Alfonso Capuchino, a food industry certification professional with more than 20 years’ experience, is joining the Kiwa Group as Global Technical Director for Food, Feed and Farm, and ASI, a member of the Kiwa Group, as Vice President of Certification. Capuchino specializes in management systems, HACCP, third-party auditing and GFSI certification, and has experience in developing multi-standard services. He is a certified instructor and auditor for GFSI standards in the scope of food handling, packaging, storage and distribution, and brokering.
“Alfonso’s background in GFSI benchmark standards will provide great value in increasing our already strong presence working with standards like BRC, FSSC, SQF, GlobalGAP, PrimusGFS, IFS, etc. We are happy to welcome him to the global team with open arms,” said Richard Stolk, President of the Board of Directors at ASI, and Global Business Sector Director of Food Feed Farm at Kiwa Group.
“We are excited to have Alfonso on board as a part of our growing Kiwa-ASI family. His vast industry knowledge and experience will be crucial as we work to continuously improve and expand our existing certification programs,” said Tyler Williams, CEO of ASI.
For more than 30 years, Capuchino has served multiple industries in various roles, including consulting, auditing and directing teams in quality, food safety, environmental safety, occupational safety and sustainability. He earned an industrial engineering degree from the Technological Institute of Tlalnepantla in Mexico City. Before joining the Kiwa Group, Capuchino was the Vice President of Certification Services at AIB International.
Global Testing, Inspection and Certification (TIC) company Kiwa has acquired St. Louis-based ASI. ASI has provided farm-to-fork food safety solutions since the 1940s. The company offers a full suite of safety and quality services to the food and beverage, dietary supplements and cannabis industries. The merger will strengthen Kiwa’s U.S. footprint in providing Food, Feed & Farm certifications.
“Kiwa and ASI share similar customer-first business values and follow the same business model when it comes to testing, inspection and certification. By joining the Kiwa family, we’re combining their wide portfolio of accreditations and services (BRC, IFS, FSSC, PrimusGFS, GLOBALG.A.P., Rainforest Alliance, MSC/ASC, Organic/USDA and many others), global business network and expertise with our client network in farm-to-fork food safety to assist our growing client base in North America even better,” said Charray Williams, CEO of ASI.
On January 1, 2023, 29-year-old Tyler Williams, CTO of ASI, will take the reigns as CEO of ASI. He is the youngest CEO in the history of the company. He will succeed current CEO Charray Williams and lead the expansion of Kiwa and ASI in the Food, Feed & Farm sector in North America. Richard Stolk, Kiwa’s global Director for the Food, Feed & Farm sector will serve as President of the Board of ASI and will be directly involved in the further growth of ASI.
“Kiwa already has a strong footprint in the global Food, Feed & Farm sector. With ASI, we significantly expand our reach, expertise and footprint, particularly in the U.S. but certainly with a global perspective. Now that we have welcomed ASI to the Kiwa family, we can better provide our customers with a one-stop shop for food- and feed-related certification services on all continents,” said Stolk.
In a move lauded by the pest management industry, the Safe Quality Food Institute (SQFI) announced toward the end of 2020 that the SQF Code Edition 9 for Food Manufacturing contains specific language endorsing the use of electronic monitoring devices in pest prevention programs. This new edition of SQF’s Code, which will be implemented starting May 2021, will guide participating companies in the implementation of some of the most stringent food safety management practices in the industry.
Specifically, section 11.2.4 of the SQF Code Edition 9, entitled Pest Prevention, details that for a pest prevention program to be effectively implemented, it shall “…Include the identification, location, number, and type of applied pest control/monitoring devices on a site map.” Additionally, the Code spells out numerous expectations for pest control providers, including that they “Provide a pest prevention plan (refer to 220.127.116.11), which includes a site map, indicating the location of bait stations, traps and other applicable pest control/monitoring devices.” SQF’s codification of electronic rodent monitoring systems is an acknowledgement of the important role played by electronic pest monitoring in modern food safety practices.
The American Institute of Baking (AIB) also recognizes electronic rodent monitoring in its food safety certification scheme. Specifically, section 4.11 of the AIB International Consolidated Standards of Inspection notes that rodent monitoring devices should identify and capture rodents that gain access to a facility and includes among the acceptable monitoring options “extended trigger traps that send alert e-mails or text messages.” AIB’s schematic points out that remote monitoring devices may play a particularly relevant role in facilities in countries or regions where the use of mechanical traps is prohibited.
