“Food safety plan” is a term often used in the food industry to define an operation’s plan to prevent, or reduce to an acceptable level, potential food safety issues that can lead to a serious adverse health consequence or death to humans and animals. However, depending on the facility, their customers, and/or regulatory requirements, the definition and specific requirements for food safety plans can be very different. To ensure food safety, it’s important that the industry finds consensus in a plan that is vetted and has worked for decades.
One of the first true food safety plans was HACCP. Developed in 1959 for NASA with the assistance of the food industry, its goal was to ensure food produced for astronauts was safe and would not create illness or injury while they were in space. This type of food safety plan requires twelve steps, the first five of which are considered the preliminary tasks.
- Assemble a HACCP team
- Describe the finished product
- Define intended use and consumer
- Create process and flow diagram
- Verify process and flow diagrams
This is followed by the seven principles of HACCP.
- Conduct the hazard analysis
- Identify critical control points
- Establish critical limits
- Establish monitoring requirements
- Establish corrective actions for deviations
- Procedures for verification of the HACCP plan
- Record keeping documenting the HACCP system
HACCP is accompanied by several prerequisites that support the food safety plan, which can include a chemical control program, glass and brittle plastics program, Good Manufacturing Practices (GMPs), allergen control program, and many others. With these requirements and support, HACCP is the most utilized form of a food safety plan in the world.
When conducting the hazard analysis (the first principle of HACCP), facilities are required to assess all products and processing steps to identify known or potential biological, chemical and physical hazards. Once identified, if it is determined that the hazard has a likelihood of occurring and the severity of the hazard would be great, then facilities are required to implement Critical Control Points (CCP) to eliminate or significantly reduce that identified hazard. Once a CCP is implemented, it must be monitored, corrective actions must be developed in case a deviation in the CCP is identified, and each of these is required to be verified. Records then also need to be maintained to demonstrate the plan is being followed and that food safety issues are minimized and controlled.
HACCP is, for the most part, the standard food safety plan used to meet the Global Food Safety Initiative (GFSI) standards. This is utilized in various third-party audit and customer requirements such as FSSC 22000, SQF, BRC, IFS and others. These audit standards that many facilities use and comply with also require the development of a food safety management system, which includes a food safety plan.
Further, HACCP is often used to demonstrate that potential food safety issues are identified and addressed. FDA has adopted and requires a regulated HACCP plan for both 100% juice and seafood processing facilities. USDA also requires the regulated development of HACCP for meat processing and other types of facilities to minimize potential food safety issues.
For facilities required to register with the FDA—unless that facility is exempt or required to comply with regulated HACCP—there is a new type of food safety plan that is required. This type of plan builds upon HACCP principles and its steps but goes beyond what HACCP requires. Under 21 CFR 117, specific additions assist in identifying and controlling additional food safety hazards that are on the rise. This includes undeclared allergen recalls, which constituted 47% of recalls in the last reportable food registry report published by FDA.
Prior to developing this plan, FDA provided recommendations for preliminary steps that can be completed and are essential in development of a robust food safety plan but are not a regulatory requirement. The steps are very similar to the preliminary tasks required by HACCP, including the following:
- Assemble a food safety team
- Describe the product and its distribution
- Describe the intended use and consumers of the food
- Develop a flow diagram and describe the process
- Verify the flow diagram on-site
Their recommended plan also requires a number of additional steps, including:
- A written hazard analysis, conducted by or overseen by a Preventive Controls Qualified Individual (PCQI). However, this hazard analysis requires assessing for any known or reasonably foreseeable biological, chemical, physical, radiological, or economically motivated adulteration (food fraud that historically leads to a food safety issue only). You may note that two additional hazards—radiological and EMA—have been added to what HACCP calls for in the assessment.
- Written preventive controls if significant hazards are identified. However, although similar, preventive controls are different from a CCP. There are potentially four types of preventive controls that may be utilized for potential hazards, including Process Preventive Controls (the same as CCP), Allergen Preventive Controls, Sanitation Preventive Controls, Supply Chain Preventive Controls and Others if identified.
- A written supply chain program if a Supply Chain Preventive Control is identified. This includes having an approved supplier program and verification process for that program.
- A written recall plan if a facility identified a Preventive Control.
- Written monitoring procedures for any identified Preventive Control that include the frequency of the monitoring, what is required to be done, and documentation of that monitoring event.
- Written corrective actions for identified Preventive Controls in case of deviations during monitoring. Corrective actions must be documented if they occur.
- Written verification procedures as required. This could include how monitoring and corrective actions are verified, procedures themselves are verified, and calibration of equipment as required. Also required is training, including a Preventive Control Qualified Individual. Additional training is required for those individuals responsible for performing monitoring, implementing corrective actions, and verification of Preventive Controls. Further, all personnel need to have basic food safety training and all training needs to be documented.
While the term “food safety plan” is used widely, it’s important that operations don’t just use the term, but enact a plan that is vetted, proven to work, and encompasses the principles of HACCP. Doing so will help ensure that their facility is producing foods that customers and consumers will know are safe.
Can we have 100% remote audits?
Shawna Wagner (on SQF): SQF does permit conducting an audit at 100% using ICT. Audits using ICT are not mandatory. This option must be a last resort option, as full onsite and the 50/50 blended option (50% onsite and 50% remote) shall be the first options. A feasibility assessment with a certified organization is needed to verify that a full remote audit is an effective and practical option. An SQF Fully Remote Audit only applies to announced re-certification and/or surveillance audits of the SQF Food Safety and/or Quality Codes. It does not apply to initial certification audits or unannounced re-certification audits.
