Tag Archives: audit

Roberta Wagner, Director, Office of Compliance, for the Center for Food Safety and Applied Nutrition at FDA

How is FDA Surveillance Keeping Pace with FSMA Changes?

By Sangita Viswanathan
No Comments
Roberta Wagner, Director, Office of Compliance, for the Center for Food Safety and Applied Nutrition at FDA

Proposed rules under the Food Safety Modernization Act will mandate more inspections, more testing, and better risk-based profiling of food products – both sourced domestically and imported. How is FDA planning to keep pace with these changes? Roberta Wagner, Director, Office of Compliance, for the Center for Food Safety and Applied Nutrition at FDA, provided some insights, while speaking at the recent Food Safety Consortium, organized by Food Safety Tech

Section 201 under the Food Safety Modernization Act requires the Food and Drug Administration to designate food facilities at high-risk and non high-risk facilities, and accordingly, establish minimum frequency of inspection of these facilities. While high-risk facilities will have to be inspected by FDA once every three years, facilities deemed non high-risk will be inspected once every five years. Wagner described that the following factors have been considered so far for determining if a domestic food manufacturing facility is determined to be high-risk or otherwise:

  • Whether the facility has been involved in a Class 1 outbreak or recall;
  • Whether the facility has a history of non-compliance (based on Official – Action Indicated (OAI) or Voluntary Action Indicated (VAI) data);
  • If the facility has had any significant violations;
  • Future data considerations (see below);
  • Type of activity the facility is involved in; and
  • Date of last inspection.

Future data for consideration of high-risk and non high-risk categorization will include:

  • Inherent risk factors at product level (for instance is the product bakery goods, or seafood/ fresh produce etc);
  • Has the facility been linked to an outbreak, recall or adverse event (if so the risk profile gets elevated);
  • If any sample testing (product or environmental) is positive;
  • If there’s a history of customer complaints;
  • Robustness of QA/QC programs and 3rd part audit reports;
  • Financial viability of the company; and
  • Food safety culture of the facility/ company.

Foreign facility inspections

Under FSMA, FDA has also been mandated to increase the number of inspections the agency does on foreign facilities, to ensure the safety of imported foods. Wagner explained that FDA currently conducts about 1200 foreign facility inspections a year to determine if those facilities meed FDA regulations. With FSMA rules, FDA will have increased authority to conduct such inspections of foreign faciligies, and look at Foreign Supplier Verification Programs, and Voluntary Qualified Importer Program records, adds Wagner.

Under the new regimen, FDA has been mandated to conduct at least 600 foreign inspections during the first year of FSMA rule implementation. And the target is to double this number every year, for the next five years, taking it to 19,200 inspections by Year 6. Wagner feels this is an impractical number as FDA does not have the resources to do so many foreign inspections. “If we get the Foreign Supplier Verification Program under FSMA rule right, we effectively place the responsibility for ensuring safety of imported foods on the food industry and importers. FDA cannot, and should not be doing this,” she explains.

Risk-based foreign facility site selection

FDA will also adopt a risk-based approach to select foreign facilities for further inspection. This approach will consider:

  • Food safety risk associated with the sector or commodity;
  • Risk associated with manufacturing process;
  • Compliance history of facilities associated with an industry sector commodity in a given country or region (for instance, look at refusal rates for products denied try into the U.S. by country);
  • Quantity or volume of imported product from country or region;
  • Robustness of food safety system in the country; and
  • Portion of resources retained by the facility for compliance, follow up inspections and emergency response situations.

Based on this FDA will continue to diversify the product that it considers high risk, for instance dairy, baby food, candy… Wagner added that economically motivated adulterated continues to be a concern and cause for focus on food products such as oils, honey and dietary supplements.

Wagner also talked about Predictive Risk-based Evaluation for Dynamic Import Compliance Targeting or PREDICT, a risk management tool used by FDA to efficiently and effectively make entry admissibility, decisions that prevent entry of adulterated, mis-branded or otherwise violative imported goods into the U.S., while expediting the entry of non-violative goods. Based on risk scores allocated to different products, this computerized tool targets entries of highest risk for further scrutiny, including field reviews and sampling.

She explained that this dynamic tool, which constantly adapts to different risk situations and products, provides automatic data mining and pattern recognition, provides automated queries of FDA databases including facility registration information, and thus, allows for risk-based allocation of FDA resources.