While SQF is the first GFSI Certification Program Owner (CPO) and AIB is the first Certification Body (CB) to formally include electronic rodent monitoring in their protocols, it is only a matter of time before other certification programs, certification bodies and recognized standards such as GMP/HACCP follow suit.
A discussion of electronic pest monitoring and a remote, digital rodent monitoring system, that provides 24/7, real time status alerts, for the food industry, may seem like a big leap forward. However, it was only a short time ago that many in the food industry needed to be convinced that a transition from a manual, pen and paper monitoring system of cold storage temperatures to a fully automated, 24/7 digital monitoring system with real time alerts, was needed. This is an example of technology being used in a meaningful way to eliminate the time-consuming aspect of certain important tasks and allow more time to be devoted to activities that contribute to the process of continuous improvement.
As remote and electronic monitoring systems, such as the Bayer Rodent Monitoring System (RMS), become better known and understood and their important role in elevating IPM programs more obvious, it is becoming clearer that auditing bodies will begin considering the presence of such systems in their evaluation protocols, even if formal changes to various standards lags behind.
If you are in doubt as to whether or not the next auditor, regulatory or non-regulatory, that will walk into your facility understands the role electronic rodent monitoring plays in supporting a robust food safety management program, take the lead on this important issue and raise the subject prior to your next audit.
“Food safety plan” is a term often used in the food industry to define an operation’s plan to prevent or reduce potential food safety issues that can lead to a serious adverse health consequence or death to humans and animals to an acceptable level. However, depending on the facility, their customers, and or regulatory requirements, the definition and specific requirements for food safety plans can be very different. To ensure food safety, it’s important that the industry finds consensus in a plan that is vetted and has worked for decades.
One of the first true food safety plans was HACCP. Developed in 1959 for NASA with the assistance of the food industry, its goal was to ensure food produced for astronauts was safe and would not create illness or injury while they were in space. This type of food safety plan requires twelve steps, the first five of which are considered the preliminary tasks.
Assemble a HACCP team
Describe the finished product
Define intended use and consumer
Create process and flow diagram
Verify process and flow diagrams
This is followed by the seven principles of HACCP.
Conduct the hazard analysis
Identify critical control points
Establish critical limits
Establish monitoring requirements
Establish corrective actions for deviations
Procedures for verification of the HACCP plan
Record keeping documenting the HACCP system
HACCP is accompanied by several prerequisites that support the food safety plan, which can include a chemical control program, glass and brittle plastics program, Good Manufacturing Practices (GMPs), allergen control program, and many others. With these requirements and support, HACCP is the most utilized form of a food safety plan in the world.
When conducting the hazard analysis (the first principle of HACCP), facilities are required to assess all products and processing steps to identify known or potential biological, chemical and physical hazards. Once identified, if it is determined that the hazard has a likelihood of occurring and the severity of the hazard would be great, then facilities are required to implement Critical Control Points (CCP) to eliminate or significantly reduce that identified hazard. Once a CCP is implemented, it must be monitored, corrective actions developed if a deviation in the CCP is identified and each of these are required to be verified. Records then also need to be maintained to demonstrate the plan is being followed and that food safety issues are minimized and controlled.
HACCP is, for the most part, the standard food safety plan used to meet the Global Food Safety Initiative (GFSI) standards. This is utilized in various third-party audit and customer requirements such as FSSC 22000, SQF, BRC, IFS and others. These audit standards that many facilities use and comply with also require the development of a food safety management system, which includes a food safety plan.
Further, HACCP is often used to demonstrate that potential food safety issues are identified and addressed. FDA has adopted and requires a regulated HACCP plan for both 100% juice and seafood processing facilities. USDA also requires the regulated development of HACCP for meat processing and other types of facilities to minimize potential food safety issues.
For facilities required to register with the FDA—unless that facility is exempt or required to comply with regulated HACCP—there is a new type of food safety plan that is required. This type of plan builds upon HACCP principles and its steps but goes beyond what HACCP requires. Under 21 CFR 117, specific additions assist in identifying and controlling additional food safety hazards that are on the rise. This includes undeclared allergen recalls, which constituted 47% of recalls in the last reportable food registry report published by FDA.
