Tag Archives: audits

Craig Reeds, DNV GL

Six Ways to Prepare for a Cybersecurity Audit

By Craig Reeds
No Comments
Craig Reeds, DNV GL

In the food manufacturing industry, just as in any other industry, cybersecurity is very important. Your organization should be having cyber vulnerability assessments or penetration tests performed at least once a year. Like any big test you have taken in your life, this sort of assessment can be scary, but if you prepare for it, you can greatly improve the potential of passing the test. As you prepare for the assessment, there are six things you can either implement or do to make the result of this audit better for your organization.

  1. Do an inventory of what is connected to your network. You cannot expect to defend devices on your network that you are not aware of. Be sure when you perform this inventory that you include any device that connects to your network. Think past the routers, switches, desktop PCs, laptops and printers. What is connecting to your wireless network? Is your security system or HVAC system connected to the network? Creating a network device inventory can be difficult, but there are tools available to make it easier. Once you have created the initial inventory, your baseline, go back at least monthly to look for new devices or devices that are no longer connected so you can update your inventory.
  2. Determine what is running on all of your network devices. In the first step you inventoried the hardware—now we need to inventory what is running on each device. You can use tools such as Nessus to inventory the software on each computer as it scans the network to perform the device inventory. This is the quickest way to complete both of these steps. If there is old or unused software on a device, remove it. You need to document the operating system and application software on each device. This software Inventory should also be included in your baseline and verified/updated on at least a monthly basis.
  3. Use the Principle of Least Privilege. This is a very valuable cybersecurity concept. Never give a user or device more rights on the network than they/it need to perform their assigned tasks. Privileges are assigned based on roles or job functions. If a user is unable to download and install applications on their PC or laptop, you reduce the chance of a device becoming compromised. Many hackers, once in a network, move laterally through the network from machine to machine looking for information or vulnerabilities that can be used to give themselves more abilities on the network. If a hacker were to gain access to a user account or system with low privileges, it decreases the amount of damage they could do.
  4. Use Secure Configurations. All operating systems, web browsers and many other networked devices have secure configuration settings. One of the problems with doing this is that operating systems alone can have hundreds of settings to choose from. The Center for Internet Security provides benchmarks for just about every conceivable device. The CIS Benchmarks are distributed free of charge in PDF format to propagate their worldwide use and adoption as user-originated, de facto standards. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia.
  5. Set up a policy and procedure for applying security patches. New vulnerabilities are discovered every day and when these vulnerabilities are found, vendors release updates or patches to mitigate the vulnerability. Exploiting vulnerabilities is what a hacker lives for. An unpatched vulnerability can be almost an open door for a hacker to get into your computer or network. It is mind boggling to hear that some organization was hit with ransomware because they didn’t load a security patch that was released six to 12 months ago. When an application reaches end-of-support, the vendor stops releasing patches, and that should tell you that it is time to upgrade the software to the newest version or find another tool to perform that task. Never use unsupported software on your network. Speaking as an auditor, a fully patched network is impressive.
  6. Create an Incident Response Plan. Let’s face it, no matter what you do to protect yourself, something is eventually going to go wrong. Do you have a plan to continue operations if you lose access to your office building? Do your users know what to do if they receive or fall prey to a phishing e-mail? This process starts with performing a risk assessment. Once you have determined the potential risks, you then move on to determining how to mitigate the risks. You will need to create policies and procedures and then train the employees on them, so they know what to do.

By performing these six steps you will be protecting and strengthening your networks, your users, and trust me, you will impress the auditor. Also, it should be noted that these are not once and done steps—these are steps that must be repeated sometimes on a daily, if not at least on a monthly, basis.

Steven Burton, Icicle Technologies
FST Soapbox

Food Recall Strategies: What You’re Missing (And What You’re Risking)

By Steven Burton
No Comments
Steven Burton, Icicle Technologies

You’ve heard the horror stories of product recalls: The Peanut Corporation of America in 2009, Blue Bell ice cream in 2015, and Darwin’s Raw Pet Foods this year. Beyond the nightmare scenario, the truth is that food recalls are common—even for companies that take food safety seriously, train effectively and keep excellent records. Yet all of these things, when done properly and efficiently, go a long way to reduce the impact and severity of a recall.

