Food Safety as a Supply Chain Management Problem, with John Spink, Ph.D., Michigan State University
Supplier Certification in Today’s Supplier Quality Management Programs: A Discussion with Gary van Breda, McDonald’s; Jorge Hernandez, Wendy’s; and moderated by Kari Hensien, RizePoint; Sponsored by RizePoint
What Needs to Change in Food Safety Certification: A GFSI Panel Discussion moderated by Erica Sheward, GFSI
Auditing Update in the Age of COVID: FDA Standards and Regulations Alignment Pilot, with Trish Wester, AFSAP
This year’s event occurs as a Spring program and a Fall program. Haven’t registered? Follow this link to the 2021 Food Safety Consortium Virtual Conference Series, which provides access to all the episodes featuring critical industry insights from leading subject matter experts! Registration includes access to both the Spring and the Fall events. We look forward to your joining us virtually.
Managing the complexities of a management system is challenging for any food and beverage company, particularly for the team tasked with implementing the system throughout the organization. That is because every regulatory agency (e.g., FDA, USDA, OSHA, EPA) and voluntary certification (e.g., GFSI-benchmarked standards, gluten-free, organic, ISO) calls for companies to fulfill compliance requirements—many of which overlap. Supply chain and internal requirements can create further complications and confusion.
In today’s “New Era of Smarter Food Safety,” having a common system to organize, manage and track compliance offers an ideal solution. Dynamic tools are becoming available—systems that can manage employee training, pest control, laboratory testing, supply chain management tools, regulatory compliance and certification requirements, etc.
Unfortunately, these systems are often not set up to “talk” to each other, leaving company representatives to navigate many systems, databases, folders, and documents housed in many different locations.
The Solution: Compliance Management Systems
An integrated compliance management system (CMS) is intended to bring all these tools together to create one system that effectively manages compliance requirements, enables staff to carry out daily tasks and manage operations, and supports operational decision making by tracking and trending data that is collected daily by the team charged with implementation.
A CMS is used to coordinate, organize, control, analyze and visualize information to help organizations remain in compliance and operate efficiently. A successful CMS thinks beyond just access to documents; it manages the processes, knowledge and work that is critical to helping identify and control business risks. That may include the following:
Ensuring only authorized employees can access the right information.
Consolidating documents and records in a centralized location to provide easy access
Setting up formal business practices, processes and procedures
Implementing compliance and certification programs
Monitoring and measuring performance
Supporting continuous improvements
Documenting decisions and how they are made
Capturing institutional knowledge and transferring that into a sustainable system
Using task management and tracking tools to understand how people are doing their work
Enabling data trending and predictive analytics
CMS Case Study: Boston Sword and Tuna
In early 2019, Boston Sword and Tuna (BST) began the process of achieving SQF food safety certification. We initially started working with BST on the development, training and implementation of the program requirements to the SQF code for certification—including developing guidance documents for a new site under construction.
The process of attaining SQF certification included the development of a register of SQF requirements in Microsoft SharePoint, which has since evolved into a more comprehensive approach to overall data and compliance management. “We didn’t plan to build a paperless food safety management system,” explains BST President Larry Dore, “until we implemented our SQF food safety management program and realized that we needed a better way to manage data.”
We worked with BST to structure the company’s SharePoint CMS according to existing BST food safety management processes to support its certification requirements and overall food safety management program. This has included developing a number of modules/tools to support ongoing compliance efforts and providing online/remote training in the management of the site and a paperless data collection module.
The BST CMS has been designed to support daily task activities with reminders and specific workflows that ensure proper records verifications are carried out as required. The system houses tools and forms, standards/regulatory registers, and calendars for tracking action items, including the following:
Corrective and Preventive Action (CAPA)
Chemical Inventory/Safety Data Sheets (SDS)
Employee Health Check
Food Safety Meetings Management Program
Good Manufacturing Practices (GMP) Audit
Maintenance (requests/work orders/assets/repairs)
Nightly Cleaning Inspections
Sanitation Pre-Op Inspections
Thawing Temperature Log
Key Considerations for Designing a Successful CMS
An effective CMS requires an understanding of technology, operational needs, regulatory compliance obligations and certification requirements, as well as the bigger picture of the company’s overall strategy. There are several key considerations that can help ensure companies end up with the right CMS and efficiency tools to provide an integrated system that supports the organization for the long term.
Before design can even begin, it is important to first determine where you are starting by conducting an inventory of existing systems. This includes not only identifying how you are currently managing your compliance and certification requirements, but also assessing how well those current systems (or parts of them) are working for the organization.
As with many projects, design should begin with the end in mind. What are the business drivers that are guiding your system? What are the outcomes you want to achieve through your system (e.g., create efficiencies, provide remote access, reduce duplication of effort, produce real-time reports, respond to regulatory requirements, foster teamwork and communication)? Assuming that managing compliance and certification requirements is a fundamental objective of the CMS, having a solid understanding of those requirements is key to building the system. These requirements should be documented so they can be built into the CMS for efficient tracking and management.