SQF Fully Remote Audit certification can be applied to the following SQF Codes:
- SQF Food Safety Code for Food Manufacturing
- SQF Food Safety Code for Storage and Distribution
- SQF Food Safety Code for Manufacture of Food Packaging
- SQF Food Safety Code for Primary Production
- SQF Quality Code
Isabella D’Adda (on FSSC 22000): Yes, 100% remote audits are now allowed also for FSSC 22000. On the 5th of October, 2020 FSSC published a new document called “Full Remote Audit Addendum” that explains the conditions and the rules for conducting FSSC 22000 audits fully remotely. This document is valid and applicable only when a certified organization cannot be accessed due to a serious event – as in the case of a pandemic.
The FSSC 22000 full remote audits are completed using Information and Communication Technology (ICT); these will be accredited audits, which will not be recognized by GFSI – the transparency of the certification process is always granted, that’s why the certificate that will be issued after these kinds of audits will have a specific reference that a Full Remote Audit was conducted.
Before conducting a 100% remote audit, a certification body must evaluate an impact of the serious event on the current certificate and certification status, and conduct a feasibility assessment with the certified organization in order to verify that a full remote audit is an effective and practical option.
The FSSC 22000 full remote audits can be done when annual announced surveillance/periodical or recertification audits cannot take place on-site. But not for Stage 2 Initial audits. Note: even during the 100% Remote audits, auditors need to spend about 50% of the time on documents and records evaluation, and the rest of the audit time on performing video plant tours and interviews.
The addendum to the standard called “FSSC 22000 Annex 9” is still valid in cases where a certification body and an organization agree that it is more appropriate and effective to conduct an audit in two steps: document review and interviews with key personnel remotely, using information and communication technology (ICT), then audit implementation and perform verification of the food management system on-site, with a time-lapse between the two steps.
In the case of the first certification, the FSSC 22000 Annex 9 can be applied and the whole stage 1 audit can be conducted remotely, while the subsequent stage 2 audit will be conducted on-site at least within 6 months after stage 1. For all other audits, according to Annex 9, part of an audit can be conducted remotely, and the rest of the activity completed onsite, considering that the onsite audit cannot have a duration less than 1 day and shall be at least 50% of the total audit duration.
Veronica Ramos (on BRCGS): The rules have been changing recently for the BRCGS standards. These rules are published in the Position Statement BRCGS 078, 080 and 086 (www.brcgs.com) – and these are applicable only for already certified sites. Currently, all certified sites, whose certificates can be affected due to COVID-19 in respect to travel restrictions and internal rules of receiving external visitors to the sites, can opt to any of the following three options:
- Request a certificate extension for six months with a COVID-19 risk assessment (see Position Statement BRCGS 072);
- Request their re-certification audit with the “blended audit” modality (see Position Statement BRCGS 080) – where a remote audit (using ICT electronic systems) is combined with an on-site audit for re-certifications;
- Request the new temporary modality to conduct 100% of an audit remotely (according to the Position Statement BRCGS 086).
This is only applicable for announced audits. It is considered that the best option is to conduct a regular on-site audit or to go with the blended audit option, because an auditor can have a better opportunity to confirm the level of compliance on-site. The on-site audit part should be of at least 1.0 day duration, while the remote part shall not exceed 50% of the total audit duration. Note: full (100%) remote re-certification audits must replicate the exact methodology of a regular audit, including plant tours and interviews, however, it must be first verified that electronic devices and communication means can be used successfully. Also, one should be aware that 100% remote audits are not GFSI benchmarked, but are accredited. Please contact your lead auditor or certification body for more information.
What can be audited during the remote portion?
Wagner (on SQF): For SQF we would focus mainly on Module 2 items, such as Food safety policy, Management Reviews, Approved Supplier Program, Specifications, Validations, Verifications, and Training for the 50/50 blended audit. The 100% remote audit shall include all steps associated with an SQF Systems audit including the opening and closing meetings and discussion and agreement on non-conformities.
D’Adda (on FSSC 22000): When an audit is 100% remote, the whole activity will be done using an appropriate ICT. The audit will follow the same format and organization as an on-site one and, in any case, an auditor must be able to complete the full audit against all FSSC 22000 requirements: also during these audits a possibility to do interviews with personnel must be granted, an appropriate site inspection of all production areas, facilities, storage and external areas must be completed, implementation of PRPs must be verified, documentation must be evaluated with involvement of all management and staff, who manages the food safety system.
A fully remote audit can be conducted only when a site is operational and production is taking place.
For FSSC 22000 fully remote audits, it is advisable to provide supporting information to an auditor before an audit takes place. Documentation, such as site maps, updated flow diagrams, a list and overview of OPRPs/CCPs, any changes, caused by a serious event, and any other supporting information regarding the production process will be useful during an audit.
For audits done 50% remotely and 50% on-site there is the following process: during the remote part, focus will be on the ISO 22000 components of the FSSC 22000 scheme and interviews with management and key personnel. An auditor will review documents and procedures, check management review with specific focus on FSMS objectives and key process performance indicators, HACCP plan, internal audits, complaints and recalls, and how these were managed, focusing on key changes since the previous audit (applicable in the case of periodic audits and re-certification).