Unfortunately, many food manufacturers, although required to have a written recall plan, aren’t ready for the challenge. Without the proper systems in place, businesses needlessly risk their customers, reputation, revenue and future.

Risks Of Inadequate Recall Strategies

Resolving a recall can take years and potentially millions of dollars in fines, product shipping and disposal cost, production line downtime, lawsuits, and lost market share as consumers lose trust in the company. But there are two strategic errors that can amplify these consequences—and they both have to deal with traceability.

The first problem we frequently see is lot codes not being specific enough. Rather than breaking up production into discrete lot codes so the scope of recalls can be as limited as possible, some facilities just run the same lot code for many production runs. The record we have seen so far is three years! When a recall occurs,this results in a recall of massive scope that can easily bankrupt a company.

The second problem that is even more common is a lack of dynamic documentation. Assembling transactions using disconnected records from different departments can be time-consuming and error-prone. When you’re under pressure from regulators or auditors to connect the dots between an ingredient and customers through complex, multi-stage production processes using such a record system, it can cause stress and potential audit failures.

These two missing pieces make recalls larger, more time-consuming, and more expensive than necessary due to a lack of precise traceability. Let’s take a look at the two ways you can fill these gaps in your system and mitigate the consequences of recalls.

Get Specific with Ingredients, Suppliers and Lot Codes

Streamlining your product lines and packaging options lists is a straightforward way to reduce potential headaches in the event of a recall. The more products and packaging options with which you work, the more complex it will be to pinpoint and resolve food safety failures. Anyway, this type of housekeeping is beneficial as far too many companies have large lines where only a small subset of their products sell well at decent margins. Larger, more mature organizations tend to thin down their lines to optimize for profitability, and smaller companies can often benefit from doing the same.

The next strategy you can employ to mitigate the consequences of a recall is by being ultra-precise when it comes to your records and lot codes. The more narrowly you refine your lot coding system, the fewer items you’ll have to recall. Let’s look at a specific example of how this could have saved two companies millions of dollars.

In 2010, Hillandale Farms and Wright County Egg recalled about 550,000,000 eggs, one of the largest recalls in the history of the United States. Although the company was able to resolve the specific dates and facilities where the contaminated product originated, they had 53 million hens laying, so this level of resolution may not have been adequate enough. Had they implement traceability lot codes down to the hen house level, they may have been able to contain the recall.

Automate Your Traceability To Be Audit Ready, All The Time

The challenge of maintaining an overly broad product line or providing customized packages is that you create hundreds or thousands of variants in your products. When records are maintained manually, it becomes extremely difficult to manage recalls effectively. An Excel spreadsheet may keep a record of everything, but it’s certainly not dynamic or time-efficient when undertaking mass balance calculations.

The key here is to adopt software that you can incorporate into every department. Shipping, receiving, accounting, production—when all the records are kept in a central database, checking and updating those records becomes much easier. But the best systems don’t just centralize your collected data; they automate your data collection.

Dynamic documents automatically update each other. When a supplier changes, an ingredient lot gets swapped out, or products are shipped out, all the connected records for every department are automatically updated. No user mistakes, no failure to update the notes—just seamless, streamlined, auto-updating records.

There’s no better way to track complex production processes, control hazards, and collect all the necessary information necessary to breeze through audits than by using an automated system. With all your documentation interconnected, you don’t have to piece together the puzzle or play connect the dots—it’s all done for you, and that means you won’t waste millions on recalling products unnecessarily because you couldn’t pinpoint the exact path every ingredient took on the way to the customer.

Recalls are detrimental in every way, but they happen, so don’t get caught off guard. A little bit of proactive technology will go a long way in keeping your business afloat if you ever do face the nightmare of a recall.