5 Tips for Conducting a Successful Internal Audit

By Michael Biros
No Comments

A strong internal audit program will help drive continuous improvement, promote a food safety culture within the organization, and help improve the external audit score.

Beyond achieving compliance with the SQF program requirements, internal audits help drive continuous improvement and can facilitate a food safety culture throughout all levels of an organization. Gary Smith, Senior Technical Director at SAI Global, discusses 5 key factors to successfully conducting an internal audit.

What is the SQF Standard: Item 2.5.7 Internal Audit?

This requirement includes methods and responsibilities for scheduling and conducting internal audits to verify the effectiveness of the SQF system including facility and equipment inspections, PRPs, food safety plans, food quality plans, and regulation controls. Companies must have an internal audit schedule with scope and frequency and records of internal audits, corrections, and corrective actions. The internal audit must be conducted by staff trained in internal audit procedures and the audit results must be communicated to relevant management.

In the SQF program, a major nonconformance indicates a systematic failure where an element is failing or not existing. Some common major nonconformances include not having a schedule of internal audits, having verification and validation activities defined but not having an internal audit program, not having a facilitator for an internal audit program assigned, and having the internal audit only cover GMPs, but not the SQF system. Some of the minor nonconformances include not having an internal auditor training for the lead auditor, not defining how results are to be communicated to leadership, not taking corrective actions for internal audits, or not having records of corrective actions.

5 Keys to Success

  1. Reach out to leadership. Work with your leadership to define objectives of the internal audit program with management to facilitate management commitment. Build the internal audit program with management objectives. Remember, it’s not the QA’s program certification, it’s the entire company’s.
  2. Formalize the audit process. Set an audit schedule and keep to it. Assign an audit team with responsibilities. Use an audit checklist. Develop an audit plan. Conduct interviews during the audit. Conduct opening and closing meetings with staff.
  3. Communicate well. Regularly provide updates to leadership at routine meetings. Provide the audit plan and checklist to auditees one week prior to the audit. Take photos of good practices and nonconformances. Provide the audit results in a timely manner.
  4. Manage internal audits as its own program. Have standard operating procedures describing the responsibilities and procedures. Have the facilitator be trained as a lead auditor and appropriate training for all team members. Include as many people as possible in the audit team from all departments within the company.
  5. Use corrective action management program for all internal audit findings. Keep an internal log of all your internal nonconformances. Use root cause analysis to understand why nonconformances occur and include internal audit findings, regulatory audit findings, nonconforming products, and customer complaints in the corrective action management plan.

A strong internal audit program will help drive continuous improvement. It will help promote ownership of the entire SQF system and promote a food safety culture within the organization. Lastly, a strong internal audit program can improve the external audit score.

For more information, see this archived webinar: SQF 5 Tips for Conducting a Successful Internal Audit 

Barbara Levin, SVP of Marketing & Customer Community, SafetyChain Software

What is True Food Safety Audit Readiness… and How Can Automation Help?

By Sangita Viswanathan
No Comments
Barbara Levin, SVP of Marketing & Customer Community, SafetyChain Software

Barbara Levin, Senior Vice President and Co-Founder of SafetyChain Software, shared her thoughts during a recent interview with Food Safety Tech

Food Safety Tech (FST): Why are food safety audits such a hot topic of conversation?

Barbara Levin: Audits are a critical component of any food safety plan, and I’ve never heard food safety and quality assurance (FSQA) folks disagree with that assumption. But between regulatory, 3rd party standards such as GFSI, customer and internal audits – most of which are still very manual processes – audit preparation and response have become a huge manual burden that can be highly disruptive to operations. And while all audits has some commonalities, each has its own specific requirements as well, adding to the challenge. 

In conversations with our clients at SafetyChain, we have heard of companies that have as many as 300 audits a year! So it’s a struggle to manage these audits while also having to get product out on time, within operational Key Performance Indicators, and of course meeting safety and quality requirements. This is why we’re also hearing more about technology solutions that can help companies be audit ready. But whether or not a particular solution is right for your company depends on how you define audit readiness. 

FST: Before we discuss the definition of audit readiness, you mentioned that each type of audit has its own requirements – can you highlight some of these?