Ramos (on BRCGS): During the remote part of a blended audit focus should be on the information included in the documents and records: an auditor would need information on implementation and maintenance of the requirements since the last audit (meaning that samples of records, which could be requested, could be for the last twelve months). Most of the BRCGS standards are color coded, clearly indicating, which are the expected requirements to be audited against on-site, and which can be audited against remotely (e.g. management review, internal audits, complaints, recalls, etc.). But as mentioned before, everything will need to be audited, if the option selected is 100% remotely.
Who should attend the remote portion?
Wagner (on SQF): We would look at this audit no differently than as if we were onsite. It would be recommended that whichever employee is responsible for the section being audited attend. Employees could also be interviewed during a remote audit. This should be discussed with key personnel at the opening meeting.
D’Adda (on FSSC 22000): During remote audit both management and involved key personnel shall be available to support the auditor in his/her activity. Companies should cooperate and provide adequate resources to ensure the audit is conducted successfully.
Ramos (on BRCGS): During a remote audit both management and involved key staff shall be available to support the auditor in his activity.
What documents should we have ready for the remote portion?
Wagner (on SQF): Documents would be the same as if it were an onsite audit. All documentation should be made readily available to the auditor during the time of the remote portion and/or onsite portion of the audit.
D’Adda (on FSSC 22000): The documents that should be available for the remote audit are the same, as the ones requested for ISO 22000 implementation, like context analysis, food safety management system with its defined scopes, products and processes that are included and the objectives of the FSMS, food safety policy, HACCP Plan, management review, updated internal audits and all procedures that a company has documented, which are necessary for the effectiveness of their food safety management system.
Ramos (on BRCGS): All types of documents in their latest updated version shall be readily accessible. It is up to an auditor to request documentation, which is required to fulfil the objectives of an audit within its scope. Documents could be manuals, procedures, work instructions, templates of records, and actual records.
Can we send documents ahead of time?
Wagner (on SQF): It is not required that documents be sent ahead of time, although in some cases this could be helpful for the site and the auditor. Information that is sent ahead of time would be confidential and not audited until the actual audit.
D’Adda (on FSSC 22000): It is not required to send documents ahead of time, however all documents must be prepared and available for the planned audit dates, remote or onsite. There are some organizations, which want to share information in advance and show potentially useful examples, such as master list of documents, flow diagrams, maps, or a summary of preliminary answers to key requirements/topics. This information will not be audited until the actual audit (remote or on-site) starts. Thus, this information will be handled as confidential. As a representative of a certified organization, one should know that during an audit, it is up to auditors to request certain information, which may help to get proper evidence, needed to fulfill objectives of the audit.
Ramos (on BRCGS): It is not required to send documents in advance, however there are some organizations, who want to share information beforehand to demonstrate examples, which might be useful during an audit, such as master list of documents, flow diagrams, maps, or a summary of preliminary answers to the key requirements/topics. This information will not be audited until the actual audit (remote or on-site) starts. Such information will be handled as confidential. As a certified organization, one should know that it is up to auditors to request certain information, which may help to get proper evidence, needed to fulfil the audit objectives, during an audit.
Is my information confidential?
Wagner (on SQF): All information that is sent shall be confidential and follows DNV GL’s Information Security Policy.
D’Adda (on FSSC 22000): All DNV GL auditors received specific training on how to manage remote audits and treat confidential information in accordance with the DNV GL’s Information Security Policy.
Ramos (on BRCGS): All DNV GL auditors received specific training on how to manage remote audits and treat confidential information, in accordance with the DNV GL’s Information Security Policy and confidentiality agreements signed with customers.
When does the onsite portion need to happen?
Wagner (on SQF): The onsite needs to happen within 30 days of the remote portion. Both audits must occur within the 60-day audit window for SQF.
D’Adda (on FSSC 22000): In the case of fully remote audits, there won’t be an onsite auditing activity, and it will be completed using ICT equipment. In the case of an audit done partially remotely and partially on-site: FSSC has defined that the maximum timeline between a remote audit and the on-site portion shall be 30 calendar days. In the case of a serious event, this timeline can be extended to 90 calendar days, but only after a documented concession process and risk assessment have been completed by a certification body. Serious events that could lead to a postponement of the onsite portion of an audit are pandemic emergencies like Covid-19, legal proceedings, prosecutions, affecting food safety or legality, public food safety events (e.g. public recalls, calamities etc.), natural disasters (e.g. floods, fire, earthquake), war or political instability and other serious situations, like malicious hacking.
Ramos (on BRCGS): It is expected that in a blended audit the remote part is conducted first and then the on-site part, however, if logistics require that the audit is conducted in the reverse order, this is acceptable as well. The second part of a blended audit needs to happen within the following 28 calendar days, allowing enough time for a site to do a non-conformity closure (when applicable), and a re-certification decision can be issued before the expiration date of the current certificate. In exceptional justifiable circumstances, a certification body may request a concession from BRCGS for a maximum of 90 days. In the case of a 100% remote audit, the full audit shall be conducted as scheduled on consecutive full days.
EDGARTOWN, MA, June 27, 2019 – Innovative Publishing Co., publisher of Food Safety Tech and organizer of the Food Safety Consortium Conference & Expo is pleased to announce a partnership with FSSC 22000 to hold the organization’s Focus Event 2019 at this year’s Food Safety Consortium in Schaumburg, IL.
