GFSI has just released a new benchmarking requirements version that was developed for food safety certification schemes. Following stakeholder input, Version 7.1 intends to reflect changes happening in the market. The new version includes the addition of clauses for each scope under Food Safety Management requirements, including purchasing from non-approved suppliers and compliance with food safety legislation.
The previous version, Version 7, was released in February and introduced requirements to combat food fraud, incorporate unannounced audits, and increase transparency in the benchmarking process. It also included a new scope of supply chain food brokers and agents.
Compliance to FSMA requires companies to meet existing program requirements and new ones being published or face regulatory consequences. A part of FSMA also requires that companies follow established food safety plans, which includes GFSI certification.
With these changes, GFSI-level programs must integrate into an aligned Food Safety Management System (FSMS) and strategy. Key considerations include sustainability, multi-year planning, effective organizational structures and expectations, well-defined roles and expectations, compliance, and business objectives.
The value of GFSI certification depends on how the company uses its organizational resources to maximize return on investment, while meeting the changing FDA requirements. Effective management of a GFSI-certified FSMS can have a significant impact on FDA/FSMA compliance. The risk of not meeting established programs while implementing new FSMA programs must be measured, and attention must be given to addressing FSMA compliance, while maintaining established programs.
Complying with FSMA Food Safety Programs
The implementation of FSMA-compliant programs requires having an established GFSI FSMS and demonstrating conformance with one’s own policies. Programs must be maintained and improved as the FSMA requirements are developed and implemented. Each of the GFSI schemes has been vetted to meet a significant level of FDA/FSMA requirements—a key benefit to these industry programs.
Developing a compliant FSMS with proper alignment of your existing programs to FSMA must be assessed. For example, companies with more than 500 employees must include requirements in their programs for the FSMA Preventive Controls rule, which is set for compliance September 19, 2016. In this regard, registered food facilities must evaluate and implement preventive control provisions and meet the requirements by the approaching deadline. This requires effectively updating current programs, establishing key imperatives including cGMPs (Section 117), identifying a Preventive Control Qualified Individual (PCQI), and implementing a Food Safety Plan.
The following areas are all included under the FSMA requirements:
cGMP, Controls and Preventive Controls. Must be identified, modified, and implemented to further minimize or prevent the occurrence of hazards based on Section 117 requirements.
Food Safety Plan, Hazard Analysis, and HACCP. Companies must identify and evaluate changes in their existing programs to include FSMA Preventive Controls.
Qualified Individual. Must be trained with authority to oversee Preventive Control program aspects, developments and impacts.
Written Programs and Documentation. Up-to-date GFSI-level FSMS provides documented programs, procedures, and records for meeting requirements under FDA/FSMA.
Management & Monitoring. All controls, including under FSMA and existing GFSI-level, must be monitored, validated, and verified for effectiveness.
Management of Corrective Actions. Procedures including traceability response for addressing failures of procedures, GMPs and controls must be under management review and confirmed for prevention of adulterated food from entering commerce.
Recordkeeping. Records must be complete and accurate for all food production and safety activities and kept for two years, including the testing level verification of all programs under FSMA and GFSI-level programs.
Self-Diagnostic Assessment Tool
The following self-diagnostic assessment tool can help organizations better determine their current state of planning when it comes to GFSI-level programs meeting FSMA. To complete your own planning assessment, review your progress compared to the questions in Table I.
Companies must have their existing food compliance and GFSI programs in good standing to comply with FSMA or face possible violations, fines and penalties under FDA enforcement. The questions in Table I will help companies identify the areas in which they need to focus attention. Kestrel can also help answer questions, provide input on solutions, discuss how to better manage GFSI certification—and change “No” responses into “Yes” responses that promote best practices for FSMA compliance.