Steven Burton, Icicle Technologies
FST Soapbox

Six Best Practices To Make Audits Stress-Free

By Steven Burton
No Comments
Steven Burton, Icicle Technologies

Your next audit is already on its way. Now that many regulatory bodies and certification agencies are no longer required to give you a heads-up about upcoming audits, it’s completely up to you to stay on top of compliance, recordkeeping, and a myriad of other tasks on a day-to-day basis. And without that buffer of warning from auditors, falling behind can be more detrimental than ever.

Let’s walk through some effective practices that keep you ready for an audit at a moment’s notice, make the process go smoothly once the auditor arrives, and get rid of some unnecessary stress all along the way.

Connect All Departments to an Online Database

When it comes to collecting and moving data from one department to another, there’s nothing as inefficient as disconnected documents. Not only are they a strain to keep organized in big filing cabinets or file folders, but they take a long time to create, share and edit. It seems cliche to harp on this point in 2018; yet, many food safety coordinators have a purely manual system.

By connecting your entire company to an online database, you enable different departments to organize, share and update documents in seconds, rather than minutes. This level of connectivity can shave time off dozens of tasks per day, which ultimately leads to hours or days of extra productivity over the course of a year. When you adopt a system that updates connected documents in real time, you won’t have to make manual changes to multiple documents for small changes.
If you want to get extra efficient, the real trick to this best practice is to find software that you can incorporate into every department. Then, as people go about their normal jobs, the information they collect is automatically uploaded to the central database.

Utilize the Internet Of Things to Streamline Data Collection

These days, it’s possible to connect almost every piece of equipment to the Internet of Things. Even if your machinery doesn’t have measurement tools built-in, there are almost certainly additional tools you can install to create that functionality.

Having your equipment feed data directly into your central database is faster than manually collecting information and eliminates the risk of human error when it comes to data entry. Thanks to that simple degree of automation, already standard in large parts of the global economy, you can also use system dashboards and alerts that let you know when something’s off, like the temperature in the freezer or the production speed of equipment on the floor.

Don’t Settle for Uninspired Internal Audits

Many food safety coordinators are so focused on specific issues that they forget to take steps back to look at the situation from a bird’s eye view. When the time for an internal audit comes around, they do it with one eye on the audit and one eye on the next fire that needs putting out.

Lazy internal audits are not only noticeable to external auditors, they keep you in the dark about what’s really happening in your facility. Here are a few ways you can ensure your internal audit empowers you rather than slows you down:

  • Schedule the internal audit ahead and make it immovable
  • Plan out your scope, objectives and process to establish momentum and direction
  • Dedicate your full attention to running the audit and managing relevant staff
  • Report your findings in detail and discuss with necessary employees
  • Schedule and verify corrective actions

A well-performed internal audit is a powerful way to regroup, refresh goals and stay on track.

Train All Employees for Go-Time

Do you know which employees an auditor is allowed to interview? Any of them. No person is disqualified from interviews, which means every employee needs to be well trained on food safety procedures. While most facilities only train employees until they know the basics of food safety for their department, going above and beyond here can have some major gains.

Consider the perspective of the auditor. When they are asking your employees questions, they’re not just trying to complete a basic inspection. They want to see signs that you haven’t done the bare minimum, but that your employees are immersed in a food safety culture, that they have been receiving training long-term, and that food safety is a fundamental value of your company.

When auditors get the sense that your employees are up-to-speed, things tend to go a little smoother, stress levels lower, and the auditor becomes less suspicious.

Give Food Safety Coordinators the Appropriate Authority (and Budget)

One issue that many facilities run into is an unempowered food safety coordinator. When that person discovers ways to improve or correct operations or employees that are not following protocol, he or she is often unable to take the appropriate action.

Hazards aren’t the only things that need corrective actions from time to time. Sometimes employees need to face consequences for compromising the production area with food or for haphazardly completing safety-related tasks. Other times, employees don’t have the necessary software or equipment to perform their job well and even though their managers may be aware, they don’t allocate the appropriate budget to improve the situation. In order for any company to thrive, standards must be enforced by relevant leaders; and there’s no one better to call the shots on food safety than the designated coordinator.