While you may not build everything from the start, defining the ultimate desired end state will allow for development to proceed so every module is aligned under the CMS. Understand that building a CMS is a process, and different organizations will be comfortable with different paces and budgets. Establish priorities (i.e., the most important items on your list), schedule and budget. Doing so will allow you to determine whether to tackle the full system at once or develop one module at a time. For many, it makes sense to start with existing processes that work well and transition those first. Priorities should be set based on ease of implementation, compliance risk, business improvement and value to the company.
Finally, the CMS will not work well without getting the right people involved—and that can include many different people at various points in the process (e.g., end user entering data in the plant, management reviewing reports and metrics, system administrator, office staff). The system should be designed to reflect the daily routines of those employees who will be using it. Modules should build off existing routines, tasks, and activities to create familiarity and encourage adoption. A truly user-friendly system will be something that meets the needs of all parties.
Driving Value and Compliance Efficiency
When thoughtfully designed, a CMS can provide significant value by creating compliance efficiencies that improve the company’s ability to create consistent and reliable compliance performance. “Our system is allowing us to actually use data analytics for decision making and continuous opportunity,” said Dore. “Plus, it is making remote activities much more practical and efficient”.
For BST, the CMS also:
Provides central management of inspection schedules, forms, and other requirements.
Increases productivity through reductions in prep time and redundant/manual data entry.
Improves data access/availability for reporting and planning purposes.
Effectively monitors operational activities to ensure compliance and certifications standards are met.
Allows data to be submitted directly and immediately into SharePoint so it can be reviewed, analyzed, etc. in real time.
Creates workflow and process automation, including automated notifications to allow for real-time improvements.
Allows follow-up actions to be assigned and sent to those who need them.
All these things work together to help the company reduce compliance risk, create efficiencies, provide operational flexibility, and generate business improvement and value.
SQF Q&A with Shawna Wagner, CP-FS, Food Sector Technical Manager, North America
SQF Auditor of the Year 2019
FSSC 22000 Q&A with Isabella D’Adda, DNV GL Global Food & Beverage Manager
BRCGS Q&A with Veronica Ramos, DNV GL Lead Auditor, BRCGS Auditor of the Year 2020 award winner
Can we have 100% remote audits?
Shawna Wagner (on SQF): SQF does permit conducting an audit at 100% using ICT. Audits using ICT are not mandatory. This option must be a last resort option, as full onsite and the 50/50 blended option (50% onsite and 50% remote) shall be the first options. A feasibility assessment with a certified organization is needed to verify that a full remote audit is an effective and practical option. An SQF Fully Remote Audit only applies to announced re-certification and/or surveillance audits of the SQF Food Safety and/or Quality Codes. It does not apply to initial certification audits or unannounced re-certification audits.
SQF Fully Remote Audit certification can be applied to the following SQF Codes:
SQF Food Safety Code for Food Manufacturing
SQF Food Safety Code for Storage and Distribution
SQF Food Safety Code for Manufacture of Food Packaging
SQF Food Safety Code for Primary Production
SQF Quality Code
Isabella D’Adda (on FSSC 22000): Yes, 100% remote audits are now allowed also for FSSC 22000. On the 5th of October, 2020 FSSC published a new document called “Full Remote Audit Addendum” that explains the conditions and the rules for conducting FSSC 22000 audits fully remotely. This document is valid and applicable only, when a certified organization cannot be accessed due to a serious event – as in the case of a pandemic.
The FSSC 22000 full remote audits are completed using Information and Communication Technology (ICT); these will be accredited audits, which will not be recognized by GFSI – the transparency of the certification process is always granted, that’s why the certificate that will be issued after these kind of audits will have a specific reference that a Full Remote Audit was conducted.
Before conducting a 100% remote audit, a certification body must evaluate an impact of the serious event on the current certificate and certification status, and conduct a feasibility assessment with the certified organization in order to verify that a full remote audit is an effective and practical option.
The FSSC 22000 full remote audits can be done when annual announced surveillance/periodical or recertification audits cannot take place on-site. But not for Stage 2 Initial audits. Note: even during the 100% Remote audits, auditors need to spend about 50% of the time on documents and records evaluation, and the rest of the audit time on performing video plant tours and interviews.
The addendum to the standard called “FSSC 22000 Annex 9” is still valid in cases where a certification body and an organization agree that it is more appropriate and effective to conduct an audit in two steps: document review and interviews with key personnel remotely, using information and communication technology (ICT), then audit implementation and perform verification of the food management system on-site, with a time-lapse between the two steps.
In the case of the first certification, the FSSC 22000 Annex 9 can be applied and the whole stage 1 audit can be conducted remotely, while the subsequent stage 2 audit will be conducted on-site at least within 6 months after stage 1. For all other audits, according to Annex 9, part of an audit can be conducted remotely, and the rest of the activity completed onsite, considering that the onsite audit cannot have a duration less than 1 day and shall be at least 50% of the total audit duration.
Veronica Ramos (on BRCGS): The rules have been changing recently for the BRCGS standards. These rules are published in the Position Statement BRCGS 078, 080 and 086 (www.brcgs.com) – and these are applicable only for already certified sites. Currently, all certified sites, whose certificates can be affected due to COVID-19 in respect to travel restrictions and internal rules of receiving external visitors to the sites, can opt to any of the following three options:
Request a certificate extension for six months with a COVID-19 risk assessment (see Position Statement BRCGS 072);
Request their re-certification audit with the “blended audit” modality (see Position Statement BRCGS 080) – where a remote audit (using ICT electronic systems) is combined with an on-site audit for re-certifications;
Request the new temporary modality to conduct 100% of an audit remotely (according to the Position Statement BRCGS 086).