The Global Food Safety Initiative (GFSI) is a global initiative for the continuous improvement of food safety management systems. From a functional standpoint, you might be surprised to learn that one of the most challenging elements of keeping up with GFSI compliance for many food producers is sufficient document control. In fact, data compiled by SQF shows that document control-related issues are one of the most common sources of a non-conformance during GFSI-benchmarked audits. Examples of these non-conformances are associated with documentation of training requirements, business continuity planning, and corrective and preventative actions.
The Global Food Safety Initiative (GFSI) is an industry-driven initiative providing thought leadership and guidance on food safety management systems necessary for safety along the supply chain. This work is accomplished through collaboration between the world’s leading food safety experts from retail, manufacturing and food service companies, as well as international organizations, governments, academia and service providers to the global food industry. They meet together at technical working group and stakeholder meetings, conferences and regional events to share knowledge and promote a harmonized approach to managing food safety across the industry. GFSI is facilitated by The Consumer Goods Forum (CGF), a global, parity-based industry network, driven by its members.
So what exactly are some of the most common causes for document control issues as it relates to non-conformances? Keep an eye out for the following five errors that can affect compliance.
1. Lack of document control altogether
Lack of correct usage of document control in the context of GFSI compliance is a common error. This is an issue that often occurs as a result of document sprawl—specifically as it pertains to duplicate documents and supporting documents. For example, an organization might create internal reference material designed to be cheat sheets or summaries of larger policies. These could include simple charts that list key equipment set-up parameters or charts summarizing abbreviated information from product specification sheets. Many organizations fail to realize that because of the nature of the information in these files, these reference documents must also be included in their document control program to ensure that the information in them is current and universally applied.
2. Document version control
From using outdated forms to referencing outdated employee procedures, lack of proper document version control and enforcement is the most common GFSI compliance-related non-conformance. These issues can arise from operational errors (employees don’t know where to find up-to-date documentation or how to ensure that it is being used) to technical errors (the document control system is unable to properly manage document versioning, or in the case of home-grown document control software systems, they may be unable to do so altogether). To avoid these errors, it’s necessary to establish where controlled versions of documents are located and ensure that they are kept up to date. It’s also important remove obsolete versions of these documents—this is a basic principle of document control, but it’s often an area where errors compound over time. Reinforcing training so employees are made aware of document control best practices and policies is critical to keeping your compliance activities current.
3. Document revision errors
One of the most common activities and most common sources of error within any document control program involves publishing revisions to documents. These errors include:
Updating the contents of a document but forgetting to update information such as the version number
Improper tracking of revision history
Adding new documents to the database rather than revising or updating existing documents
4. Inclusion of documents from external sources
If your food safety management system includes or makes use of external documents, these must be controlled in the same manner in which you control internal documents.
Some examples of external documents that may need to be included in your document control program include:
Sample labels provided by your chemical and pest management suppliers
Raw material specifications provided by your suppliers
Customer expectations manuals provided by your customers
5. Improper identification of approval personnel
A best practice of document control is for the person knowledgeable about the content of a document to be assigned the responsibility of approving updates to it. In many organizations, this is interpreted to mean that all approval responsibilities are assigned to a single person across the organization. This could be the food safety coordinator or the document control administrator, despite the fact that it is not reasonable for a single person to be knowledgeable about all the procedures across the organization.
A better approach to approval responsibilities is to identify individuals who can be responsible for authorizing changes based on function or discipline. By spreading the responsibilities across more people, your document control program is more likely to be current and accurate.
When it comes to food safety compliance and best practices, particularly as they relate to GFSI, it’s often the basic principles that get overlooked once your organizations processes and systems are up and running. Setting up a process for document control and maintaining this process over time is a key to achieving and maintaining compliance. As such, it’s important to revisit your controlled document process and library regularly to ensure things are operating as designed and avoid costly compliance surprises at the same time.
Confusion reigns in many organizations and especially with our food safety and quality professionals, as we debate and attempt to decide how best to address the requirements of FSMA. With the first compliance date of September 2016 drawing near, companies are feeling increased pressure to take action. As many are already accredited to a GFSI-approved food safety scheme such as SQF Level 3, BRC, Primas, IFS or FSSC 22000, often the question is, how does my current system fit into FSMA, and where do I need to make changes? The undercurrent to this question is the implication that changing the system to fit FSMA will cause it to no longer be tailored for the desired GFSI food safety scheme, and that a change could cause issues with those audits (which are crucial for purchasing, marketing and sales).