Taking place on October 1 as a pre-conference workshop, the FSSC 22000 Focus Event will provide a firsthand update of the FSSC 22000 program worldwide and review the new Version 5, which includes the revised ISO 22000:2018. Experts will give attendees an overview of the benefits of the ISO approach and its alignment with FSMA, as well as the role of FSSC 22000 new scopes, including Transport and Storage, with a practical example of the benefits of certification in this new sector. There will also be discussion of the application of the FSSC Global Markets Program to smaller and medium-sized organizations.
“I am excited to welcome stakeholders from the GFSI-recognized food safety management system FSSC 22000 to the Food Safety Consortium as key participants in educating an important part of this industry,” said Rick Biros, president of Innovative Publishing Co., Inc. and director of the Food Safety Consortium Conference and Expo.
Speakers include Cornelie Glerum, Managing Director, FSSC 22000; Cor Groenveld, Market Development Director, FSSC 22000; Jacqueline Southee, North America Representative, FSSC 22000; and Jim Blackmon, President of Carry Transit (invited).
Professionals within the following roles/segments should attend this event: Food and beverage companies; FSSC 22000 certified companies and companies interested in becoming FSSC 22000 certified; certification bodies and contractor auditors; accreditation bodies; and training organizations.
The FSSC 22000 Focus Event is available and included in the Food Safety Consortium Conference registration fee.
Delegates registering for the FSSC 22000 Focus Event 2019 only will also receive complimentary admission to the plenary session of the Food Safety Consortium, presented by Frank Yiannas, deputy commissioner, food policy and response at FDA, and are invited to attend the evening reception in the exhibition hall.
About Food Safety Tech
Food Safety Tech publishes news, technology, trends, regulations, and expert opinions on food safety, food quality, food business and food sustainability. We also offer educational, career advancement and networking opportunities to the global food industry. This information exchange is facilitated through ePublishing, digital and live events.
About the Food Safety Consortium Conference and Expo
The Food Safety Consortium Conference and Expo is a premier educational and networking event for food safety solutions. Attracting the most influential minds in food safety, the Consortium enables attendees to engage conversations that are critical for advancing careers and organizations alike. Visit with exhibitors to learn about cutting edge solutions, explore diverse educational tracks for learning valuable industry trends, and network with industry executives to find solutions to improve quality, efficiency and cost effectiveness in an ever-changing, global food safety market. This year’s event takes place October 1–3 in Schaumburg, IL.
About FSSC 22000
FSSC 22000 (Food Safety System Certification 22000) offers a complete certification program for the auditing and certification of Food Safety Management Systems (FSMS) and Food Safety and Quality Management Systems (FSSC 22000-Quality). Based on the internationally accepted ISO 22000 family of standards and benchmarked by the Global Food Safety Initiative (GFSI), FSSC 22000 sets out the requirements for companies throughout the supply chain for meeting the highest food safety standards. FSSC 22000 is recognized and relied upon by some of the world’s largest food manufacturers, is widely accepted by Accreditation Bodies worldwide and supported by important stakeholders like FoodDrinkEurope (FDE) and the American Grocery Manufacturers Association (GMA).
I attended the Safe Food California Conference last week in Monterey, California. Food fraud was not the main focus of the conference, but there was some good food fraud-related content. Craig Wilson gave a plenary session about the past, present and future of food safety at Costco. As part of that presentation, he discussed their supplier ingredient program. This program was implemented in response to the 2008 Salmonella Typhimurium outbreak in peanut paste but has direct applicability to food fraud prevention.
Jeanette Litschewski from SQFI gave a breakout presentation on the most common SQF non-conformities in 2018. She presented data from 7,710 closed audits that cited 44,439 non-conformities. Of those, 756 were related to food fraud requirements. While this presentation was not focused on the specifics of the food fraud non-conformities, Jeanette did mention that many of them were related to broad issues such as not having completed a food fraud vulnerability assessment or appropriately documenting that each of the required factors was addressed in an assessment.
I was invited to give a breakout presentation with an overview of food fraud issues globally and a brief outline of some of the tools currently available to assist with conducting vulnerability assessments. Although many of the attendees had already begun implementation of food fraud measures, there was a lot of interest in this list of tools and resources. Therefore, I am recreating the list in Table I. The focus is on resources that are either complimentary or affordable for small- and medium-sized businesses, with recognition that “full-service” and tailored consulting services are always an option.
Table I. Food Fraud Resources

|Food Fraud Mitigation Training|Food Fraud Vulnerability Assessments|Food Fraud Data/Records|
|---|---|---|
|Michigan State Massive Open Online Courses for Food Fraud|SSAFE/PwC|Decernis Food Fraud Database|
|Food Fraud Advisors Online Training Courses|USP FFMG|FPDI Food Adulteration Incidents Registry|
|Food Fraud Advisors Vulnerability Assessment Tools (downloadable spreadsheets):|
The USP Food Fraud Mitigation Guidance referenced in Table I is a great source of general information on food fraud mitigation, as is the “Food Fraud Prevention” document created by Nestle. Many of the GFSI Certification Programme Owners have also released guidance documents about vulnerability assessments, such as BRC, FSSC 22000, and SQF.
The Decernis Food Fraud Database and the FPDI Food Adulteration Incidents Registry (see Table I) are two sources of historical food fraud data that are referenced specifically in the SSAFE/PwC tool. Companies can also track official information about food safety recalls and alerts (including related to food fraud) from public sources such as the FDA Recalls, Market Withdrawals, & Safety Alerts; Import Refusals; Warning Letters; USDA Recalls and Public Health Alerts; EU RASFF, and many others.