Establish a Company-Wide Food Safety Culture

When it comes down to it, companies that value food safety thrive. Companies that consider food safety an annoying task to check off the list—they’re the ones that run into extra trouble.

Building food safety into your company’s system of values starts at the very beginning with how you train your new hires. It continues on into how you provide ongoing training even to experienced employees. It’s not an item on the list of meeting topics; it’s a value that underscores the entire agenda.

In order for this approach to be successful, it has to start at the top. Facility owners and managers that value food safety will organically pass that on to the people below them. But when the upper levels can’t be bothered with food safety, the entire organization struggles to hold onto it as a value.

Some of these best practices you can start working on tomorrow; others will take time to implement. Embedding these into your company can be a long road, so keep your eye on the prize: A safe, efficient food safety program that impresses auditors and keeps things running smoothly.

Manik Suri, CEO and co-founder, CoInspect
Retail Food Safety Forum

Rodent Poop, the Olympics and Food Safety Inspections that Work

By Manik Suri
3 Comments
Manik Suri, CEO and co-founder, CoInspect

Another day, another potentially brand damaging story—just ask Little Caesars. On February 7, the health department closed down an Indianapolis-based location because customers found some rodent feces on their pizza—it was clearly a food safety violation, and pretty disgusting. Meanwhile on the other side of the planet, athletes prepared their entire lives to compete in the Olympics. More than 100 people contracted Norovirus around the Olympic sites in Pyeongchang, where the athletes were in danger of getting a violent, contagious stomach illness that would derail their dreams and prohibit them from competing.

We live in a world that eats out, and if we don’t develop new techniques to protect customers in restaurants and food service settings, more people are going to get sick (or worse) from foodborne illnesses. The current food safety process is broken, and needs to be fixed in restaurants nationwide and globally.

At Google, Larry Page has spent two decades managing the speed of a search result for the company’s core service. From 1997 forward, Page has obsessed about the right results as fast as possible. When has Google ever been slow? People use the search engine daily because it always works.

For restaurants to grow and thrive, they need habit formation from fickle consumers. Habits are formed when restaurants deliver on their value proposition slice after slice, burger after burger, and salad after salad. So what is your organization doing to make sure that every meal is extraordinary— not only delicious, but also safe? What are you doing to prevent Norovirus and other foodborne illnesses?

Well, you’re probably not studying the data to create better processes. A 2017 survey of the top 500 restaurant chains found that 85% use paper logs or spreadsheets as their core technology for safety, quality and standards management. Paper logs, line check clipboards or homemade Excel sheets on a laptop are inefficient and ineffective systems to manage something as critical as food safety.

Many restaurants have upgraded their mobile ordering software and relaunched their menus on LED screens, but still make employees use clipboards to conduct food safety line checks and QA audits. This devalues the importance of their food safety operating protocols. Restaurant teams are comprised mostly of millennials and Generation Z— the mobile generations. They expect to be trained, do work and solve problems with their phones. But when their employers train with paper manuals and complete work with paper forms, it’s a huge disconnect for them.

Moreover, how did people at Little Caesars HQ in Detroit have insight into that recent incident in their Indianapolis store? What operating data do they have to examine? What line checks happened in store on the day in question? When was their last third-party food safety audit? What corrective actions were taken? That information would be hard for them to know, if, like the vast majority of restaurant chains, they were not collecting and analyzing data with modern tools.

Upgrading your operating technology so that your people have digital tools is not expensive. Software is much more affordable today because of the software-as-a-service revolution and the extraordinary computing power and proliferation of mobile devices. An emerging ecosystem of safety and software companies is ready to take your facilities into the 21st century. But the C-Suite has to decide it wants to empower its employees to do their best work and commit to having real-time data that is actionable and accurate.