Levin: Let’s begin with what all of the audit types have in common – which fall in to four areas: 

  • First, you have to say what you do – all of your SOPs, PRPs, GMPs, HACCP/HARPC components, etc. 
  • Second, you have to verify that you do what you say. 
  • Third, you have to validate that it works. 
  • And last, you have to ensure that everything is documented. 

On top of these commonalities, each audit type has some specific requirements. For example:  

With regulatory audits, USDA can ask for pre-shipment reviews, while FDA can do unannounced audits with just a two hour notice.  

  • With the GFSI schemes, you have to have an approved vendor program and be able to demonstrate management commitment and continuous improvement. And of course everyone is talking about the upcoming SQF unannounced audits, which, I personally think, is something that the industry should embrace.
  • With customer audits, it’s not just about safety, but also quality attributes such as weight, moisture or salt content to name just a few.
  • And internal audits can be the hardest of all as many of the above elements, among others, can get combined. 

FST: Given this wide range of requirements, what then, do you mean, when you say “true audit readiness?”

Levin: When you hear people talk about audit readiness, and audit automation solutions, the conversation is often focused on documentation – the ability to produce electronic records. And this is of course an important component of being audit ready. But in my view, true audit readiness goes far beyond documentation. It should also mean that you have the tools and processes in place to ensure that you actually PASS your audits with flying colors! It means that food safety systems have been consistently and diligently followed across all facilities; you have a robust supplier compliance program; non-conformances are caught at the earliest point possible, and CAPAs have been put in place; you have easy access to data for continuous improvement; and everything is documented. In other words, it’s not enough to just show that the paper has been gathered for the audit – but that you are doing the right things for food safety every single day. And if we’re talking about audit automation technology – these solutions should support all of these components.

FST: How can companies assess if they’re truly audit ready?

Levin: Here are some basic questions FSQA teams should ask themselves:  

  • Are we 100 percent sure that all SOPs, CCPs, PRPs, GMPs, etc., are current and being carried out, and that we can easily access verifying documentation?
  • Do we have a robust supplier compliance program to ensure vendors are meeting our safety and quality requirements? Can we easily access all of those records?
  • Are we getting non-conformance alerts in a timely manner to take corrective/preventive actions before product goes in to commerce? Can we easily access proof of CAPAs?
  • Do we have easy access to all of the data required for trending, hazard analysis and continuous improvement? 

There can be three answers to these questions: Yes, No and Hmmmmm. If you’ve had one or more No’s or Hmmms… chances are you may not be as audit ready as possible. 

FST: What are then the challenges to being truly audit-ready?

Levin: I would list the biggest challenges with being audit ready as falling into four key areas:

  1. The volume of forms, records and paper that needs to be current, managed, easily accessed and actionable – meaning the data from these records can be trended for continuous improvement;
  2. Ensuring that all food safety programs are being carried out correctly and consistently – including the ability to catch problems at the earliest point possible, put a corrective/preventive action in place and make sure that all of that is documented;
  3. Management of supplier compliance (are you sure your suppliers are following all of your requirements?) and approved vendor program management; and
  4. The amount of time it takes to prepare for audits – especially as unannounced audits become more prevalent. 

FST: How can automation help with these challenges?

Levin: Technology solution that helps companies be audit ready must go beyond document management. They have to integrate supplier/vendor management; food safety and quality program management – HACCP and HARPC programs, for example; process management and workflow; GFSI program compliance; and, of course, ensure that all records and documentation is available in a central repository for trending, continuous improvement and of course audit readiness.

These solutions should automate, streamline and improve FSQA. And the final result has to be that actionable data – across all products and facilities – that allows you to find ways to improve processes, put preventive controls in place and make continuous improvement an inherent part of company’s overall food safety culture. Audit readiness then becomes the benefit – not just the goal. 

If you are using a cloud based FSQA automation solution – with roles-based security – automation can provide the kind of transparency and visibility that can actually reduce the amount of audits a company has by allowing suppliers, auditors and customers to view various slices of data. For example auditors might see non-conformances and the documented CAPA; a customer could see a finished product review; and a supplier can see that their Certificate of Analysis was received and met specifications. That’s a true change in traditional culture, but we’re seeing it more and more. 