The Food Safety Consortium will discuss critical industry issues, including FSMA compliance. The event takes place in Schaumburg, IL | December 5–9, 2016 | LEARN MOREAs with so many of our industry challenges, there is no easy and prescriptive answer to these questions. Each organization has to make the decision for their own system based on their individual hazard analysis, risk tolerance and resources. Some over-arching themes begin to emerge, which may be analyzed to assist the decision makers in the creation of a road map to FSMA compliance.
During our FSMA Preventive Control Qualified Individual (PCQI) training courses we are repeatedly asked, “What qualifies as a preventive control? Are our critical control points (CCPs) automatically a preventive control? How about our operational prerequisite programs (OPRPs)—are these PCs also?” While there is no easy answer (yes or no), there are some important things to keep in mind that can help in the decision.
The official answer is that a preventive control should be any point in the process where, with a loss of control, it is reasonably foreseeable that a significant food safety hazard either will occur or has an increased likelihood of occurrence. Remember this is intended to be a single point in the process, not the entire process. For example, the sanitation program may be managed as a prerequisite program; however, there may be a point in the process that requires special sanitation attention and without it, there is a reasonably foreseeable likelihood of a hazard.
Thinking about the concept, a logical conclusion is that a loss of control leads to a significant food safety hazard or, at the very least, increases the likelihood of said hazard. It follows that a loss of control would beget the need for a withdrawal if the product had already left the organization’s control. Therefore, one should only designate a point as a preventive control if the implications of conducting a recall in the event of failure have been analyzed as part of the risk assessment. The organization must be fully prepared to conduct such a recall in the event of failure.
The FSMA Preventive Control regulation (§21CFR117.135 – Preventive Controls) requires a recall program only if there is a preventive control identified in the process. Of course, any food processing organization would be remiss if they did not have an effective recall program defined and tested by regular mock recalls. Waiting for a true recall is no time to find out that your program has issues. Even without a preventive control, what happens if a supplier contacts the processor with an issue that requires a recall?
Through the evolution of compliant and mature food safety management systems, it is common for an organization to initially identify multiple CCPs and then, through data collection and process improvements, slowly reduce the CCPs to control points managed through OPRPs or PRPs over time. So, should an OPRP (Operational Prerequisite Program – ISO 22000:2005 Section 7.5) also be designated preventive control? This is perhaps one of the grayest of gray areas in this arena. A deviation in a preventive control, if the product has left the organization’s control, requires a recall. A recall for a deviation in an OPRP is not absolute, and it is actually handled by the food safety team and management on a case-by-case basis, depending on the risk. In addition, although identified when possible, a critical limit is not required for an OPRP (ISO 22000:2015 Section 7.5). Parameters are required for a preventive control.
There really isn’t one answer that fits every situation, but it is important to remember that the requirements for FSMA Preventive Controls regulation (§21CFR117.135) are designed for those operations that in the past have not had the opportunity to define, implement and maintain a food safety program—one that includes a hazard analysis based on HACCP guidelines (Codex Alimentarius Commission [Annex to CAC/RCP 1-1969, Rev. 3 (2003)]) and/or a GFSI-approved food safety scheme. Personally, we feel that if an organization has evaluated their process in compliance with a GFSI-approved food safety scheme, then any reasonably foreseeable hazards have been identified and addressed through a control point such as a CCP, OPRP or PRP. However, that said, upwards of 90% of recalls are linked to either ineffective or nonexistent PRPs such as allergen mislabeling, which accounted for 53% of all recalls last year. Thus, it is imperative that we evaluate all aspects of our processes with the same scrutiny that we do our microbial pathogen and metal control programs, which are common CCPs in today’s world of food safety.