Prior to developing this plan, FDA provided recommendations for preliminary steps that can be completed and are essential in development of a robust food safety plan but are not a regulatory requirement. The steps are very similar to the preliminary tasks required by HACCP, including the following:
Assemble a food safety team
Describe the product and its distribution
Describe the intended use and consumers of the food
Develop a flow diagram and describe the process
Verify the flow diagram on-site
Their recommended plan also requires a number of additional steps, including:
A written hazard analysis. Conducted by or overseen by a Preventive Controls Qualified Individual (PCQI). However, this hazard analysis requires assessing for any known or reasonably foreseeable biological, chemical, physical, radiological, or economically motivated adulteration (food fraud that historically leads to a food safety issue only). You may note that two additional hazards—radiological and EMA—have been added to what HACCP calls for in the assessment.
Written preventive controls if significant hazards are identified. However, similar preventive controls are different than a CCP. There are potentially four types of preventive controls that may be utilized for potential hazards, including Process Preventive Controls (the same as CCP), Allergen Preventive Controls, Sanitation Preventive Controls, Supply Chain Preventive Controls and Others if identified.
A written supply chain program if a Supply Chain Preventive Control is identified. This includes having an approved supplier program and verification process for that program.
A written recall plan if a facility identified a Preventive Control.
Written monitoring procedures for any identified Preventive Control that includes the frequency of the monitoring what is required to do and documenting that monitoring event.
Written corrective actions for identified Preventive Controls in case of deviations during monitoring. Corrective actions must be documented if they occur.
Written verification procedures as required. This could include how monitoring and corrective actions are verified, procedures themselves are verified, and calibration of equipment as required. Also required is training, including a Preventive Control Qualified Individual. Additional training is required for those individuals responsible for performing monitoring, implementing corrective actions, and verification of Preventive Controls. Further, all personnel need to have basic food safety training and all training needs to be documented.
While the term “food safety plan” is used widely, it’s important that operations don’t just use the term, but enact a plan that is vetted, proven to work, and encompasses the principles of HACCP. Doing so will help ensure that their facility is producing foods that customers and consumers will know is safe.
SQF Q&A with Shawna Wagner, CP-FS, Food Sector Technical Manager, North America
SQF Auditor of the Year 2019
FSSC 22000 Q&A with Isabella D’Adda, DNV GL Global Food & Beverage Manager
BRCGS Q&A with Veronica Ramos, DNV GL Lead Auditor, BRCGS Auditor of the Year 2020 award winner
Can we have 100% remote audits?
Shawna Wagner (on SQF): SQF does permit conducting an audit at 100% using ICT. Audits using ICT are not mandatory. This option must be a last resort option, as full onsite and the 50/50 blended option (50% onsite and 50% remote) shall be the first options. A feasibility assessment with a certified organization is needed to verify that a full remote audit is an effective and practical option. An SQF Fully Remote Audit only applies to announced re-certification and/or surveillance audits of the SQF Food Safety and/or Quality Codes. It does not apply to initial certification audits or unannounced re-certification audits.
SQF Fully Remote Audit certification can be applied to the following SQF Codes:
SQF Food Safety Code for Food Manufacturing
SQF Food Safety Code for Storage and Distribution
SQF Food Safety Code for Manufacture of Food Packaging
SQF Food Safety Code for Primary Production
SQF Quality Code
Isabella D’Adda (on FSSC 22000): Yes, 100% remote audits are now allowed also for FSSC 22000. On the 5th of October, 2020 FSSC published a new document called “Full Remote Audit Addendum” that explains the conditions and the rules for conducting FSSC 22000 audits fully remotely. This document is valid and applicable only, when a certified organization cannot be accessed due to a serious event – as in the case of a pandemic.
The FSSC 22000 full remote audits are completed using Information and Communication Technology (ICT); these will be accredited audits, which will not be recognized by GFSI – the transparency of the certification process is always granted, that’s why the certificate that will be issued after these kind of audits will have a specific reference that a Full Remote Audit was conducted.
Before conducting a 100% remote audit, a certification body must evaluate an impact of the serious event on the current certificate and certification status, and conduct a feasibility assessment with the certified organization in order to verify that a full remote audit is an effective and practical option.
The FSSC 22000 full remote audits can be done when annual announced surveillance/periodical or recertification audits cannot take place on-site. But not for Stage 2 Initial audits. Note: even during the 100% Remote audits, auditors need to spend about 50% of the time on documents and records evaluation, and the rest of the audit time on performing video plant tours and interviews.
The addendum to the standard called “FSSC 22000 Annex 9” is still valid in cases where a certification body and an organization agree that it is more appropriate and effective to conduct an audit in two steps: document review and interviews with key personnel remotely, using information and communication technology (ICT), then audit implementation and perform verification of the food management system on-site, with a time-lapse between the two steps.