Having mobile ordering software and LED screens for menus is helpful and valuable. But food safety is the most important component of every restaurant (and other food service companies). It is imperative that the food service industry embraces digital solutions to elevate their food safety standards. Without proper food safety standards, any organization could face a crisis like Little Caesars and the Olympics recently experienced. All it takes is one tainted meal to harm your guests—and your brand.

Eurofins and Orion Assessment Partner to Expand Auditing and Certification Services

Eurofins Food Safety Systems and Orion Assessment Services have announced a partnership that will expand their auditing and certification services on a global scale.

“The partnership will allow Eurofins to broaden their BRC Global Standards and GFSI scheme auditing resource base and provide them additional expertise in BRC to utilize. It will also allow Orion Assessment Services to operate under the Eurofins accreditation for BRC, SQF and FSSC 22000 schemes,” according to a Eurofins news release. “As a certification body, this collaboration will enhance the standards currently offered through Orion Assessment Services’ accreditation for ISO 17065 and ISO 17021, as well as offering brand new opportunities in the various GFSI schemes, for both existing and new clients internationally.”

Food Safety Supply Chain panel 2017

Registration Open for 4th Food Safety Supply Chain Conference

By Food Safety Tech Staff
No Comments
Food Safety Supply Chain panel 2017

Do you trust your suppliers? What about your supplier’s suppliers? Strengthening the links within your supply chain can be a challenging task, but it is necessary with FDA, and FSMA, recognizing the risk that exists.

Key topics, including vulnerabilities, inspections & audits, traceability, supplier verification, transportation, and recalls will be addressed at the 4th Food Safety Supply Chain conference from June 12–13 in Rockville, MD. The event will be held at the U.S. Pharmacopeial Convention.

This year’s agenda will be posted by March 1. In the meantime, the following are some topics covered at last year’s event:

Industry Experts Weigh in on Supply Chain Issues

Import Safe Food, Stay Out of Trouble with FDA

 

Lance Roberie, D.L. Newslow
FST Soapbox

Can You Defend Your Food Safety Plan?

By Lance Roberie
1 Comment
Lance Roberie, D.L. Newslow

As a food safety plan manager, do you ever get asked these questions regarding your food safety plan: What was your thought process for making this decision? Why do you do it this way? How do you answer this?

And, do you ever answer with one of the following statements:

  • I’m not sure? What do you mean?
  • That’s the way it has always been.
  • Our customer asked us to do it that way.
  • That’s what our last auditor recommended.
  • We make a low-risk product.

If this is one of your answers, defending your food safety plan may be a challenge. There is a major shift taking place in the world of food safety. With the implementation of FSMA Preventive Controls, the widespread adoption of GFSI audits, along with advanced technologies such as rapid pathogen and allergen detection, whole genome sequencing, and transparency efforts such as Blockchain, as well as with the increasing use of social media and access of information via the internet, food industry professionals are more educated and informed than ever before and ready to challenge your every move. As a food safety plan manager, you and your team must be ready! Being prepared to defend your food safety plan can be the difference between a recall and a routine audit. If you cannot fully explain the reasoning behind your decision-making, then how will you be able to prove that you are in complete control and are being proactive against food safety hazards? It will not be easy.

You must be ready to defend each and every part of your food safety plan. You must be able to defend questions and challenges with certainty and facts. Every decision made in your hazard analysis should be written down and backed with factual evidence whenever possible. Even the “none identified” areas should be backed by strong reasoning if no other factual evidence is available. You can use the data that you collect daily to help justify your decisions. Data collected from your prerequisite programs (ATP swab results, allergen cleaning validations, GMP audit findings, pest control trends, etc.) and food safety plan (CCP’s, validations, verifications) is all support for your decisions. Have this on file and ready to review when necessary.

If something looks out of the ordinary in your plan, make sure you can fully explain it and can back it with solid justification. If not, auditors, regulators, customers, etc. may start to become suspicious, which can lead to unwanted questions. You will then oftentimes start to get suggestions for change based on others’ individual expertise. Regulators may make “strong suggestions” for changes, for instance, and some people will just go along with it to avoid the pushback or because they simply don’t have a better solution. If this happens, soon your plan is no longer yours—it’s everyone’s. Some of these suggestions may be good, but is it really the right change for your plan? If not, it will often make the plan less rational and often difficult to defend.