Risks must be evaluated through an effective risk assessment based on science and facts. We start almost all of our workshops with the great American Society for Quality (ASQ) video: Cost of Poor Quality. This highlights the lack of an effective risk assessment performed on January 28, 1986, related to the launch of the Challenger. Unfortunately, emphasis was not on the fact that the engineers presented about the lack of cold temperature stability of critical O-rings, but rather on the fact that the launch had already been postponed for two days, and there was intense media and political hype surrounding the event. An effective risk assessment must be based on facts and objectivity, not on our feelings about what we want or need the decision to be.
FSMA PCQI training stresses the use of reliable and credible resources such as academia, trade organizations and process authorities. The internet itself can also be a valuable resource. Jon Porter stated in 2004, “HACCP, as we know it, would not exist without the internet.” (If Jon could only see us now.) However, again, we must be sure we are choosing credible information from the internet. We all know that we can usually find any answer we desire on the internet, but is it credible and accurate?
Competent industry sector-experienced consultants may also be good options if the organization ensures their credibility. Sometimes, a set of independent eyes can be just what the doctor ordered. Even in cases where the organization has a fully qualified team that is perfectly capable of managing the food safety program on their own, the right external resource (i.e., consultant) may provide an additional, independent viewpoint to your process. A friendly debate with an external resource can oftentimes open a whole new vista of previously unconsidered possibilities for the team.
The FSMA Preventive Controls regulation (§21CFR117.135) states that “each organization is required to have a PCQI that has successfully completed training in the development and application of risk-based preventive controls at least equivalent to that received under a standardized curriculum recognized as adequate by FDA or be otherwise qualified through job experience to develop and apply a food safety system”. What qualifies an individual to be qualified through job experience is not specifically defined but is judged by the effectiveness of their food safety program. However, if FDA visits the facility and asks for the PCQI and no one has taken an FDA-recognized course—but there is someone that the organization has identified as qualified—this has the potential to start the visit off with a negative focus. We urge each organization to send two food safety associates to an FDA-recognized FSMA PCQI training course regardless of their background (this provides a back-up person in case the primary representative is ill, traveling for business or pleasure, wins the lottery, or otherwise leaves the company, etc.). This provides a strong foundation for the future, as ownership of the system is always crucial to not just surviving an inspection, but excelling—and as food safety professionals that is an idea we can all support.
The human behavior that surrounds us contagious. Read the article about Frank Yiannas’ presentation, Catch the Food Safety Culture Bug. In keeping with this theme, Frank Yiannas, vice president of food safety at Walmart, reviews behavioral science techniques that can be applied to a food safety management system. In part I of this video series from the 2015 Food Safety Consortium, Yiannas reviews the principles of consistency and commitment.
If you watch the evening news or read the local newspaper, the chances are pretty good that you will read or see something about a food safety concern or incident.
While the American food supply is among the safest in the world, the Federal government estimates that there are about 48 million cases of foodborne illness annually—the equivalent of sickening 1 in 6 Americans each year, according to Foodsafety.gov. And each year these illnesses result in an estimated 128,000 hospitalizations and 3,000 deaths. Five types of organisms—Salmonella, Toxoplasma, Listeria, norovirus, and Campylobacter—account for 88% of the deaths for which the cause is known.
We watched from the sidelines when major retailers faced public scrutiny over their practices on safeguarding consumer credit card information when their websites were hacked. Today, consumer and regulatory interest in food safety are the new focus areas for the news media, especially in light of the Blue Bell Creameries Listeria and the Peanut Corporation of America (PCA) Salmonella outbreaks. Unlike consumer credit information, serious missteps in our industry can kill people, and in the case of PCA, can put you permanently out of business.
In 2008, peanut butter paste manufactured by PCA killed nine people and sickened 714 others, some critically, across 46 states and was one of the largest food recalls in American history, according to the CDC. Although still under appeal, PCA CEO Stewart Parnell was convicted and sentenced to a 28-year prison term for his role in knowingly shipping out salmonella-contaminated peanut butter. Parnell received one of the toughest punishments in U.S. history in a foodborne illness case.