In the case of the first certification, the FSSC 22000 Annex 9 can be applied and the whole stage 1 audit can be conducted remotely, while the subsequent stage 2 audit will be conducted on-site at least within 6 months after stage 1. For all other audits, according to Annex 9, part of an audit can be conducted remotely, and the rest of the activity completed onsite, considering that the onsite audit cannot have a duration less than 1 day and shall be at least 50% of the total audit duration.
Veronica Ramos (on BRCGS): The rules have been changing recently for the BRCGS standards. These rules are published in the Position Statement BRCGS 078, 080 and 086 (www.brcgs.com) – and these are applicable only for already certified sites. Currently, all certified sites, whose certificates can be affected due to COVID-19 in respect to travel restrictions and internal rules of receiving external visitors to the sites, can opt to any of the following three options:
Request a certificate extension for six months with a COVID-19 risk assessment (see Position Statement BRCGS 072);
Request their re-certification audit with the “blended audit” modality (see Position Statement BRCGS 080) – where a remote audit (using ICT electronic systems) is combined with an on-site audit for re-certifications;
Request the new temporary modality to conduct 100% of an audit remotely (according to the Position Statement BRCGS 086).
This is only applicable for announced audits. It is considered that the best option is to conduct a regular on-site audit or to go with the blended audit option, because an auditor can have a better opportunity to confirm the level of compliance on-site. The on-site audit part should be of at least 1.0 day duration, while the remote part shall not exceed 50% of the total audit duration. Note: full (100%) remote re-certification audits must replicate the exact methodology of a regular audit, including plant tours and interviews, however, it must be first verified that electronic devices and communication means can be used successfully. Also, one should be aware that 100% remote audits are not GFSI benchmarked, but are accredited. Please contact your lead auditor or certification body for more information.
What can be audited during the remote portion?
Wagner (on SQF): For SQF we would focus mainly on Module 2 items, such as Food safety policy, Management Reviews, Approved Supplier Program, Specifications, Validations, Verifications, and Training for the 50/50 blended audit. The 100% remote audit shall include all steps associated with an SQF Systems audit including the opening and closing meetings and discussion and agreement on non-conformities.
D’Adda (on FSSC 22000): When an audit is 100% remote, the whole activity will be done using an appropriate ICT. The audit will follow the same format and organization as an on-site one and, in any case, an auditor must be able to complete the full audit against all FSSC 22000 requirements: also during these audits a possibility to do interviews with personnel must be granted, an appropriate site inspection of all production areas, facilities, storage and external areas must be completed, implementation of PRPs must be verified, documentation must be evaluated with involvement of all management and staff, who manages the food safety system.
A fully remote audit can be conducted only, when a site is operational, and production is taking place.
For FSSC 22000 fully remote audits, it is advisable to provide supporting information to an auditor before an audit takes place. Documentation, such as site maps, updated flow diagrams, a list and overview of OPRPs/CCPs, any changes, caused by a serious event, and any other supporting information regarding the production process will be useful during an audit.
For audits done 50% remotely and 50% on-site there is the following process: during the remote part, focus will be on the ISO 22000 components of the FSSC 22000 scheme and interviews with management and key personnel. An auditor will review documents and procedures, check management review with specific focus on FSMS objectives and key process performance indicators, HACCP plan, internal audits, complaints and recalls, and how these were managed, focusing on key changes since the previous audit (applicable in the case of periodic audits and re-certification).
Ramos (on BRCGS): During the remote part of a blended audit focus should be on the information included in the documents and records: an auditor would need information on implementation and maintenance of the requirements since the last audit (meaning that samples of records, which could be requested, could be for the last twelve months). Most of the BRCGS standards are color coded, clearly indicating, which are the expected requirements to be audited against on-site, and which can be audited against remotely (e.g. management review, internal audits, complaints, recalls, etc.). But as mentioned before, everything will need to be audited, if the option selected is 100% remotely.
Who should attend the remote portion?
Wagner (on SQF): We would look at this audit no differently than as if we were onsite. It would be recommended that whichever employee is responsible for the section being audited that they attend. Employees could also be interviewed during a remote audit. This should be discussed with key personnel at the opening meeting.
D’Adda (on FSSC 22000): During remote audit both management and involved key personnel shall be available to support the auditor in his/her activity. Companies should cooperate and provide adequate resources to ensure the audit is conducted successfully.
Ramos (on BRCGS): During a remote audit both management and involved key staff shall be available to support the auditor in his activity.
What documents should we have ready for the remote portion?