This is only applicable for announced audits. It is considered that the best option is to conduct a regular on-site audit or to go with the blended audit option, because an auditor can have a better opportunity to confirm the level of compliance on-site. The on-site audit part should be of at least 1.0 day duration, while the remote part shall not exceed 50% of the total audit duration. Note: full (100%) remote re-certification audits must replicate the exact methodology of a regular audit, including plant tours and interviews, however, it must be first verified that electronic devices and communication means can be used successfully. Also, one should be aware that 100% remote audits are not GFSI benchmarked, but are accredited. Please contact your lead auditor or certification body for more information.
What can be audited during the remote portion?
Wagner (on SQF): For SQF we would focus mainly on Module 2 items, such as Food safety policy, Management Reviews, Approved Supplier Program, Specifications, Validations, Verifications, and Training for the 50/50 blended audit. The 100% remote audit shall include all steps associated with an SQF Systems audit including the opening and closing meetings and discussion and agreement on non-conformities.
D’Adda (on FSSC 22000): When an audit is 100% remote, the whole activity will be done using an appropriate ICT. The audit will follow the same format and organization as an on-site one and, in any case, an auditor must be able to complete the full audit against all FSSC 22000 requirements: also during these audits a possibility to do interviews with personnel must be granted, an appropriate site inspection of all production areas, facilities, storage and external areas must be completed, implementation of PRPs must be verified, documentation must be evaluated with involvement of all management and staff, who manages the food safety system.
A fully remote audit can be conducted only, when a site is operational, and production is taking place.
For FSSC 22000 fully remote audits, it is advisable to provide supporting information to an auditor before an audit takes place. Documentation, such as site maps, updated flow diagrams, a list and overview of OPRPs/CCPs, any changes, caused by a serious event, and any other supporting information regarding the production process will be useful during an audit.
For audits done 50% remotely and 50% on-site there is the following process: during the remote part, focus will be on the ISO 22000 components of the FSSC 22000 scheme and interviews with management and key personnel. An auditor will review documents and procedures, check management review with specific focus on FSMS objectives and key process performance indicators, HACCP plan, internal audits, complaints and recalls, and how these were managed, focusing on key changes since the previous audit (applicable in the case of periodic audits and re-certification).
Ramos (on BRCGS): During the remote part of a blended audit focus should be on the information included in the documents and records: an auditor would need information on implementation and maintenance of the requirements since the last audit (meaning that samples of records, which could be requested, could be for the last twelve months). Most of the BRCGS standards are color coded, clearly indicating, which are the expected requirements to be audited against on-site, and which can be audited against remotely (e.g. management review, internal audits, complaints, recalls, etc.). But as mentioned before, everything will need to be audited, if the option selected is 100% remotely.
Who should attend the remote portion?
Wagner (on SQF): We would look at this audit no differently than as if we were onsite. It would be recommended that whichever employee is responsible for the section being audited that they attend. Employees could also be interviewed during a remote audit. This should be discussed with key personnel at the opening meeting.
D’Adda (on FSSC 22000): During remote audit both management and involved key personnel shall be available to support the auditor in his/her activity. Companies should cooperate and provide adequate resources to ensure the audit is conducted successfully.
Ramos (on BRCGS): During a remote audit both management and involved key staff shall be available to support the auditor in his activity.
What documents should we have ready for the remote portion?
Wagner (on SQF): Documents would be the same as if it were an onsite audit. All documentation should be made readily available to the auditor during the time of the remote portion and/or onsite portion of the audit.
D’Adda (on FSSC 22000): The documents that should be available for the remote audit are the same, as the ones requested for ISO 22000 implementation, like context analysis, food safety management system with its defined scopes, products and processes that are included and the objectives of the FSMS, food safety policy, HACCP Plan, management review, updated internal audits and all procedures that a company has documented, which are necessary for the effectiveness of their food safety management system.
Ramos (on BRCGS): All types of documents in their latest updated version shall be readily accessible. It is up to an auditor to request documentation, which is required to fulfil the objectives of an audit within its scope. Documents could be manuals, procedures, work instructions, templates of records, and actual records.
Can we send documents ahead of time?
Wagner (on SQF): It is not required that documents be sent ahead of time, although in some cases this could be helpful for the site and the auditor. Information that is sent ahead of time would be confidential and not audited until the actual audit.
D’Adda (on FSSC 22000): It is not required to send documents ahead of time, however all documents must be prepared and available for the planned audit dates, remote or onsite. There are some organizations, which want to share information in advance and show potentially useful examples, such as master list of documents, flow diagrams, maps, or a summary of preliminary answers to key requirements/topics. This information will not be audited until the actual audit (remote or on-site) starts. Thus, this information will be handled as confidential. As a representative of a certified organization, one should know that during an audit, it is up to auditors to request certain information, which may help to get proper evidence, needed to fulfill objectives of the audit.