Of course, there are quite a few companies that offer tailored tools, training and consulting services. Companies that offer courses in food fraud mitigation and assistance in creating a vulnerability assessment (or FDA-required food safety plan) include NSF, Eurofins, AIB International, SGS, and The Acheson Group.
Also available are services that compile food safety recalls and alerts (including those resulting from food fraud) from multiple official sources, such as FoodAKAI and HorizonScan. EMAlert is a proprietary tool that merges public information with user judgment to inform food fraud vulnerability. Horizon Scanning is a system that can monitor emerging issues, including food fraud, globally.
In short, there are many resources available to help support your food fraud vulnerability assessments and mitigation plans. If I have unintentionally missed mentioning any resources you have found to be helpful, please let us know in the comments.
Accreditation is an internationally accepted independent oversight process for maintaining operational standards and ensuring confidence. It is accepted by many governments and private industries, including at various levels of the global food supply.
Recognized within the food industry and endorsed by the Global Food Safety Initiative (GFSI), the process of accredited certification has become essential for business.
In the United States, the Food and Drug Administration (FDA) Food Safety Modernization Act (FSMA), in its rule on accredited third-party certification, incorporates the accreditation process for oversight over third-party certification bodies certifying foreign food facilities manufacturing for import into the United States.
With accredited services increasingly becoming an integral part of business operations, many wonder how the processes of accreditation and certification work.
Accreditation is the process of ensuring that an organization has the necessary technical competence to perform a specific task, and has met and continues to meet a specific set of operational requirements. An accreditation body (AB) uses internationally established techniques and procedures to assess conformity assessment bodies (CABs) against recognized standards to ensure their impartiality, competence, and ability to produce consistently reliable, technically sound and impartial results.
Accreditation provides formal recognition that an organization is competent to carry out specific tasks, and provides an independent assessment of conformity assessment bodies (CABs) against recognized standards to ensure their impartiality and competence. Accreditation provides assurance to a CAB’s customers and industry that the CAB continuously operates according to internationally accepted criteria applicable to CAB’s scope of accreditation.
Although there is flexibility for an AB to design its accreditation process within the constraints of ISO/IEC 17011, Conformity assessment – General requirements for accreditation bodies accrediting conformity assessment bodies, the standard to which all internationally recognized ABs must conform, some aspects are mandatory.
As part of the application process, the applicant for accreditation submits information about the desired scope of accreditation and its documented quality management system. The AB conducts a document review to verify that the applicant has documented all management system requirements specified in the relevant criteria and any other applicable requirements. Additional requirements could include, for example, those mandated by a specific regulatory authority or industry. During the assessment, through witnessing of the CAB conducting a conformity assessment activity, interviews of personnel, and review of records and other objective evidence, the AB’s assessment team verifies the CAB’s technical competence and implementation of the quality management system.
The applicant is required to provide corrective action for all identified deficiencies. Only after all identified issues have been addressed can the accreditation decision process begin. To ensure that the accreditation decision is impartial, members of the assessment team do not take part in the decision. The designated decision maker, which may be a group or an individual, is responsible for reviewing the assessment team’s recommendation and ensuring that all accreditation requirements have been met by the applicant and are properly documented before granting accreditation.
A certificate and scope of accreditation are issued only after a favorable accreditation decision.
Once accredited, the CAB is regularly re-assessed to ensure continued conformance to the accreditation requirements, and to confirm that the required standard of operation is being maintained.
To ensure transparency, the AB is required to make publicly available information on the status and scope of accreditation for each accredited CAB. Any changes occurring after initial accreditation, such as suspension for all or part of the scope of accreditation, are published on the AB’s website.
It is important to note that while ABs provide oversight over CABs, internationally recognized ABs are themselves subject to regular oversight from organizations orchestrating the harmonization and recognition of the accreditation process internationally.
The International Laboratory Accreditation Cooperation (ILAC) and the International Accreditation Forum (IAF) provide this international oversight. ABs that are signatories of the ILAC and/or IAF mutual recognition agreements (MLAs or MRAs) must conform with the requirements of ISO/IEC 17011 as well as applicable program-specific requirements, and are admitted to the agreements for a specific capability, for example, as an accreditor for testing labs or for management systems certification bodies. Technical competence of the AB and conformance to the requirements is verified through rigorous on-site evaluation by other members of the IAF or ILAC community.
Without international oversight, there would be no evidence or confirmation that an AB operates in accordance with international requirements when providing oversight of accredited CABs. This oversight provides assurance that the AB understands the CAB’s process and can attest to the CAB’s competence.
The IAF MLA and ILAC agreements are internationally recognized forms of approval; signatories have demonstrated their compliance with specified standards and requirements. Accreditation by a signatory of the ILAC MRA and/or IAF MLA provides assurance that decisions are based on reliable results, thus minimizing risk.
This is of particular importance in the constantly evolving global food-supply network. Many specifiers, such as regulatory authorities, have acknowledged the importance of credible accreditation programs.
A number of government agencies in the United States and around the world, including the U.S. Consumer Product Safety Commission (CPSC), U.S. Environmental Protection Agency (EPA) and the Canadian Food Inspection Agency (CFIA), have mandated accreditation by an internationally recognized accrediting body for their programs.
