
A Good Foundation: Regulatory Compliance in the Cosmetic Industry

Are you involved with cosmetics and are unsure of your related regulatory requirements? Does hearing about ISO 22716, US FDA 21 CFR Part 11, or ICH Q7 make you anxious? Are VMP, IQ, OQ, PQ acronyms that haunt you at night? Even if you aren’t in the business of active pharmaceuticals, there are regulatory requirements and good manufacturing practices that you need to abide by if you are working with non-prescription drugs.

Examples of non-prescription drugs:

Acne therapies (topical)

Medicated skin care products

Antidandruff products

Antiseptic skin cleansers

Sunscreen products

Athlete's foot treatment

Throat lozenges

Diaper rash products

This blog will focus on the computer systems (hardware, software, processes, and procedures) that support your operational success. One of the key strategic approaches that should be undertaken in any compliance or validation project is to properly approach the risk assessment of the relevant process(es). This is tied to multiple aspects of your organization, namely where it is located, where it distributes its products, what products are carried, and what areas of your supply chain have a direct impact on patient safety, product quality, and data integrity. The purpose of the current text is not to discuss compliance in the cosmetic industry in an exhaustive manner; rather, it is intended to look at the areas impacted by computer system validation of the systems that support the supply chain where cosmetic products (non-prescription and natural health) are applicable.

It Is Important to Recognize That No Computer System Alone Can Be Considered to Be Pre-validated

Firstly, it is important to recognize that no computer system alone can be considered to be pre-validated as delivered, nor can individual systems be burdened with the responsibility of meeting all applicable regulations. It is actually a blend of system and documentation that enables a holistic approach, allowing an organization to confidently claim compliance. Policies, procedures, and work instructions all play an integral part in your ability to establish, maintain, and repeatedly demonstrate control of your operations. The current text will not dive too deeply into documentation, as it has been addressed by my colleague; please refer to Essential Validation SOPs. That being said, when documentation is prepared, it should be done in a manner that is in line with your organization’s digital culture, something that can be respected and adhered to. If and when you are audited, you will need to demonstrate that you have the appropriate documentation in place, and that you, as an organization, respect and adhere to said documentation. It doesn’t help anyone for you to prepare an elaborate procedure that will never be successfully followed. Create appropriate and realistic documentation that aligns with your actual reality. At the end of it all, you must be able to demonstrate that you understand your procedures, that you are in control, and that your data and its integrity are intact.

Create Appropriate and Realistic Documentation That Aligns With Your Actual Reality

For the sake of the current text, we are going to assume that you have your documentation in place. If so, it is time to look at the system portion of your operations. For discussion’s sake, let’s say you are updating your enterprise resource planning (ERP) or warehouse (information) management system (WMS), and need to validate them because you are carrying a product that has been assigned a Drug Identification Number (DIN), say a product line of sunscreen. Your organization is also distributing a number of other cosmetics; however, they are not considered to be subject to the same regulatory requirements. The scope of the validation exercise will be around that one product carrying a DIN. Regardless of whether your role is in fabricating, packaging, labelling, testing, distributing, or importing cosmetics, you are equally subject to being compliant, and it is your responsibility to maintain control of your respective portion of the product’s lifecycle.

3rd-Parties Supporting Your Operations Should Be Considered an Extension of Your Organization

There are a few scenarios that may present themselves at this point: one being a new system that is being implemented and configured to meet your current and future needs, and the other being a prior system that you are leveraging, but to which you have added a regulated product in your supply chain. In the latter case, a retrospective validation would be required, whereas a standard (prospective) validation of the ERP/WMS would be applicable in the greenfield scenario. Regardless, these are large efforts which are not always easily managed by the internal team of your organization. There may be a strategic need to seek help from outside service providers. If you are receiving support in your computerized system landscape, those 3rd-parties supporting your operations should be considered an extension of your organization, and should therefore demonstrate the same controls that you, the Drug Establishment Licence Holder, would need to maintain and follow. They need to be able to show their competence and reliability.

You Will Need to Demonstrate That the Systems Are Fit for Intended Use

Regardless of who implements, configures, and maintains your computerized systems, you will need to demonstrate that the systems are fit for intended use, something done through validation and qualification. This effort is commensurate with the level of risk that the system is assigned (e.g., non-configurable, configurable, or customized; open or closed system), which will establish the nature of the required testing, as well as the level of documented test evidence that is collected and maintained. Following ISPE’s GAMP®5 methodology, you will need to plan out your validation, assess the risk associated with your systems and the product lines they support to effectively justify your approach, and subsequently test with associated evidence collection, so that you are able to release your system for approved production use.

Computerized System Validation Is Something That Must Be Ingrained in Your Digital Culture

Once the initial (or retrospective) validation has been completed, you are unfortunately not out of the woods yet, as you must ensure that the system is operated and maintained appropriately. Are the security measures properly set up in your system? Are system audit trails and activity logs robust and enabled? Unalterable? Are personnel properly trained to use the system effectively? Are system changes documented and assessed? Is the data that is collected and maintained periodically verified throughout its retention period? Any electronic records or electronic signatures must adhere to Annex 11: GUI-0050, although it is strongly recommended to ensure that they also comply with the more stringent US FDA Code of Federal Regulations Title 21, Part 11, in combination with EudraLex’s Annex 11.

As you can see, regardless of your industry, computerized system validation is not a one-and-done type of activity; it is something that must be ingrained in your digital culture to ensure that these critical systems are managed for the duration of their active life, in a controlled fashion, and that we remember the key point: are we absolutely sure that patient safety, product quality, and data integrity are all being taken into account?

Scott McGrail M.Sc. PMP

Chief Operations Officer (COO) at InnovX Solutions

Scott McGrail is a seasoned veteran in software development, implementation, and validation projects and is well-versed across multiple industries, including the regulated space that houses pharmaceutical, medical device, and cosmetic manufacturing and distribution. He is passionate about operations and process improvement, facilitating change, and empowering teams' knowledge transfer.