Wagner (on SQF): Documents would be the same as if it were an onsite audit. All documentation should be made readily available to the auditor during the time of the remote portion and/or onsite portion of the audit.
D’Adda (on FSSC 22000): The documents that should be available for the remote audit are the same, as the ones requested for ISO 22000 implementation, like context analysis, food safety management system with its defined scopes, products and processes that are included and the objectives of the FSMS, food safety policy, HACCP Plan, management review, updated internal audits and all procedures that a company has documented, which are necessary for the effectiveness of their food safety management system.
Ramos (on BRCGS): All types of documents in their latest updated version shall be readily accessible. It is up to an auditor to request documentation, which is required to fulfil the objectives of an audit within its scope. Documents could be manuals, procedures, work instructions, templates of records, and actual records.
Can we send documents ahead of time?
Wagner (on SQF): It is not required that documents be sent ahead of time, although in some cases this could be helpful for the site and the auditor. Information that is sent ahead of time would be confidential and not audited until the actual audit.
D’Adda (on FSSC 22000): It is not required to send documents ahead of time, however all documents must be prepared and available for the planned audit dates, remote or onsite. There are some organizations, which want to share information in advance and show potentially useful examples, such as master list of documents, flow diagrams, maps, or a summary of preliminary answers to key requirements/topics. This information will not be audited until the actual audit (remote or on-site) starts. Thus, this information will be handled as confidential. As a representative of a certified organization, one should know that during an audit, it is up to auditors to request certain information, which may help to get proper evidence, needed to fulfill objectives of the audit.
Ramos (on BRCGS): It is not required to send documents in advance, however there are some organizations, who want to share information beforehand to demonstrate examples, which might be useful during an audit, such as master list of documents, flow diagrams, maps, or a summary of preliminary answers to the key requirements/topics. This information will not be audited until the actual audit (remote or on-site) starts. Such information will be handled as confidential. As a certified organization, one should know that it is up to auditors to request certain information, which may help to get proper evidence, needed to fulfil the audit objectives, during an audit.
Is my information confidential?
Wagner (on SQF): All information that is sent shall be confidential and follows DNV GLs Information Security Policy.
D’Adda (on FSSC 22000): All DNV GL auditors received specific training on how to manage remote audits and treat confidential information in accordance with the DNV GL’s Information Security Policy.
Ramos (on BRCGS): All DNV GL auditors received specific training on how to manage remote audits and treat confidential information, in accordance with the DNV GL’s Information Security Policy and confidentiality agreements signed with customers.
When does the onsite portion need to happen?
Wagner (on SQF): The onsite needs to happen within 30 days of the remote portion. Both audits must occur within the 60-day audit window for SQF.
D’Adda (on FSSC 22000): In the case of fully remote audits, there won’t be an onsite auditing activity, and it will be completed using ICT equipment. In the case of an audit done partially remotely and partially on-site: FSSC has defined that the maximum timeline between a remote audit and the on-site portion shall be 30 calendar days. In the case of a serious event, this timeline can be extended to 90 calendar days, but only after a documented concession process and risk assessment have been completed by a certification body. Serious events that could lead to a postponement of the onsite portion of an audit are pandemic emergencies like Covid-19, legal proceedings, prosecutions, affecting food safety or legality, public food safety events (e.g. public recalls, calamities etc.), natural disasters (e.g. floods, fire, earthquake), war or political instability and other serious situations, like malicious hacking.
Ramos (on BRCGS): It is expected that in a blended audit the remote part is conducted first and then the on-site part, however, if logistics require that the audit is conducted in the reverse order, this is acceptable as well. The second part of a blended audit needs to happen within the following 28 calendar days, allowing enough time for a site to do a non-conformity closure (when applicable), and a re-certification decision can be issued before the expiration date of the current certificate. In exceptional justifiable circumstances, a certification body may request a concession from BRCGS for a maximum of 90 days. In the case of a 100% remote audit, the full audit shall be conducted as scheduled on consecutive full days.
SQF certification validates a contract manufacturer’s ability to produce safe, consistent, and high-quality products. It’s a mark of distinction, which can lead to more business. But to obtain SQF certification, a manufacturer must have effective quality and safety controls.
Well-known food and beverage brands will often turn to contract manufacturers to produce the quality products that their customers expect and enjoy. With their brand names on the line, these brand owners need assurance that their suppliers can deliver safe and high-quality goods and mitigate the looming threat of recalls.
How do they know if they’re working with a reliable contract manufacturer? Well, many will look to see if they hold certifications from a reputable third-party organization, such as the Safe Quality Food Institute (SQFI). In fact, one in four companies today require that their suppliers have SQF certification, making it one of the most important certifications in contract manufacturing.