Accreditation within the MLA/MRA process helps regulators meet their legislative responsibilities by providing assurance that testing, inspection and evaluation results are issued by organizations whose technical competence and compliance with specified criteria have been verified by an independent third party. It provides assurance to stakeholders, such as the regulatory authorities, that the accredited CAB operates in accordance with recognized and accepted criteria.
Food Safety Tech recently sat down with experts from Eurofins to discuss FSSC 22000. According to Kristopher Middleton, technical manager at Eurofins, and Kim Knoll, food safety systems national sales manager at the company, there are still quite a few companies (especially in North America) that are unfamiliar with the ins and outs of the certification scheme. In a Q&A with FST, Middleton and Knoll break down the basics of FSSC 22000 and explain some of its benefits.
Food Safety Tech: How is the trend with FSSC 22000 evolving?
Kristopher Middleton: The scheme started in 2009 based on a demand for people wanting to have an ISO-based certification within the GFSI benchmarking process. When the program came out, it trended toward larger companies that already had ISO-based certifications, mainly ISO 22000 and ISO 9001. The FSSC 22000 scheme is the fastest growing GFSI benchmarking scheme currently. It’s not just for large multinational companies; a lot of smaller suppliers are seeking certification to this scheme. The foundation continues to expand its scopes to become a true farm-to-fork certification program.
FST: Is FSSC 22000 also appropriate for a single site or for a company with fewer than 50 employees?
Middleton: The certification doesn’t discriminate based on facility size—nor footprint or number of employees. It’s ideal for any company that has a robust food safety management system and manufactures products that fall within the FSSC 22000 scope of certification. This currently includes manufacturers of perishable animal products (feed and food), perishable vegetable products, products with a long shelf life, biochemical products (i.e., food ingredients, vitamins, biocultures, etc.), manufacturers of food packaging, and primary production of animal products.
The key thing about FSSC 22000 certification is that it is not a terribly prescriptive food safety scheme, when compared to others that are available. You will be successful with FSSC 22000 certification if you are confident and knowledgeable about your own food safety management system, and you have appropriate justification or validation for the method in which your programs have been implemented, as well as validation for the controls of your food safety hazards.
FST: Are there quite a few companies that have not heard of FSSC 22000 or are not aware that it is a GFSI-recognized scheme?
Middleton: Since ISO 22000 was not terribly popular here in North America, it didn’t catch on right away. It was more so overseas that it caught on. However, within the past two years the scheme has become increasingly popular here, especially among companies that have other ISO standards already implemented (i.e., ISO 9001, 14001, 18001, etc.), where it relates to occupational health and safety, environmental, and quality. The reason for that is the FSSC can easily intertwine with that entire management system program so that it all works together versus having separate programs in place.
Kim Knoll: I’m having a lot of conversations with smaller manufacturers who are brand new to GFSI. Many of them are being asked by their customers to achieve a GFSI benchmarked certification and are in the early stages of researching scheme options. Some of these companies are surprised to learn that FSSC 22000 is a viable option. Like other certification schemes, Eurofins lends support to companies planning to pursue FSSC 22000 through training courses, consulting services, pre-assessments and ultimately certification services. Even though FSSC 22000 is a newer scheme, auditor availability is not an issue.
FST: What are the key differences between FSSC 22000 and the other GFSI schemes?
Middleton: Probably the most apparent difference with FSSC compared to other GFSI benchmark schemes is the fact that your certification lasts for three years, not one year. The reason for that is that it’s not a product-based certification like the others, it is a process-based certification and it uses the accreditation standard of ISO 17021 not ISO 17065. It also uses ISO 22003 for direction to the certification body for the conducting of the audit. That doesn’t mean that sites won’t be audited annually; it just means that once the certificate is granted, it’s good for three years.
Another key difference is that there is no true pass or fail within the audit. It’s a conform or not-conform audit. The decision to certify is based off the findings from the auditor and their recommendations, as well as the decision from a technical review meeting at the certification body. It requires the effective closure of a particular non-conformance or satisfactory plan being submitted for the closure of those non-conformances before the actual certificate can be granted. So that’s a bit different, because you can just submit plans for your non-conformances [instead of] actually showing that everything has been completely resolved. That being said, if a facility isn’t able to hold or get a certificate, if there’s an imminent food safety threat noted during an audit—if there’s an issue, such as a potential recall or contaminated goods, the ability to be granted that certificate is not feasible.
FST: Can you walk us through the auditing and certification process under FSSC 22000?
Middleton: Like any of the standards out there, you can get a pre-assessment, which is not necessarily part of the certification activity. The certification activity starts at a Stage 1 audit within this scheme (also known as a document audit within other schemes). It’s an evaluation of a facility’s food safety management system documents to determine if they’re valid. The process does not include an entire evaluation of the implementation of the program, just simply that the programs are adequately designed and meet the requirements that are in place.
Next there’s a Stage 2 audit (sometimes referred to as a facility audit) that is conducted no more than six months after the Stage 1 audit. The Stage 1 audit will identify the areas of concern—programs that might not meet exactly what the specifications required within the standard, which would become non-conformances in a Stage 2 audit (also called a facility audit or certification audit).
The Stage 2 audit is the full evaluation of the implementation of the program that was reviewed in the Stage 1 audit. Following completion of the audit, effective closure of non-conformances is required. This closure can either be [related to] major non-conformances, CAPA or root cause analysis. You have to supply evidence that the non-conformance is properly eliminated and will not recur, and this evidence must be supplied to the certification body and the auditor for review.