Ramos (on BRCGS): It is not required to send documents in advance, however there are some organizations, who want to share information beforehand to demonstrate examples, which might be useful during an audit, such as master list of documents, flow diagrams, maps, or a summary of preliminary answers to the key requirements/topics. This information will not be audited until the actual audit (remote or on-site) starts. Such information will be handled as confidential. As a certified organization, one should know that it is up to auditors to request certain information, which may help to get proper evidence, needed to fulfil the audit objectives, during an audit.
Is my information confidential?
Wagner (on SQF): All information that is sent shall be confidential and follows DNV GLs Information Security Policy.
D’Adda (on FSSC 22000): All DNV GL auditors received specific training on how to manage remote audits and treat confidential information in accordance with the DNV GL’s Information Security Policy.
Ramos (on BRCGS): All DNV GL auditors received specific training on how to manage remote audits and treat confidential information, in accordance with the DNV GL’s Information Security Policy and confidentiality agreements signed with customers.
When does the onsite portion need to happen?
Wagner (on SQF): The onsite needs to happen within 30 days of the remote portion. Both audits must occur within the 60-day audit window for SQF.
D’Adda (on FSSC 22000): In the case of fully remote audits, there won’t be an onsite auditing activity, and it will be completed using ICT equipment. In the case of an audit done partially remotely and partially on-site: FSSC has defined that the maximum timeline between a remote audit and the on-site portion shall be 30 calendar days. In the case of a serious event, this timeline can be extended to 90 calendar days, but only after a documented concession process and risk assessment have been completed by a certification body. Serious events that could lead to a postponement of the onsite portion of an audit are pandemic emergencies like Covid-19, legal proceedings, prosecutions, affecting food safety or legality, public food safety events (e.g. public recalls, calamities etc.), natural disasters (e.g. floods, fire, earthquake), war or political instability and other serious situations, like malicious hacking.
Ramos (on BRCGS): It is expected that in a blended audit the remote part is conducted first and then the on-site part, however, if logistics require that the audit is conducted in the reverse order, this is acceptable as well. The second part of a blended audit needs to happen within the following 28 calendar days, allowing enough time for a site to do a non-conformity closure (when applicable), and a re-certification decision can be issued before the expiration date of the current certificate. In exceptional justifiable circumstances, a certification body may request a concession from BRCGS for a maximum of 90 days. In the case of a 100% remote audit, the full audit shall be conducted as scheduled on consecutive full days.
3M Food Safety has received the AOAC Research Institute’s Performance Tested Method Certification for its Petrifilm Rapid E.coli/Coliform Count Plate. Introduced in February, the rapid microbial test helps food and beverage processors detect the presence of E.coli and other coliform bacteria. The test can recover E.coli and distinguish it from other coliforms within 18–24 hours.
The AOAC PTM designation validated the count plate as an equivalent alternative to FDA and ISO standard references to enumerate these bacteria. The evaluation was performed by an independent lab on food and environmental surfaces that include raw and pasteurized dairy products; raw and prepared meat; poultry and seafood; fresh fruit and product; and baby food, pet food and flour.
3M Food Safety is also pursuing MicroVal validation in accordance with ISO 16140-2.
Eurofins Food Safety Systems and Orion Assessment Services have announced a partnership that will expand their auditing and certification services on a global scale.
“The partnership will allow Eurofins to broaden their BRC Global Standards and GFSI scheme auditing resource base and provide them additional expertise in BRC to utilize. It will also allow Orion Assessment Services to operate under the Eurofins accreditation for BRC, SQF and FSSC 22000 schemes,” according to a Eurofins news release. “As a certification body, this collaboration will enhance the standards currently offered through Orion Assessment Services’ accreditation for ISO 17065 and ISO 17021, as well as offering brand new opportunities in the various GFSI schemes, for both existing and new clients internationally.”
This year is being described as “the year of FSMA compliance,” as many compliance dates for the various FSMA rules fall in 2017. As one might expect, the FSMA law and rules include many aspects of the established Global Food Safety Initiative (GFSI) standard; however, there are also differences in how they are applied to create better food safety enforcement.
At the most basic level, GFSI is an industry conformance standard for certification, while FSMA is a compliance regulation that must be met. However, both work together to ensure companies are effectively managing food safety.
The GFSI is facilitated by the industry network of The Consumer Goods Forum. It provides a very solid foundation and supporting objective of “safe food for consumers everywhere”.
GFSI was originally established based on a growing pattern of food safety outbreaks throughout the international marketplace. This led to the proactive development of GFSI standards as an alternative to the more limited and less effective customer audits in place at the time. An important part of this outcome was that CEOs in the food industry—not a regulatory body—determined the need to address food safety through the GFSI food safety standard.
With its beginning as a benchmarking organization, GFSI has since evolved throughout the food supply chain as a strong means for achieving global food safety. It is now established, growing, and improving across the primary supply chains within the global food market.
As such, much work to address food safety has been accomplished by GFSI over the past sixteen years. In fact, the industry-driven aspect of GFSI along the food supply chain has led many companies to achieve levels of food safety comparable to those required to achieve FSMA compliance. Based on its collaboration of food safety experts, GFSI provides for a significant evolution of food safety programs and supports those requiring FSMA compliance.