Food companies need to remember that auditors do not expect to see that everything thing was perfect all the time. But what they do want to see is that a problem was found in a timely manner and that it was fixed before the product went into commerce. Bottom line? Automation can help food and beverage companies say what they do, do what they say, make sure it works and make sure it’s documented and actionable. And when all of this information is easily organized by the type of audit – and cloud-based – companies can be audit-ready on-demand! 

Click here to read Barbara Levin’s paper on how to be audit ready, on-demand with Food Safety Chain Management Systems.

Ask the Compliance Expert: Unannounced Audits

By Sangita Viswanathan
No Comments

Do you know when your next unannounced audit will be? And can a site refuse entry to an auditor? In this Q&A, Jane Pappin of Cert-ID provides some answers.

Food companies are now handling and preparing for increased number of inspections and audits. Food safety rules under the Food Safety Modernization Act have proposed unannounced audits of food facilities as a way to include another level of security to ensure that these facilities are compliant with the various standards. Such audits, regulators hope, will give a more realistic picture of compliance, rather than facilities appearing to comply just the day of the inspection.

Food companies that have been abiding by all the requirements of the specific food safety standard don’t have to do anything differently than what they have been doing all along, says Jane Pappin, Certification Director at Cert-ID: “If they have a strong food safety and quality management program in place, have been conducting regular internal audits, and gap analysis etc., they shouldn’t have anything to worry about. The auditor is not going ask anything that they would be unprepared for,” she adds.

We present below excerpts from a Q&A with Pappin.

Q: How will my site know if our next audit is unannounced or not?

A: SQF has indicated that the Certification Body (CB) is responsible for telling the site when their unannounced audit will be. As the CB is charged with reminding the site of their upcoming renewal audit approximately three to five months in advance of the re-audit due date, the site could be informed then.

Once the site is told when their unannounced audit will be, there is opportunity to negotiate black-out dates – these are only for days when the site will not be in production. The unannounced audit will always take place within the site’s renewal audit window, which is from 30 days before the site’s re-audit due date (which is listed on your certificate) to 30 days after the re-audit due date. 

A site must have one unannounced audit per three-year cycle. For those sites already certified, their first unannounced audit will take place either in 2014 (from July 3 to Dec 31), 2015 or 2016 and they will be informed by their CB which year it will be in. Their second unannounced audit will take place in either 2017, 2018 or 2019, and so on. Once your unannounced audit year is determined, this will be recorded in SQF’s Reliance Database. Even if you change CBs, this information will go with your facility’s profile and your unannounced audit year will not change.

Q: What happens if the auditor arrives for the unannounced audit and the site refuses entry?

A: The ramifications of disallowing the auditor entry to your facility are far reaching: First, you will still be charged for the visit, including auditor expenses. Second, your facility will immediately be put into suspension. Third, an announced audit must now take place no later than 30 days from the date you denied entry to the auditor. If this doesn’t happen, your certification will be withdrawn. Fourth, because you were put into suspension, you will also be required to have a surveillance audit six months after the 30 day audit. Fifth and last, your next audit will then be your unannounced audit.

Bob Savage, President and Founder of the HACCP Consulting Group

FSQA: Creating HACCP Excellence

By Michael Biros
No Comments
Bob Savage, President and Founder of the HACCP Consulting Group

For a successful Food Safety and Quality Assurance program, there must be management commitment and measurable expectations set. Senior management has to be committed to the program. They are the foundation for everything in food safety. They have to provide resources to develop and implement the plans across different departments as well as provide for training and encourage communication, advises Robert A. Savage, President and Founder of The HACCP Consulting Group.

Sharing some lessons learned from decades of HACCP implementation experience, Savage spoke at a recent webinar on FSQA: Creating HACCP Excellence, presented by SafetyChain Software. We present excerpts below. 

A few years ago, there was a very serious Salmonella outbreak in peanut butter. It appears that company shopped around for negative salmonella results and then shipped the product. It’s a worst case scenario, but in this case, short term profitability at the expense of food safety resulted in the over 600 illnesses and a few deaths as well as the bankruptcy of the company, described Savage.

Role of GMPs in Creating and Minimizing CCPs

Without good GMPs, facilities tend to have more CCPs than necessary. There has to be a good balance between GMPs and CCPs. When companies understand the the relationship between HACCP, GMPs, and CCPs, typically the HACCP plan would not have more than 3 or 4 CCPs and everything else is covered by GMPs. 