SQF certification demonstrates that a supplier has met benchmarked standards—set by the Global Food Safety Initiative (GFSI)—for upholding quality and controlling food safety risks. It’s a form of validation of an organization’s ability to consistently produce safe and high-quality products. Contract manufacturers that have SQF certification are more likely to win contracts and can bid for business on a national or global scale. Thus, it presents a clear competitive advantage to those certified in the various levels of SQF certification.
Level 1: The SQF Safety Fundamentals Program is an introduction to food safety standards for small- to medium-sized food suppliers. Ideal for those with low-risk food products, the program doesn’t meet GFSI standards but establishes a foundation for doing so. Suppliers certified at this level typically sell their services to smaller, local purveyors.
Level 2: The SQF Food Safety Program follows GFSI-benchmarked food safety standards. It helps sites implement preventive food safety measures according to Hazard Analysis and Critical Control Points (HACCP) regulations, which ensure scientific analysis of microbiological, physical and chemical hazards are applied at each step of the supply chain. This level is ideal for businesses that would like to work with purveyors that require adherence to GFSI benchmarked standards.
Level 3: The SQF Food Safety and Quality Program shows an ability to not only contain safety risks through the HACCP system, but also monitor and control threats related to food quality. This highest level of certification is ideal for large-scale producers, manufacturers, food packaging facilities and distributors that have successfully deployed an SQF Food Safety Program and want to go above and beyond in their quality efforts.
While it’s the most demanding of the three, Level 3 certification is what most contract manufacturers should aspire to because it’s required by many of the world’s largest food and beverage brands. In order to attain this level of distinction, contract manufacturers need an effective way to demonstrably meet all GFSI benchmarked standards and readily access their quality data during an audit. This is where statistical process control (SPC) comes in.
The SPC Gamechanger
SPC is a proven methodology for monitoring and controlling quality during the manufacturing process. SPC enables manufacturers to chart real-time quality data against predefined control limits to identify unwanted trends and product or process variations. If there is an issue, timely alerts will notify responsible parties to take remedial action early on, preventing unsafe or poor-quality goods from entering the supply chain and triggering a recall. This establishes strong controls for food quality and safety in accordance with a Level 3 SQF Program. Audits also become a breeze, as all historical data are stored digitally in a centralized repository. Suppliers can thereby quickly and easily produce auditor-requested reports showing compliance with SQF requirements and GFSI standards.
But beyond quality monitoring and facilitating audits, SPC can deliver greater impact by providing suppliers with analytical tools useful for mining historical data for actionable insights. They can run comparative analyses of the performance of different lines, products, processes, or even sites, revealing where and how to further reduce risk, improve consistency, streamline operations, and lower production costs. In this way, SPC lends itself to a profit-positive business model—driving additional savings through process improvement while increasing new business opportunities through contracts won via SQF certification.
A Snacking Success
One contract manufacturer of savory and healthy snacks previously struggled with large variations in product quality. These inconsistencies often resulted in quality holds or process aborts that generated high waste and costs. By implementing SPC, the snack supplier was able to take advantage of a wide range of data—including incoming receiving tracking and quality inspection tracking—to finetune its production processes with effective controls for food quality and safety. In addition to a 30% reduction in customer complaints, SPC has helped the supplier realize a $1 million reduction in product waste and attain Level 3 SQF certification, the latter of which has generated continued new business from several well-known snack food brands.
This snack supplier is a clear example of SQF certification as a competitive differentiator. Working with such SQF-certified and SPC-powered contractors is important to food and beverage brands because they can protect their reputations and ensure continued customer retention by way of safe, consistent, high-quality products. Ultimately, it builds greater trust and integrity in the supply chain among companies and consumers alike.
Food defense is the effort to protect food from intentional acts of adulteration where there is an intent to cause harm. Like counterterrorism laws for many industries, the IA rule, which established a compliance framework for regulated facilities, requires that these facilities prepare a security plan—in this case, a food defense plan—and conduct a vulnerability assessment (VA) to identify significant vulnerabilities that, if exploited, might cause widescale harm to public health, as defined by the FDA. Lessons learned during the conduct of food defense vulnerability and risk assessments and the preparation of the required food defense plan are detailed throughout this three-part series of articles. Part I of this series addressed the importance of a physical security expert, insider threat detection programs, actionable process steps (APS) and varying approaches to a VA. To further assist facilities with reviewing old or conducting new VAs, Part II will touch on access, subject matter experts, mitigation strategies and community drinking water through more lessons learned from assessments conducted for the largest and most complex global food and beverage facilities.