The following are tips to help you avoid this situation.

  1. Meet with your food safety team regularly. Go through each part of your food safety plan and figure out how to answer the “why’s”. Why are things done this way? Why did we decide if this hazard was significant or not? Have annual reviews to make sure your plan is still functioning as originally intended and review new industry trends to be proactive regarding new potential hazards.
  2. Write a process narrative. Writing a process narrative documenting what happens at each step of your process and explaining your “thought process” for making decisions is a great support tool. It gives your team a chance to elaborate on the “justification” column in the hazard analysis, providing more decision-making details without crowding the hazard analysis form.
  3. Gather supporting documents. Scientific studies, guidance documents, expert opinions, etc. are vital pieces to have in your supporting documents library. Make sure it is appropriate for your individual products and the documents are from reputable sources, such as FDA, USDA, universities, process authorities, etc. Oh, and don’t forget about history! A reputable supplier with a long track record of safe product, a low history of recalls for the products you produce, etc. can help justify your decision-making.
  4. Conduct Internal Audits. Having an internal audit schedule and well-trained internal auditors help with finding inconsistencies within your program and allow you to make corrections before outside parties find these issues.
  5. Prepare. Have a “mock audit” and prepare for questions that are commonly asked during audits. Practice your answers and make sure you have supporting evidence when needed. Stay up-to-date with industry trends, especially common audit non-conformances.
  6. Be organized. It’s great to have all the supporting documents that you need, but if you cannot find them, then you just as well have nothing.
  7. Be confident. People, especially experienced auditors and inspectors, can quickly sense fear and lack of confidence. This often prompts more questions. Knowledge is power, and knowledge also builds confidence. Simply put, the more knowledgeable you are about your food safety plan, the more confident you will be when someone is trying to test you.
  8. Continuously Improve. It’s understandable that mistakes will be made. However, the next logical question you will be asked is: What did you do about it? Remember, for every nonconformance you find in your system, there should be a correction or corrective and preventive action to address it. It must not simply restate the problem, but legitimately correct the issue. This will give regulators, auditors, customers and anyone else looking at your system confidence that you are in control and can provide a consistently safe product.
3M Food Safety

From Culture To Compliance: The Link Between Food Safety Culture & Audit Preparedness

3M Food Safety

On Tuesday, December 5th, 3M Food Safety and Neumann Risk Services will host the final part of a 4-part webinar series on the Food Safety Modernization Act (FSMA). A special panel discussion of food safety experts will provide insight into how a robust food safety culture can positively impact audit preparedness and signal a culture of compliance.

Attendees will learn what a strong food safety culture looks like and how it can help comply with FSMA and the Safe Quality Food (SQF) Code. The free webinar will be recorded at the 2017 SQF International Conference in Dallas on November 9. It will conclude with a live Q&A for attendees and be offered on-demand to webinar registrants.

The first three webinars are currently available for on-demand listening at the 3M Health Care Academy, and each presents the opportunity to learn about the challenges companies are facing in operationalizing FSMA rules. The webinars offer real-world insight into how companies streamline implementation and execution of food safety plans, supply chain programs and other FSMA-driven programs.

Melanie Neumann, Neumann Risk Services
Melanie Neumann Neumann Risk Services, LLC

Melanie Neumann, president, Neumann Risk Services, a Matrix Sciences Company, will be moderating the panel discussion. Panelists will include:

  • Bill McBride, principal and managing director of Foodlink Management Services and SQFI Asia Pacific representative
  • Dr. Lone Jespersen, principal and founder, Cultivate
  • Dr. Martin Wiedmann, Gellert Family professor in food safety, Cornell University
  • Dr. Jay Ellingson, corporate director of food safety and quality assurance, Kwik Trip, Inc.