Best practices for HACCP management must be committed from the beginning and throughout the process. GMPs should be in place prior to even beginning to revamp the HACCP plan. Multidisciplinary HACCP teams, including QC, QA, Lab, Sanitation, Product Development and Sales, experts, should contribute to the process in developing the plan. Having a multidisciplinary team helps with achieving buy-in or company-wide commitment to the plan. 

Companies have been pretty good with monitoring, but there’s still some confusion between verification and validation. Verification is a check of the checkers. When CCPs are identified and monitored, verification is making sure that the company says what it’s doing and is doing what it says. Validation asks if the company has the right CCPs and how can they prove it. 

Best Practices for Audit Prep

USDA regulated plants have routine inspections to verify what the companies do on an everyday basis. Separate from these routine inspections, USDA also performs food safety assessments which can take days or weeks to complete. Companies under USDA jurisdiction should do their own food safety inspection to prepare for these FSIS audits. FDA regulated plants may go months or years between inspections. These facilities should have third party audits such as SQF or other audits. 

GFSI schemes have taken hold in the US and around the world. The popular one in the U.S. is SQF. Companies that meet SQF standards should have no problem meeting new FDA FSMA regulations.

What Constitutes a Successful FDA Audit?

By Sangita Viswanathan
No Comments

From the proposed third party accreditation rule, to GFSI audits, and needing more trained and experienced auditors, the process of auditing food facilities is undergoing a sea-change. What is the impact going to be on food companies, auditors, and the auditing process?

In a recent FSMA Fridays webinar, sponsored by SafetyChain Software, an expert team from The Acheson Group, comprised of Melanie Neumann, J.D., M.S., VP and Chief Financial Officer; Jennifer McEntire, Ph.D., VP and Chief Scientific Officer; Anne Sherod, M.S., Director of Food Safety and Valerie Scheidt, MBA, CP-FS, Director of Food Safety, answered key questions on conducting successful FDA audits. We present some excerpts below.  

How does the FSMA third party audit accreditation rule impact the audit process?


The purpose of the third party accreditation and certification audit is to issue a certificate for high risk foods or the voluntary qualified importer program. The main foundation of the standards that FDA is setting will come from the human preventative controls rule, the animal preventative controls rule, and the produce safety rule. Some standards may also come from the sanitary transportation rule and food defense rule. FDA will be appointing an accreditation body and this accreditation body will approve and monitor certifying bodies (CB). These CBs can be private companies or private individuals who will be authorized by the accreditation body to perform the audits and issue those certifications. 

Foreign governments can also be approved by FDA to act as a CB. Right now only New Zealand is approved and FDA is looking at approving Canada. We don’t anticipate any other country to be approved in the near future.;

Certifying bodies will have strict conflict of interest and reporting requirements to FDA. CBs must report to FDA within 45 days even if they’re just performing a consultative audit. They must also report to FDA if they see an issue that could lead to a Class I or Class II recall and they have to report to FDA before they report to the company that they are auditing.


Will a GFSI audit satisfy FSMA audit requirements?

GFSI audit requirements do not match the FSMA audit requirements, but they are not too different. Several of the schemes are very similar, and each scheme owner is making a concerted effort to become FSMA compliant. If an auditor is doing a GFSI audit, they do not need report to FDA before the company. The FSMA requirements of avoiding conflicts of interest, record keeping, and training may deter GFSI auditors from becoming Certifying bodies under FSMA. Unless FDA offers an incentive, there will be a shortage of FSMA CB auditors. 


What are the elements of a successful audit?

The number one goal of an audit is to identify risk. The audit needs to accurately describe the non-conformances against the audit standard to give your quality and operations team reliable and actionable data so they can mitigate that risk. The relationship between the auditor and the facility should be a partnership, add value, and build trust. The facility should learn from the auditor and the auditor should understand what the facility is doing to mitigate risk and promote food safety. Continuous improvement takes the feedback from the non-conformances and evaluates them against the organization’s goal around risk. Whether the results are from an announced, unannounced, internal, second, or third-party audit, continuous improvement is critical, and this requires commitment from management and will help the facility become audit ready. 


How can I ensure my auditor is up to the task?