Lesson 6: Utilization of Card Access. The FDA costs of implementing electronic access control, as reported in the Regulatory Impact Analysis document (page 25) are shown in Table 1.
Average Cost Per Covered Facility
Prohibit after hours key drop deliveries of raw materials
Electronic access controls for employees
Secured storage of finished products
Secured storage of raw materials
Cameras with video recording in storage rooms
Peer monitoring of access to exposed product (not used)
Physical inspection of cleaned equipment
Prohibit staff from bringing personal equipment
Table I. Costs of Mitigation
In our opinion, these costs may be underreported by a factor of five or more. A more realistic number for implementing access control at an opening is $5,000 or more depending on whether the wire needs to be run in conduit, which it typically would. While there are wireless devices available, food and beverage organizations should be mindful that the use of wireless devices may in some cases result in the loss of up to 50% of electronic access control benefits. This happens because doors using this approach may not result in monitored-for-alarm conditions, such as when doors are held open too long or are forced open. Some wireless devices may be able to report these conditions, but not always as reliable as hardwired solutions. Using electronic access control without the door position monitoring capability is a mistake. From a cost standpoint, even a wireless access control device would likely be upwards of $2,000 per opening.
Lesson 7: In the interest of time, and in facilities with more complex processes (which increases the work associated with the VA), plan to have quality, food safety and physical security personnel present for the duration of the VA. But also bring in operational specialists to assess each point, step or procedure for the respective operational areas. You may wish to have a quick high-level briefing for each operational group when it’s their turn to deliberate on their portion of the manufacturing operation. Proper planning can get a hybrid style VA done in one-and-a-half to three days maximum for the most complex of operations.
Lesson 8: Conduct a thorough site tour during the assessment process; do not limit your vulnerability activity to a conference room. Both internal and external tours are important in the assessment process by all members of the team. The external tour is needed to evaluate existing measures and identify vulnerabilities by answering questions such as:
Is the perimeter maintained?
Are cameras pointed correctly?
Are doors secure?
Are vehicles screened?
Are guards and guard tours effective?
Internal tours are important to validate documented HACCP points, steps or procedures.A tour also helps to validate process steps that are in multiple parts and may need to be further assessed as a KAT, for public health impact, accessibility and feasibility or to identify issues that have become “invisible” to site employees which might serve a security purpose.
Properly conducted tours measure the effectiveness of a variety of potential internal controls such as:
Use of identification measures
Use of GMP as a security measure (different colors, access to GMP equipment and clean rooms)
Effectiveness of buddy systems
Lesson 9: Do not forget the use of community drinking water in your processes. This is an easy way to introduce a variety of contaminants either in areas where water is being treated on site (even boiler rooms) or where water may sit in a bulk liquid tank with accessibility through ladders and ports. In our experience, water is listed on about half of the HACCP flow charts we assessed in the VA process.
Lesson 10: Some mitigation strategies may exist but may not be worth taking credit for in your food defense plan. Due to the record keeping requirements being modeled after HACCP, monitoring, corrective action and verification records are required for each mitigation strategy associated with an APS. This can often create more work than it is worth or result in a requirement to create a new form or record. Appropriate mitigation strategies should always be included in your food defense plan, but sometimes it produces diminishing returns if VA facilitators try to get too creative with mitigation strategies. Also, it is usually better to be able to modify an existing process or form than having to create a new one.
Lesson 11: In cases of multi-site assessments, teams at one plant may reach a different conclusion than another plant on whether an identical point, set or procedure is an APS. This is not necessarily a problem, as there may be different inherent conditions from one site to the next. However, we strongly suggest that there be a final overall review from a quality control standpoint to analyze such inconsistencies adjudicate accordingly where there is no basis for varying conclusions.
Lesson 12: If there is no person formally responsible for physical security at your site, you may have a potential gap in a critical subject matter area. Physical security measures will make at least a partial contribution to food defense. Over 30 years, we have seen many organizations deploy electronic access control, video surveillance and lock and key control systems ineffectively, which provides a false sense of security and results in unidentified vulnerability. It is as important to select the right physical security measures to deploy, but also critical to administer them in a manner that meets the intended outcome. Most companies do not have the luxury of a full-time security professional, but someone at the plant needs to be provided with a basic level of competency in physical security to optimize your food defense posture. We have developed several online training modules that can help someone who is new to security on key food defense processes and security system administration.