The webinar will take place on Tuesday, December 5 at 1:00 p.m. Central Standard Time. To sign up for the webinar, click here.

Patricia Wester, PA Wester Consulting

Q&A On FSMA Audits: A Conversation With AFSAP CEO Patricia Wester

By Food Safety Tech Staff
No Comments
Patricia Wester, PA Wester Consulting

As a trade association for auditors and the auditing industry, AFSAP has researched the various references to audits found in all of the FSMA rules, and monitored the steps taken across the auditing community to meet these requirements. In this Q&A, we sit down with Patricia Wester, chief executive officer of AFSAP, to talk FSMA audits, criteria for supplier audits, preventive controls and FDA guidance. She will be running the Pre-Conference AFSAP Food Safety Auditing Fundamentals Course at this year’s Food Safety Consortium.

Background on the AFSAP and FSC Alliance

In July 2016, GFSI announced they would re-open the Guidance document revision process so that FSMA’s requirements could be considered for inclusion. When the final GFSI Guidance document was released, it included most of FSMA’s requirements. At this point, the Schemes still had to accommodate these changes, which were then provided to the CB’s. Depending on the Scheme, a CB also had to consider including content to address any FSMA related gaps. In the end, these audits could take more than a year to reach the market, and depending on the individual site’s renewal period, it could be many more months before a supplier was actually audited.

Patricia Wester moderated the Plenary Panel “What’s Next for Audits”
and running the
Pre-Conference AFSAP Food Safety Auditing Fundamentals Course at the
2017 Food Safety Consortium November 29 – December 1, 2017 in Schaumburg, IL.

Recognizing the need to inform the market, the inaugural Plenary Panel on Auditing, moderated by AFSAP’s Patricia Wester was presented at the 2016 Food Safety Consortium meeting. Dr. Ostroff opened the discussion to share FDA’s perspective on the use of audits for FSMA. His remarks were followed by representatives from GFSI, Schemes and CB’s as each described their role and recent activities to meet the new regulatory requirements, and provide insight into the timelines involved.

Dr. Ostroff has agreed to join us again for the 2017 meeting, and will participate in the Plenary Panel “What’s Next for Audits” as Industry, Retailers and the auditing community prepares for the accredited certification audits necessary for VQIP.

FoodSafetyTech: How are audits used in FSMA?

Patricia Wester: In the Third Party Audit rule, FDA outlines an accredited certification program for imported food that applies in 2 specific situations. The first applies to any imports FDA designates as “a high risk food” and the second is the use of certification audits for importers in The Voluntary Qualified Importer Program, (VQIP). Under VQIP, participating importers are required to source their products from suppliers that are certified under the FDA program.

In addition to the certification audits for VQIP and high-risk foods, audits are one of the options for supplier verification activities under the human and animal food preventive controls rules. When the hazard analysis identifies a raw material has a serious hazard, (SAHCODHA hazard), that ONLY the supplier controls, a supply chain preventive control is required, and the supplier verification activity must be an onsite audit. FDA allows some flexibility here, the audit can be a second or third party audit as long as it meets the requirements listed in 117.435, and is performed by a qualified auditor as defined in 117.3. These requirements are applicable to audits used to verify foreign suppliers (FSVP) as well as domestic suppliers.

FST: Don’t GFSI Scheme audits meet the criteria for Supplier Audits?

Wester: FDA allows the use of any audit that meets FDA’s criteria for audit content. This includes second party audits executed by employees of the receiving facility and third party audits, including GFSI audits, as long as they meet the requirements for audit criteria and are performed by a qualified auditor.

FDA acknowledges that the GFSI Auditor Competence provisions are consistent with the Agency’s findings, but that recognition does not extend to the audit criteria/content of GFSI audits.

In fact, any audit program in use prior to the publication of FSMA’s rules would probably need to be updated for these new requirements. GFSI, the Schemes, the CB’s, and others involved in the delivery of audits have likely all updated their audits to eliminate the major gaps, however, there are still some key FDA requirements that remain unmet.