Any other non-conformances (also known as minor non-conformances) must have corrective action plans. Companies need to state how they plan on resolving the issue. They will be “closed” but left open for the next audit, which has to occur within one calendar year (known as a surveillance audit). The term “surveillance audit” within this standard is different from some of the other standards. Within some of the other standards, a surveillance audit is not a yearly activity—it is done within the year of certification. The surveillance audit within this standard is a yearly audit that is required to meet the requirements of GFSI. It’s also a requirement within [ISO] 17021 and [ISO] 22003 that surveillance audits are conducted. The GFSI requirement changed the surveillance audit within the ISO world because they used to do a sampling audit, which progressed to a full-blown audit. Your whole food safety management system will be evaluated, which is slightly different from ISO 22000 surveillance audits.
After that audit is conducted, you have another surveillance audit in the following calendar year. Within those surveillance audits, if any minor non-conformances or non-conformances from the previous audit are still present, they are upgraded to major non-conformances and [companies] would have to implement a full corrective action plan, root cause analysis, etc. and then determine the solution.
Once the second surveillance audit is conducted, the following year will be your recertification audit, which is simply another facility audit. It’s not a document audit—you don’t have to do Stage 1 audits after that initial one. This recertification audit occurs prior to your certificate expiring.
If my company is GFSI-certified, is it also FSMA compliant? The answer is: With shared goals of producing safe food, coordinating preventive measures and ensuring continuous improvement, if your company is FSSC 22000 certified, you’re well on the road to FSMA compliance, according to Jacqueline Southee, Ph.D., U.S. Liaison, FSSC 22000. Southee discussed several areas in which FSSC 22000 aligns with FSMA as part of a recent Leadership Series, “GFSI in the Age of FSMA”.
Supply Chain Visibility
FSSC 22000 is applicable to all aspects of the supply chain and requires interactive communication (all of which must be documented), from the downstream level in ensuring raw materials and suppliers meet requirements of the ISO 22000 framework to communication with customers and suppliers to verify and control hazards.
FSMA controls the hazard of food within the United States, says Southee, whereas GFSI certification is a global initiative, thereby extending supply chain visibility to foreign suppliers.
The Food Safety Plan
There has been much discussion surrounding building a FSMA-ready food safety plan and the migration from HACCP to HARPC. “HARPC can be referred to as HACCP with preventive controls,” says Southee. FSSC 22000 provides a flexible yet robust approach in a framework that is applicable to all situations (i.e., different manufacturers have different issues, such as producing ice cream versus baked goods). Rather than being prescriptive, the prerequisite program has the flexibility to apply to a particular situation. In addition, validation, verification, monitoring and documentation are an inherent part of the ISO 22000 approach and the FSSC 22000 certification.
FSSC 22000 serves as an effective tool in preparing companies for FSMA compliance. “We’re not a regulatory system; FDA has that domain,” says Southee. “They’re the ones that carry the responsibility of meeting those regulations. We work with everyone…to do the best job we can.”
Being audit ready all the time is a key part of preparing for FSMA. FSSC 22000 certifies a food safety management system (a three-year certification cycle) and requires internal audits of company performance, along with helping companies ensure that their records are organized at all times. The goal is to install a management system that enables constant monitoring, reevaluation and assessment as part of an ongoing process of keeping food safe, according to Southee. “If you’re certified and have an effective ongoing management system, unannounced audits won’t be an issue,” she says.
Food Safety Culture
FSSC 22000 and ISO 22000 provide a strong foundation for building food safety culture. ISO 22000 requires proof of management commitment to the food safety process, along with accountability, and for management to make resources available to see the food safety process through. “We agree that culture has to come from the top,” says Southee. “The personnel have to see that management is committed, and the culture will come from that commitment.” It also requires constant communication, up and down the supply chain as well as internally. This includes involving all employees and making sure that they know what they’re doing (i.e., training). “Everyone needs to know they’re valued and important, and how their function contributes to the function of safe food,” says Southee.
FSMA Alignment and Gap Analysis
There are sure to be some gaps when it comes to FSSC 22000 and FSMA. FSSC 22000 has commissioned a gap analysis to compare the preventive controls for human and animal food rules with the GFSI scheme and will add addendums as needed. Areas of review include a requirement to include food fraud into the hazard analysis and a review of unannounced audit protocol.
The “GFSI in the Age of FSMA” three-part series wrapped up in early December, providing the food safety community insight on how leading GFSI schemes align with, and help prepare for, compliance with FSMA. The series was presented by SafetyChain with media partner FoodSafetyTech.
Each GFSI scheme leader from SQF, BRC and FSSC 22000 discussed how their schemes align with FSMA in several key areas, including Supply Chain Controls, migrating Food Safety Plans from HACCP to HARPC, and audit readiness. While each scheme leader provided insights and details on how their scheme aligns with FSMA, common key themes across all three sessions included:
- FSMA’s focus on prevention vs. reaction is similar to, and aligns with, GFSI’s objectives; scheme certifications and ongoing compliance are centered around continuously assessing risks and putting preventive measures in place to mitigate those risks
- GFSI’s global approach surrounding a company’s food safety program (to ensure better supply chain controls internally, upstream and downstream) prepares companies to manage FSMA’s increased focus on both domestic and foreign supplier compliance
- GFSI’s stringent documentation and recordkeeping requirements—along with unannounced audit protocols—are a strong foundation to help food and beverage companies prepare for FSMA’s “if it isn’t documented you didn’t do it” mantra
The GFSI scheme leaders also spoke about the importance and opportunity companies have to leverage technology tools to help more effectively manage the complexities and requirements of GFSI and FSMA compliance. Series participants were able to see an example of how these automation tools work and the impact they can have on managing a robust food safety program via a post session demo of SafetyChain Software.