During a similar timeframe, the United States identified food safety as a major concern for the public. In the 1990s, a growing number of food outbreaks from biological contamination continued to spread, prompting the addition of controls within both the USDA and FDA. These brought the mandated requirement for Hazards and Critical Control Points (HACCP) and supporting Good Manufacturing Practices (GMPs) to specific industry sectors. However, these efforts were measured to have limited effect, as the outbreaks continued.
By the early 2000s, the public concern for food safety continued, and the FDA was determined to make changes. Along with Congress, the FDA commissioned research into the underlying issues that were resulting in the growing number and severity of food outbreaks. This research was being conducted and analyzed just as GFSI was determining its final group of benchmarked standards. At the same time, GFSI was positioned to be advanced into the U.S. market by food industry leaders, including Cargill, McDonalds, Walmart, Kroger, Coca Cola and Wegmans.
The outcomes from the FDA studies determined that the GMPs (in existence for the past 40 years) were not effectively implemented across the U.S. food industry. Further, the studies indicated that the ability to prevent food safety issues through specific controls would provide a means for reducing the number of foodborne illness.
This effort led to the development of FSMA, which passed in January 2011. Additional FSMA rules have since been published, starting in September 2016. The FSMA rules represent a rewrite of the existing FDA food safety regulations. However, with the FSMA law taking several years to roll out, the existing FDA laws remain in effect until they are replaced. These actions expand the FDA’s jurisdiction now and until full compliance of FSMA.
Bringing GFSI and FSMA Together
The presence of GFSI in the United States, as well as the GFSI certification of many suppliers to U.S. food importers, provides for a synergy between the GFSI standard and the FSMA law being enforced throughout the United States and its foreign suppliers. GFSI’s global focus provides the structure to adapt and meet many of the FSMA requirements, with the ability to expand to all FSMA requirements.
As one would expect, the FSMA law and rules include several aspects of the GFSI standard; however, there are many differences in how each is applied to encourage better food safety enforcement that must be considered. For instance, GFSI has the advantage of providing the time to develop programs, and thousands of companies are certified to the various programs under the standard. Conversely, FDA is implementing FSMA compliance over several years, with 2017 being a big year for compliance (based on the rules’ published dates, company size and industry segment).
In this new order of food safety in the United States, those companies that have achieved GFSI certification should have an advantage over those who do not, provided they can align their GFSI programs with the FSMA law requirements. There is also a benefit to starting with FSMA and moving to a GFSI certification.
Existing GFSI certifications provide an established framework, with many of the program requirements similar to those required by FSMA. For example, personnel are required by both to establish HACCP and Food Safety Plans, as well prerequisite procedures (PRPs) and current-Good Manufacturing Practices (cGMPs). The challenges are ensuring the complete development of these food safety procedures to guarantee they meet both GFSI and FSMA requirements.
As another example, personnel requirements are similar but different under FSMA and GFSI, which calls for training, updating and qualifying resources. Ultimately, advanced HACCP training under GFSI provides the means for establishing a Qualified Individual under FSMA, but it requires expanding the training to include FSMA Preventive Controls and procedures. The resulting plan is the food safety plan that can be based on HACCP but with the proper additions to meet FSMA requirements.
Global Food Safety Conference
The upcoming Global Food Safety Conference (February 27 – March 3 in Houston, Texas) provides an opportunity for those seeking compliance to FSMA or certification to a scheme within the GFSI Standard to get a deeper understanding of food safety. With 2017 being the year of FSMA compliance, it is very appropriate that the Global Food Safety Conference be held in the United States this year. The conference will provide U.S. companies attending, as well as foreign supplier of products to the U.S. market, an educational opportunity and forum to reach out to experts from industry, government, and academia to better understand these two key areas for food safety program development. Some of the topics to be addressed at the conference include the following:
Food safety management commitment and corporate governance
Required training of food safety roles, including management, staff and operations
Specific requirements of the documented food safety program or written programs under FSMA
FDA requirements of the past and existing requirements prior to FSMA and the relationship of these as comparable to GFSI
Implications for FDA enforcement under FSMA of these previous requirements and program requirements that may need to be formalized under FSMA
The proof of evidence with supporting records required by FSMA that may be addressed in part by existing or GFSI-level food safety programs
How to adapt a FSMA-level food safety plan and preventive controls cGMPs from existing programs, including GFSI, or develop these to function with existing programs
Levels and numbers of qualified individuals, qualified auditors and competent sanitation for oversight and management of FSMA food safety plans
Management reanalysis and update of the written FSMA programs to ensure compliance and readiness for inspection by FDA FSMA investigators
Process used to ensure compliance with FSMA Preventive Controls and the other FSMA rules being issued in 2017 and 2018, including Foreign Suppler Verification, Sanitary Transportation and Intentional Adulteration
Kestrel has been a long-time advocate of GFSI, performing site certification program development support for hundreds of companies. We have served as a GFSI Stakeholder, Technical Working Group participation, and panelist at previous GFSI Global Food Safety Conferences. We look forward to seeing you at the 2017 GFSI Global Food Safety Conference and to helping you navigate GFSI conformance and FSMA compliance requirements.
Now that the first of the FSMA compliance dates have passed, let’s look back at the past year of training new PCQIs, their questions and concerns from classes as well as the perspective from our FDA friends (yes, really!) who attended our workshops. We have learned so much, it is hard to narrow it down to only five things—but if we look at the issues that arose, the following five proved to be recurring themes throughout 2016.