Most audits use checklists. This goes for both the auditor and the audited. The checklist provides a standardized list of what’s expected and adds an element of order and control to the audit. It also allows for an effective way to quantify metrics. 

However, using a checklist alone can lead to minimum risk finding. The auditor needs to find a balance between being strategic and prescriptive. In order to be effective, audit protocols need to be periodically reviewed and updated. This is especially relevant with FSMA and holds true for internal and third-party audits. Check to see if the auditor’s checklist is pre-FSMA or post-FSMA. Ask the auditor when was the last time that they reviewed and updated their audit protocols. 


Will we have enough good auditors to meet the need?

No, we already don’t have enough good auditors. The implications of this are that we may get substandard audits from substandard auditors. The current model isn’t working and we need a new approach. Currently, most auditors have extensive prior experience working in industry and often become auditors after they retire.

We are creating auditors not through structured training. This model is not sustainable and has limited growth potential. It will not provide the level of training required for GFSI or FDA third party certification requirement. We need a training program for auditors who come right out of school. We need people to go to school for food safety and be able to become an auditor after graduation. Food safety needs to be incentivized at the university level. There should be a bachelors degree in food safety auditing. We need structured training and developmental opportunities for folks earlier in their career rather creating auditors at the end of their career.

Top 10 GFSI Non-conformances, and How to Avoid Them

By Michael Biros
No Comments

Are you ready for audit? Gary Smith, Director of training and improvement solutions at SAI Global, talks about the top 10 GFSI non-conformances for SQF & BRC audits.

1. Business Continuity Plan Components/Annual Testing and Review

Many companies do not know what a business continuity plan is. It is not a recall and performing a mock recall will not count as an annual test and review. It is the continuing of business with a disruption in the supply chain. What are your plans for a key supplier going out of business or being affected by a natural disaster? If there is a fire or accident at one of your facilities, how are you going to ensure that your customers will still get delivery of your product? 

2. Food Safety Plan

HACCP has been around for years, but this is still a major area of focus. HACCP must be implemented and individuals must be properly trained in HACCP. All Critical Control Points (CCPs) must be validated. Review supporting documents during annual check. Is the flow chart current? Is the hazard analysis still correct? Question your employees during your internal audit. Get your employees used to and comfortable with answering questions about the food safety plan. 

3. Equipment and Utensil Condition

Utensils (scoops, shovels, belts, etc), equipment, and all food contact surfaces must be designed and in good condition so as not to be a food safety risk. Implement a foreign material control plan. Have a preventative maintenance schedule. Focus the internal audit program on equipment, not just employees. Use a flashlight when conducting internal audits. Train, empower, and reward production employees to identify equipment defects. Do not have temporary repairs. 

4. Allergen Management

Allergens are the number one cause of recalls. You must have a good allergen control program and this program must be validated. Identify ingredients as allergens at receiving and have a label inspection program. Specific allergen proteins must be validated with surface testing and product testing. Allergens must be listed as hazards in hazard analysis with the control as the allergen management program. 

5. Internal Audit

Have a strong internal audit program that emphasizes proactive solutions to avoid non-conformances. Manage non-conformances with a corrective action program. Take photos of all findings during internal audits. Make the process as formal as possible. Dress like the auditor would and ask employees questions. 

6. Condition of Walls, Doors, Floors, and Ceilings

Tape, cardboard, and construction plastic sheeting must not be used as these surfaces cannot be cleaned. Doors and windows must be properly closed. 

7. Product Traceability and Mock Recalls

If an auditor asks you about a product, you must be able to list all the raw materials, where they came from, and how they were processed to create your product. Keep the recall team current. Have procedures for a mock recall and always perform it. Make the mock recall a real test. Include ingredients and packaging in all traceability programs. Perform product trace exercises during the internal audit. 

8. Records

Make sure that your records are legible, authorized, and that demonstrated activities are taken. 

9. Procedures for Product Disposition when Calibration is Out

This is a new standard. Companies are now required to have documented procedures in place for when calibration equipment is down. 

10. Stay Vigilant!

If you’ve achieved food safety certification, congratulations! However maintaining certification takes commitment and dedication. Be sure to maintain a strong food safety culture within your organization. Communicate well across all levels of the company. Have a strong internal audit program and don’t be afraid to identify issues and focus on corrective action management.