In the Blue Bell case, a total of 10 people with Listeriosis related to this outbreak were reported from four states, with three deaths reported from Kansas, according to the CDC. Blue Bell pulled their products from store shelves on April 20, 2015. On May 7, the FDA released findings from inspections at the Blue Bell production facilities in Brenham, Texas, Broken Arrow, Oklahoma and Sylacauga, Alabama. The FDA reports highlighted serious problems across multiple sites.
Both cases shine a spotlight on what can happen if you don’t have an effective food safety management system (FSMS). So what makes up a good FSMS, and is it enough to keep you out of trouble? An effective FSMS is built on three elements: Good Manufacturing Practices (GMPs), Hazard Analysis Critical Control Points (HACCP) and a management system. Food safety issues are avoidable, and good processes and a strong culture within an organization make them more unlikely to occur.
Implementing a FSMS does not happen in a few months; it may take up to two years to establish one. No doubt, foundational activities need to be in place for factory operations. In addition to focusing on foundational elements such as making sure equipment is cleaned properly and procedures for allergens are implemented, the leadership team needs to make it clear that it is never acceptable under any circumstances to take shortcuts that could jeopardize food safety. This policy needs to be indoctrinated throughout the organization and thus does not happen overnight.
Underlying an effective FSMS are strong HACCP and GMPs, but food safety should always be the top priority for management and its employees, not share price, earnings or profit margin. Although financial performance is important, food safety must take precedence in the organization, and leadership at all levels needs to send that message loud and clear to all employees. In today’s environment, HACCP is pretty much mandatory from a regulatory standpoint and is an essential part of a FSMS. But the missing piece in many organizations is the support from the top—this is where culture becomes embedded in the organization.
The FSMS culture is the collective behavior from the organization around shared values and beliefs. The organization will follow the actions of leaders, not necessarily what they say—we all know actions speak louder than words. A good food safety culture is one where best practices are openly discussed, defined and rewarded. Food safety culture has become a buzz word and there needs to be a focus on making it come to life through a structured FSMS.
At this year’s Food Safety Consortium conference, Tim Ahn will discuss advancing food safety training and harmonization (November 19). LEARN MOREFood safety training is important not only for first line supervisors and operators, but also for senior managers and leadership, because they define the objectives and policies of the FSMS. What does it mean to conduct an effective management review? What does it mean to do an internal audit? What’s a good corrective action process? Training often misses the mark, because organizations fail to embed it correctly.
For FSMS to thrive, management must commit to the FSMS being a required way of doing things throughout the entire organization. A FSMS is most effective when it benchmarked against a proven standard and verified by an independent third party. Certification against a proven standard will reduce risk within your business.
Select your independent third-party verifier carefully. Do they have the resources and time, and do they know what they are doing? Do they add value to your organization? This is important since once you get certified, your journey starts and it doesn’t end. The value comes in two areas: Identifying risks and developing the appropriate control measures, and ensuring that the process drive continuous improvement in your organization. FSMS is focused on how continuous improvement applies to the management of risk and business operations.
The most effective way to establish an FSMS is to have leadership that recognizes its importance. The worst way is to have a recall or an incident, which draws attention to the fact that there is a problem and something needs to happen. In the case of Blue Bell, they probably understood the importance of food safety and thought they were taking the right actions. However, their management system led them to problems. FSMS must be independently verified against world-class standards to ensure effective performance.
Companies can develop blind spots where they cannot see their own bad practices, and they become institutionalized over time. Fortunately, experienced independent third-party assessors can shine a spotlight on those bad practices. That is the true value in bringing in outsiders to look at your operations and culture to uncover those blind spots.