5. Don’t Scrap Your Current Plan
Many clients have approached us and said they were planning to throw their current food safety and/or HACCP plan in the trash and start from scratch. Please don’t do this! Companies that care about quality and food safety already have effective quality management systems in place. It would be a disservice to the company and the general public for all these time-tested plans to go straight into the bin. It is more realistic to take a look at the current system in light of the new regulation and ask yourself if there are any gaps that can be addressed. This brings us to the next point.
4. Education Is Key
A compliant system cannot be developed without an understanding of the requirements. Although FSMA is derived from the basic principles of HACCP, there are key differences, and not all of them in the direction of less regulation. It is important to understand not only the updated Good Manufacturing Practices and Preventive Controls for both Human and Animal food, but also the Foreign Supplier Verification Program, Sanitary Transportation and the Produce Rule (if they apply). Although the FDA-recognized curriculum for some of these companion regulations have not yet been released, some independent training providers are offering workshops to help fill the gap while the FDA and FSPCA are working on the official curriculum. (Comment on this article for more information via email).
3. “You Must Evaluate If You Need It” Is Not the Same as “You Don’t Need It”
Some training providers have told their attendees that they can scrap many of their current systems because FSMA is less stringent than GFSI-approved schemes. Your certification body for FSSC 22000, SQF or BRC does not care one whit how stringent FSMA is (as long as you are compliant with its requirements, as local regulatory compliance is a key factor in GFSI approval). FSMA will not change expectations related to the GFSI-approved food safety schemes. It is also misleading to think that because FSMA is flexible, FDA regulators will not have expectations of excellence when they arrive at food processing facilities. This law gives regulators the power to take legal actions to address many infractions they have seen over the years but have been powerless to stop; the flexibility may well be a double-edged sword in that regard. Ensure that all decisions are based on data and records exist to validate any claims.
Being audit-ready at any moment can be a daunting task, but pest management is one aspect of your audit that you can ace if you’re doing the right things. Pest control can account for up to 20% of your score, so taking it seriously can give you a huge boost the next time an auditor comes to your facility.
There are two components needed to help ease the stress of a third-party audit: An Integrated Pest Management (IPM) program and proper documentation.
IPM programs focus on incorporating green prevention and exclusion tactics into your facility’s ongoing sanitation and facility maintenance strategies, only using chemical solutions as a last resort. FSMA established that these tactics should be used when dealing with food safety issues and that thorough records should be kept to document the risk-based prevention efforts. This gives food manufacturing facilities even more of a reason to employ an IPM program.
A strong IPM program already has documentation built into it, as tracking pest activity and monitoring results over time are crucial steps to implementing the most effective pest prevention techniques for your business. Every IPM plan is tailored to your facility’s needs, so it needs to be dynamic and adaptable over time as new technologies emerge and your business needs change. Having the ability to show documentation of these changes and their positive effects will get you off to a great start on your next audit in showing your risk-based prevention food safety plan. If you do not already have an IPM program in place, speak with your pest management provider about establishing one.
Auditors like to see IPM programs in place because it means your business is taking a proactive approach and keeping detailed records.
Think about it like this: If the auditor is the judge and there’s no jury, would you ever walk into a court case without any evidence to prove your innocence? Of course not! So you wouldn’t want to walk into an audit without any documentation either.
In other words, document everything. Facilities must prepare and implement written food safety plans that identify potential risks to food safety, enumerate the steps and processes that will be executed to minimize or prevent those dangers, identify and implement monitoring procedures, keep detailed records of the food safety program, and list actions that will be taken to correct problems that do arise. If you’re doing all of this, you’ll make an auditor’s life that much simpler and improve the chances of receiving a high score.
When working to get audit-ready, you’ll want to have the following forms of documentation ready to go:
Proof of Training and Certification
Even though you know that your pest management professional is properly trained and certified, your auditor does not. Keep documentation on hand at your facility, as auditors may want to see one or more of the following documents:
A copy of the valid registration or certification document
hysical, written evidence that your pest management provider has been properly trained to use the materials necessary for your IPM program
Evidence of training on IPM and Good Manufacturing Practices (GMPs)
Proof of Service and Material Changes
A strong IPM program changes as new technologies emerge and your business’s needs shift over time, so be sure to have detailed documentation of these changes as they occur. It’s also important to note the reasons for making changes. Auditors will be looking for written documentation for even the smallest of changes to your IPM program, so take careful notes as your program adapts along with your business.
It can also help to assign specific roles to your employees. This not only will give employees clear direction on how they can contribute to your IPM program, but it can also help your case with an auditor by showing that your facility is maintained by an entire team rather than just a few people. Teamwork is a key part of any IPM program, so be prepared to show how your team runs effectively.
Pest Sighting Reports That Correspond with Corrective and Preventive Actions
When there is a pest sighting in your facility, record it immediately. Keeping records of sightings will help ensure that steps are taken to improve and show accountability to an auditor. Once action is taken, record exactly what was done and the results of the counteractive efforts. That way, you’ll have a paper trail that shows an auditor that for every pest problem, your pest management provider came up with a proactive pest solution that resolved—or is working to resolve—the issue.
