as a boundary because the demo screen looks the same either way — which is the distinction the whole post is about, and the side of it we would rather be asked to prove.




