3 minute read
COS-GMP
By Robert Low, Lead Management System Specialist
COS-GMP is Apex Global Quality’s cosmetics GMP standard, built as a clause-based re-imagining of ISO 22716 — restructured for clarity, expanded in areas the original standard left thin, and broadened to cover product categories ISO 22716 excludes, such as pet care. Section 3 opens the standard’s substantive requirements with documentation, and it is noticeably more detailed than the equivalent clause in ISO 22716, particularly around electronic systems.
This post is part of a series working through COS-GMP section by section. The series summary with links to every section is available at the end.
General controls. The organisation needs a documented procedure defining how documents are controlled, including a list of all controlled documents with current version numbers, methods for creating and authorising them, records of why changes were made, and a system for replacing updated documents and informing the people who need to know.
Control of documents. Every document needs, at minimum, a title, a unique reference, a version, an author, and an approval date. Documents need writing legibly, approved and dated before use, and properly managed through their lifecycle — prepared, updated, withdrawn, distributed, and classified, with obsolete versions actively prevented from being used.
Control of records. Records need to be legible, appropriately authorised, retained in good condition, and retrievable. Handwritten entries need to indicate what should be entered, use permanent ink, be approved and dated, and any correction needs to preserve legibility with the justification recorded. COS-GMP is explicit here in a way ISO 22716 is not — it specifically prohibits ambiguous declarations like unclear tick marks, and prohibits blank fields where “NA” should be used instead. Correction fluid is explicitly called out as unacceptable.
Electronic documentation. This is where COS-GMP goes considerably further than ISO 22716. Software used to support the GMP management system needs a documented validation plan, proportionate to risk, covering correct data entry, back-up systems for file alteration or corruption, protection against unauthorised access, and defined procedures for authorisation changes and system failure. Any electronic system controlling critical operations — document storage, stock quarantine status — needs restricted access and change control limited to authorised personnel. Where subcontractors manage IT activities, a signed, documented contract needs to define how that is handled.
The most common gap, particularly for manufacturers moving from paper-based or basic spreadsheet systems, is the electronic documentation validation plan. Many organisations adopt software for convenience without ever documenting a proportionate validation approach — meaning if a question is ever asked about how the system ensures correct data entry or prevents unauthorised changes, there is no formal answer beyond “the software does that.”
The second common gap mirrors ISO 22716 closely: outdated documents remaining accessible after a revision is approved, particularly physical copies that never get removed from work areas once a new version is released centrally.
Documentation underpins every other section in this series — training records under Personnel, hazard analysis records under Risk Control, and the various procedures referenced throughout GMP Safety & Quality Management. Document control software with genuine version control and access restriction is the practical mechanism for satisfying the more detailed electronic documentation requirements this section introduces.
This post is part of the Cornerstone COS-GMP series. See the full series summary with links to all 11 sections.