After taking corrective action, continue monitoring the issue over time and note any developments in order to help prevent the issue from reoccurring. Creating a trend report that keeps track of which pests your facility is dealing with over time can help, too, as it will help you determine which pests are the most problematic. Your provider can help build such a report.
Records of Pest Monitoring Devices and Traps with Corrective Actions
Pest monitoring devices and traps are great for giving insight into areas around your facilities that are most susceptible to pests. Along with these devices, however, you’ll need to show the following information to an auditor:
When and how often the monitoring devices and traps were checked
The type and quantity of each pest found
Corrective actions taken to reduce pest activity and prevent further issues
Work with your pest management provider to gather all of this information, as it is usually the technician who works on these devices regularly. Being able to give an auditor the full picture can certainly help you on your inspection as it demonstrates attention to detail throughout your entire facility.
Annual Pest Management Assessments and Resulting Actions Taken
With most IPM programs, your pest management provider will thoroughly inspect your facility annually to identify areas that can be improved. Many auditors require these annual check-ups, and they will be looking for proof that these facility assessments occurred and that action was taken as a result that led to positive changes. Year-over-year improvement is important, so measure your success against the areas of improvement specified in these annual inspection reports. That way, you can meet the objectives prior to an audit.
These annual inspections give you a chance to look back and see the progression over the years. If there are any pest issues that pop up year after year, make them a priority in order to show that your program is trending in the right direction.
This proactive approach to pest management will help protect your business from pests and the inherent risks, as well as help give you a better chance of receiving an excellent score on your next audit.
So don’t be afraid of an audit the next time one comes around. With a strong IPM program in place and detailed documentation over the course of the year, there won’t be an exorbitant amount of preparation needed. Stay organized and keep all of the above-mentioned documents together and on-site to keep things simple for both you and your auditor. All of these elements will help your facility receive a strong score and be audit-ready at a moment’s notice.
Food Safety Tech recently sat down with experts from Eurofins to discuss FSSC 22000. According to Kristopher Middleton, technical manager at Eurofins, and Kim Knoll, food safety systems national sales manager at the company, there are still quite a few companies (especially in North America) that are unfamiliar with the ins and outs of the certification scheme. In a Q&A with FST, Middletown and Knoll break down the basics of FSSC 2000, along with explaining some of its benefits.
Food Safety Tech: How is the trend with FSSC 22000 evolving?
Kristopher Middleton: The scheme started in 2009 based on a demand for people wanting to have an ISO-based certification within the GFSI benchmarking process. When the program came out, it trended toward larger companies that already had ISO-based certifications, mainly ISO 22000 and ISO 9001. The FSSC 22000 scheme is the fastest growing GFSI benchmarking scheme currently. It’s not just for large multinational companies; a lot of smaller suppliers are seeking certification to this scheme. The foundation continues to expand its scopes to become a true farm-to-fork certification program.
FST: Is FSSC 22000 also appropriate for a single site or for a company with fewer than 50 employees?
Middleton: The certification doesn’t discriminate based on facility size—nor footprint or number of employees. It’s ideal for any company that has a robust food safety management system and manufacture products that fall within the FSSC 22000 scope of certification. This currently includes manufacturers of perishable animal products (feed and food), perishable vegetable products, products with a long shelf life, biochemical products (i.e., food ingredients, vitamins, biocultures, etc.), manufacturers of food packaging, and primary production of animal products.
The key thing about FSSC 22000 certification is that it is not a terribly prescriptive food safety scheme, when compared to others that are available. You will be successful with FSSC 22000 certification if you are confident and knowledgeable about your own food safety management system, and you have appropriate justification or validation for the method in which your programs have been implemented, as well as validation for the controls of your food safety hazards.
FST: Are there quite a few companies that have not heard of FSSC 22000 or are not aware that it is a GFSI-recognized scheme?
Middleton: Since ISO 22000 was not terribly popular here in North America, it didn’t catch on right away. It was more so overseas that it caught on. However, within the past two years the scheme has become increasingly popular here, especially among companies that have other ISO standards already implemented (i.e. ISO 9001, 14001, 18001,etc), where it relates to occupational health and safety, environmental, and quality. The reason for that is the FSSC can easily intertwine with that entire management system program so that it all works together versus having separate programs in place.
Kim Knoll: I’m having a lot of conversations with smaller manufacturers who are brand new to GFSI. Many of them are being asked by their customers to achieve a GFSI benchmarked certification and are in the early stages of researching scheme options. Some of these companies are surprised to learn that FSSC 22000 is a viable option. Like other certification schemes, Eurofins lends support to companies planning to pursue FSSC 22000 through training courses, consulting services, pre-assessments and ultimately certification services. Even though FSSC 22000 is a newer scheme, auditor availability is not an issue.
FST: What are the key differences between FSSC 22000 and the other GFSI schemes?
Middleton: Probably the most apparent difference with FSSC compared to other GFSI benchmark schemes is the fact that your certification lasts for three years, not one year. The reason for that is that it’s not a product-based certification like the others, it is a process-based certification and it uses the accreditation standard of ISO 17021 not ISO 17065. It also uses ISO 22003 for direction to the certification body for the conducting of the audit. That doesn’t mean that sites won’t be audited annually; it just means that once the certificate is granted, it’s good for three years.