Archived recordings of all three sessions—SQF in the Age of FSMA, featuring Robert Garfield, Senior VP, SQF; BRC in the Age of FSMA, featuring John Kukoly, Director, BRC Americas; and FSSC 22000 in the Age of FSMA, featuring Jacqueline Southee, U.S. Liaison, FSSC 22000—are available and can be accessed here.
Accreditation, certification, certificates…the structure that supports the third-party audit system can be very confusing! Further, an audit company offers a menu of audits: An audit to their own private standard, audits to several GFSI benchmarked schemes, and perhaps in the future, an “FDA accredited” audit. How do you know which one you need? How do you know which best prepares you for FSMA?
Jennifer McEntire spoke during the session, “Staying Ahead of New USDA and FDA Mandates for Controlling Pathogens in Food Processing” at the Food Safety Consortium conference.
Until the compliance dates for the Preventive Controls rules pass, food manufacturers really only need to be compliant with good manufacturing practices (GMPs), from a regulatory standpoint. There are some specific audits that evaluate adherence to GMPs, but many companies wanted to take their food safety programs to the next level by demonstrating that they were implementing effective food safety management systems. Certification to a GFSI-benchmarked audit scheme (BRC, SQF, FSSC 22000, IFS, etc.) was a primary means to show a commitment to food safety and the demonstration of exemplary programs. With the finalization of the Preventive Controls Rules, FDA is catching up. So how do the FDA requirements compare with the main elements of the GFSI Guidance Document?
Let’s evaluate the extent to which the scope of GFSI aligns with FSMA. In September, the Preventive Controls for Human Food rule was finalized, and the areas addressed within that rule constitute the bulk (although not all) of the topics covered by GFSI (GFSI covers additional areas for which FDA has not yet finalized rules, such as food defense and traceability). The question on everyone’s mind is, “If I’m certified to a GFSI-benchmarked audit scheme, am I compliant with the rule?” The answer is, “You’re probably in way better shape than someone who is not certified.” The reason is, regardless of which GFSI benchmarked audit scheme you choose, your facility will need to demonstrate, through fairly exhaustive documentation, the nature and validity of the programs that are in place, and the proof that those programs are followed day in and day out. FDA is looking for the same thing.
The Preventive Controls rules go beyond strict HACCP in that they require facilities to consider what has historically been termed the HACCP system. This includes programs that may not be critical control points (CCP) per se, but are critical to the safety of the food product. FDA identifies elements of sanitation and allergen control, as well as a supplier program, in this category. If you’re familiar with FSSC 22000, you might call these “operational prerequisite programs”. FDA will want to see how each and every hazard is evaluated to determine if it needs a preventive control, whether that is a traditional CCP or another control. For the most part, this is aligned with the GFSI benchmarked schemes, although some of the language may differ.
When it comes to the implementation of a supplier program, facilities should be aware that FDA’s requirements of such a program are much more explicit than most of the GFSI-benchmarked schemes. Even if the result is the same at the end of the day, FDA inspectors may be looking for companies to follow a fairly structured approach compared to a GFSI auditor.
To further complicate matters, FDA will be finalizing a program for the accreditation of third-party auditors. If an effective private third-party audit system exists, why is FDA adding another layer with its own form of audits (separate from inspections)? The answer lies with Congress, not FDA, as it identified two specific circumstances in which a special regulatory audit would be necessary. One situation is when a facility (or their customer) wishes to participate in the forthcoming Voluntary Qualified Importer Program. The second is if FDA has determined that the food poses food safety risks such that a facility wishing to export that food needs a certification issued by an auditor under this program. In neither case will domestic facilities be audited under this program; this program only applies to foreign facilities and only in very limited instances.
Since the rule and accompanying guidance documents related to accreditation of third-party auditors haven’t been issued by FDA, it is premature to comment on how these audits will compare to those in use by private industry today.
So with the implementation of new rules from FDA, is there still a market for audits? Absolutely. From a very practical standpoint, FDA won’t be inspecting most facilities on an annual basis, and many private audits are conducted on an annual schedule. Plus, industry typically pushes itself further than regulations, which lag behind. Regulations can be viewed as the floor for expectations, but not the ceiling. Moving forward, we expect audit standards and private audits to become even more stringent and aggressive in terms of promoting the very best food safety practices. But beware, as history has shown us, a certificate is not a guarantee or indication of the ongoing quality of a plant’s food safety system. This is why FDA will not blindly accept that a facility has a favorable audit; regardless of the audit certifications you hold, FDA will still inspect you. That said, depending on the audit, it can serve as a credible certification of a food safety system in a plant and demonstrate to your customers your level of food safety commitment. And poor performance during an audit can find its way to FDA too, since in some instances the agency will have access to the conclusions of the audit and corrective actions taken in response to significant deficiencies identified during the audit. FDA initially proposed that serious issues uncovered during consultative audits conducted as part of the third-party accreditation of auditor program would be shared with FDA, and when audits are used as part of supplier programs, FDA will see how serious deficiencies in audits have been addressed. Be clear on why you are pursuing a particular audit, and take the program seriously. Audits should reflect your food safety culture, not serve as your motivation.