At PCA, their poor culture and actions to the problem sealed their fate. In some ways, this criminal case presented a wake-up call to boardrooms across America and highlights how badly leadership mismanaged matters. This case came to light in the context of the public complaining to the regulators that they were not doing enough following several highly visible food poisoning cases. A FSMS would have prevented these problems because the structure would not allow such bad decisions to be made and would have been verified by an independent third party that would test and check everything. A reputable third-party verifier would not miss poor GMP/ HACCP processes.
A good assessor can help a company understand what is really important and what is not so important when it comes to findings (i.e., context). We don’t waste a client’s time with insignificant issues and that is where the experience and judgment of the auditor becomes critical. Last year I met with a client and said, “you need to be checking for Salmonella in your environment—how do you know it is not there?” I pushed them into checking because I understood the changing regulatory environment. I came back a year later, and they had confirmed that regulators were interested in their Salmonella monitoring program during a recent inspection. As an auditor, you have to be confident enough to provide advice and context to the client in a way that is understood and accepted, and that helps to build trust.
With FSMA, the government can now take specific actions against companies. If I am plant manager or CEO, how do I know for sure that I am in compliance with the requirements? How do I know that I don’t have any of these potential issues? The only way to know for sure is to have the FSMS assessed. Just like a bank or publicly traded company hires financial auditors to assure everything is done correctly, companies need to audit their FSMS to ensure compliance. Get a process audit and ensure they drill down deep into the organization—that is where we find issues and gaps. A thorough auditor will find your problems instead of looking the other way. It is important to call it the way you see it and not be too “soft” when getting an assessment.
If I am the CEO, I want to know where those problems exist. Independent third party assurance is the best way to find out how compliant you are with regulations. No CEO wants to deal with the inevitable lawsuits and lost business impacts. At least with an effective FSMS, you can show a level of due diligence when the regulators show up at your doorstep and the culture is such that you want to address any problems.
We have entered an important time for the food industry with FSMA implementation and other food safety regulatory requirements in the United States. These new rules place an emphasis on management accountability, risk assessment and control of supply chains. The bar for due diligence has been raised and it up to all us to show that we have done everything possible, and the best way is with an effective FSMS.
Food safety training has traditionally focused on foundational topics such as Hazard Analysis Critical Control Points (HACCP) and Good Manufacturing Practices (GMPs). While these topics are essential in defining and implementing Food Safety Prerequisite Programs, they define the What and How, but not the Why of Food Safety. In order to address the Why of Food Safety, training programs need to address food safety culture, and the role of a food safety management system in establishing that culture.
A session during the 2015 Food Safety Consortium Conference will discuss advancing food safety and harmonization through educating employees. | November 17-20, Schaumburg, IL| REGISTER NOWCreating a food safety culture needs to start at the top. It must be known that food safety is a top priority to upper management. In order for training programs to support a food safety culture, they need to be delivered in a format that enables employees to contribute to the organization’s business strategy and food safety objectives while simultaneously reinforcing employee skills, attitudes and behaviors. Studies have shown that during training, one should consider manufacturing as a whole—not bits and pieces—and that the correct and most effective approach to training should look at collective knowledge requirements rather than any single requirement. A good starting point is to understand how a well-planned management system can help bring focus on a holistic approach that transforms the culture. A company’s ability to adopt a culture of food safety is dependent on its ability to take a holistic approach to manage food safety risk and incorporate all components of a food safety culture.
The second area of focus is having an effective FSMS in place. The International Organization for Standardization (ISO) defines a system as “a set of interrelated or interactive elements” and a management system as “a system to establish policy and objectives and to achieve these objectives.” In order for the FSMS to thrive, management must commit to the FSMS being a required way of doing things throughout the whole organization. A food management system is most effective when it benchmarked against a proven standard and independently verified. Having an effective FSMS in place provides a vote of confidence in your organization—a statement that your organization takes safety and quality seriously and has made the right moves to help protect your brand reputation and consumers by addressing the complexity of risks, up and down your supply chain, and assuring food safety and sustainability.
By following these pragmatic guidelines your organization can raise the level of food safety around the world by creating more effective food safety solutions not only for today, but also tomorrow.