Another key difference is that there is no true pass or fail within the audit. It’s a conform or not-conform audit. The decision to certify is based off the findings from the auditor and their recommendations, as well as the decision from a technical review meeting at the certification body. It requires the effective closure of a particular non-conformance or satisfactory plan being submitted for the closure of those non-conformances before the actual certificate can be granted. So that’s a bit different, because you can just submit plans for your non-conformances [instead of] actually showing that everything has been completely resolved. That being said, if a facility isn’t able to hold or get a certificate, if there’s an imminent food safety threat noted during an audit—if there’s an issue, such as a potential recall or contaminated goods, the ability to be granted that certificate is not feasible.
FST: Can you walk us through the auditing and certification process under FSSC 22000?
Middleton: Like any of the standards out there, you can get a pre-assessment, which is not necessarily part of the certification activity. The certification activity starts at a Stage 1 audit within this scheme (also known as a document audit within other schemes). It’s an evaluation of a facility’s food safety management system document to determine if they’re valid. The process does not include an entire evaluation of the implementation of the program, just simply that the programs are adequately designed and meet the requirements that are in place.
Next there’s a Stage 2 audit (sometimes referred to a facility audit) that is conducted no more than six months after the Stage 1 audit. The Stage 1 audit will identify the areas of concern—programs that might not meet exactly what the specifications required within the standard, which would become non-conformances in a Stage 2 audit (also called a facility audit or certification audit).
The Stage 2 audit is the full evaluation of the implementation of the program that was reviewed in the Stage 1 audit. Following completion of the audit, effective closure of non-conformances is required. This closure can either be [related to] major non-conformances, CAPA or root cause analysis. You have to supply evidence that the non-conformance is properly eliminated and will not recur, and this evidence must be supplied to the certification body and the auditor for review.
Any other non-conformances (also known as minor non-conformances) must have corrective action plans. Companies need to state how they plan on resolving the issue. They will be “closed” but left open for the next audit, which has to occur within one calendar year (known as a surveillance audit). The term “surveillance audit” within this standard is different from some of the other standards. Within some of the other standards, a surveillance audit is not a yearly activity—it is done within the year of certification. The surveillance audit within this standard is a yearly audit that is required to meet the requirements of GFSI. It’s also a requirement within [ISO] 17021 and [ISO] 22003 that surveillance audits are conducted. The GFSI requirement changed the surveillance audit within the ISO world because they used to do a sampling audit, which progressed to a full-blown audit. Your whole food safety management system will be evaluated, which is slightly different from ISO 22000 surveillance audits.
After that audit is conducted, you have another surveillance audit in the following calendar year. Within those surveillance audits, if any minor non-conformances or non-conformances from the previous audit are still present, they are upgraded to major non-conformances and [companies] would have to implement a full corrective action plan, root cause analysis, etc. and then determine the solution.
Once the second surveillance audit is conducted, the following year will be your recertification audit, which is simply another facility audit. It’s not a document audit—you don’t have to do Stage 1 audits after that initial one. This recertification audit occurs prior to your certificate expiring.
Strictly Necessary Cookies
Strictly Necessary Cookies should be enabled at all times so that we can save your preferences for these cookie settings.
We use tracking pixels that set your arrival time at our website, this is used as part of our anti-spam and security measures. Disabling this tracking pixel would disable some of our security measures, and is therefore considered necessary for the safe operation of the website. This tracking pixel is cleared from your system when you delete files in your history.
If you visit and/or use the FST Training Calendar, cookies are used to store your search terms, and keep track of which records you have seen already. Without these cookies, the Training Calendar would not work.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
A browser cookie is a small piece of data that is stored on your device to help websites and mobile apps remember things about you. Other technologies, including Web storage and identifiers associated with your device, may be used for similar purposes. In this policy, we say “cookies” to discuss all of these technologies.
Data generated from cookies and other behavioral tracking technology is not made available to any outside parties, and is only used in the aggregate to make editorial decisions for the websites. Most browsers are initially set up to accept cookies, but you can reset your browser to refuse all cookies or to indicate when a cookie is being sent by visiting this Cookies Policy page. If your cookies are disabled in the browser, neither the tracking cookie nor the preference cookie is set, and you are in effect opted-out.
In other cases, our advertisers request to use third-party tracking to verify our ad delivery, or to remarket their products and/or services to you on other websites. You may opt-out of these tracking pixels by adjusting the Do Not Track settings in your browser, or by visiting the Network Advertising Initiative Opt Out page.
You have control over whether, how, and when cookies and other tracking technologies are installed on your devices. Although each browser is different, most browsers enable their users to access and edit their cookie preferences in their browser settings. The rejection or disabling of some cookies may impact certain features of the site or to cause some of the website’s services not to function properly.
The use of online tracking mechanisms by third parties is subject to those third parties’ own privacy policies, and not this Policy. If you prefer to prevent third parties from setting and accessing cookies on your computer, you may set your browser to block all cookies. Additionally, you may remove yourself from the targeted advertising of companies within the Network Advertising Initiative by opting out here, or of companies participating in the Digital Advertising Alliance program by opting out here.