FST: So, even though audit programs have been updated for FSMA’s new requirements, they are still missing some of FDA’s requirements? Why didn’t they just add everything?

Wester: In most cases, it appears to be due to a misinterpretation of the audit criteria that underpins all FDA’s audits. FDA’s audits focus on assessing a suppliers compliance with “applicable food safety regulations, the HACCP and/or Food Safety Plan and the plan’s implementation”. The Preventive Controls for Human Food Rule states the audit requirements in Subpart G:

§117.435 states:

If the raw material or other ingredient at the supplier is subject to one or more FDA food safety regulations, an onsite audit must consider such regulations and include a review of the supplier’s written plan (e.g., Hazard Analysis and Critical Control Point (HACCP) plan or other food safety plan), if any, and its implementation, for the hazard being controlled.

We (FDA) have revised phrasing to state “and its implementation” to emphasize that implementation of the plan is distinct from the plan itself (e.g., § 117.126(c). (The PCHF Final rule preamble)

Similar phrasing such as “any applicable FDA regulations” is used elsewhere when FDA discusses audit criteria, such as FSVP and VQIP and the Third Party Certification Audit rules. Further, the PCHF rule, §117.190 provides a comprehensive list of “Implementation Records” that can be used as a guide to understanding what meets this element of the FDA’s requirement.

The auditing community and Industry have assumed the regulatory reference was limited to the FSMA regulations, such as Preventive Controls for Human or Animal Food or the Produce Safety final rules), and has focused on those regulations to update their audit programs. Other FSMA regulations, such as Intentional Adulteration and Sanitary Transport, could easily be considered part of the requirement, so there are a few audit options that include those rules.

FST: What about products that are exempt from the Preventive Controls Rules?

Wester: Audits for products that are exempt from the PCHF (human Food) rule, such as Juice and Seafood HACCP, are probably available under a general HACCP format, but they may not include the level of detail required under FSMA, and would have to specifically requested when arranging a supplier audit.

Audits for other PCHF exempt products, such as bottled water or low acid canned foods, would be audited using a general food safety audit, with the specific product treated as a product category under that audit. Once again, these audits lack the product specific regulatory content and implementation details required by FSMA.

The question becomes, which FDA regulations (beyond FSMA) apply to an audit used for regulatory compliance and how much detail in the audit is necessary?

In other words, what is the full scope of regulations needed for the audit, and what are the audit criteria? Is it just FSMA or does it go further?

FST: Where does one look for this information? Does FDA offer any guidance about the scope of the audit?

Wester: The CFR, or Code of Federal Regulations is the starting place for regulations. Finding the regulatory information would not be difficult, Title 21, CH 1 Parts 1-1499 include FDA’s food regulations. In addition each part can have multiple subparts etc.

Given the sheer quantity of regulations, and that some are product specific while some are not, developing different audits for all of the possible regulatory combinations would be a daunting task and enormously costly. Remember, every auditing company will have to go through this process.

There are FDA references to scope and criteria in several responses to comments:

Audit Criteria means the set of policies, procedures or requirements used as a reference against which audit evidence is compared. During regulatory and consultative audits, accredited third-party certification bodies will examine compliance with applicable food safety requirements of the FD&C Act and FDA regulations within the scope of the audit. In consultative audits, the third-party certification bodies also may be conducting an examination to determine conformance with applicable industry standards and practices.

The applicable requirements that accredited third-party certification bodies and their audit agents will use relate to the food safety standards under the FD&C Act, such as the adulterated food provisions in section 402 of the FD&C Act and the provisions on the misbranding of food allergens in section 403(w) of the FD&C Act. The applicable requirements of the FD&C Act and FDA regulations would depend on the type of eligible entity being audited. Other examples include labeling requirements and the CFR citations listed under scopes.

Certainly, more detail than this is needed, and AFSAP is working to engage all parties, including FDA, in collaborative discussions to resolve these questions and concerns. The auditing community will need to address these issues in the near future, and industry should be vigilant to understand the requirements and make sure any audits used for FSMA are compliant.