Lesson 13: As companies move into ongoing implementation and execution of the mitigation strategies, it is important to check that your mitigation strategies are working correctly. You will be required to have a monitoring component, correction action and verification intended for compliance assurance. However, one of the most effective programs we recommend for our clients’ food defense and physical security programs is the penetration test. The penetration test is intended to achieve continuous improvement when the program is regularly challenged. The Safe Quality Food (SQF) Institute may agree with this and now requires facilities that are SQF certified to challenge their food defense plan at least once annually. We believe that frequency should be higher. Simple challenge tests can be conducted in 10 minutes or less and provide substantial insight into whether your mitigation strategies are properly working or whether they represent food defense theater. For instance, if a stranger were sent through the plant, how long would it take for employees to recognize and either challenge or report the condition? Another test might include placing a sanitation chemical in the production area at the wrong time. Would employees recognize, remove and investigate that situation? Challenge tests are easy high impact activities; and regardless of the outcome, can be used to raise awareness and reinforce positive behaviors.
Whether training a new security officer, reviewing existing security plans or preparing for an upcoming vulnerability assessment (due July 26, 2020), these lessons learned from experienced security consultants should help to focus efforts and eliminate unnecessary steps at your facility. The final installment in this series will address broad mitigation strategies, the “Three Element” approach and food defense plan unification. Read the final installment of this series on Lessons Learned from Intentional Adulteration Vulnerability Assessments, Part III.
I attended the Safe Food California Conference last week in Monterey, California. Food fraud was not the main focus of the conference, but there was some good food fraud-related content. Craig Wilson gave a plenary session about the past, present and future of food safety at Costco. As part of that presentation, he discussed their supplier ingredient program. This program was implemented in response to the 2008 Salmonella Typhimurium outbreak in peanut paste but has direct applicability to food fraud prevention.
Food Fraud: Problem Solved? Learn more at the 2019 Food Safety Supply Chain Conference | May 29–30, 2019 | Attend in Rockville, MD or virtually Jeanette Litschewski from SQFI gave a breakout presentation on the most common SQF non-conformities in 2018. She presented data from 7,710 closed audits that cited 44,439 non-conformities. Of those, 756 were related to food fraud requirements. While this presentation was not focused on the specifics of the food fraud non-conformities, Jeanette did mention that many of them were related to broad issues such as not having completed a food fraud vulnerability assessment or appropriately documenting that each of the required factors was addressed in an assessment.
I was invited to give a breakout presentation with an overview of food fraud issues globally and a brief outline of some of the tools currently available to assist with conducting vulnerability assessments. Although many of the attendees had already began implementation of food fraud measures, there was a lot of interest in this list of tools and resources. Therefore, I am recreating the list in Table I. The focus is on resources that are either complimentary or affordable for small- and medium-sized businesses, with recognition that “full-service” and tailored consulting services are always an option.
Of course, there are quite a few companies that offer tailored tools, training and consulting services. Companies that offer courses in food fraud mitigation and assistance in creating a vulnerability assessment (or FDA-required food safety plan) include NSF, Eurofins, AIB International, SGS, and The Acheson Group.
Also available are services that compile food safety recalls and alerts (including those resulting from food fraud) from multiple official sources, such as FoodAKAI and HorizonScan. EMAlert is a proprietary tool that merges public information with user judgment to inform food fraud vulnerability. Horizon Scanning is a system that can monitor emerging issues, including food fraud, globally.
In short, there are many resources available to help support your food fraud vulnerability assessments and mitigation plans. If I have unintentionally missed mentioning any resources you have found to be helpful, please let us know in the comments.
The “GFSI in the Age of FSMA” three-part series wrapped up in early December, providing the food safety community insight on how leading GFSI schemes align with, and help prepare for, compliance with FSMA. The series was presented by SafetyChain with media partner FoodSafetyTech.
Each GFSI scheme leader from SQF, BRC and FSSC 22000 discussed how their schemes align with FSMA in several key areas, including Supply Chain Controls, migrating Food Safety Plans from HACCP to HARPC, and audit readiness. While each scheme leader provided insights and details on how their scheme aligns with FSMA, common key themes across all three sessions included:
FSMA’s focus on prevention vs. reaction is similar and aligns with GFSI’s objectives; Scheme certifications and ongoing compliance is centered around continuously assessing risks and putting preventive measures in place to mitigate those risks
GFSI’s global approach surrounding a company’s food safety program—to ensure better supply chain controls internally, upstream and downstream prepares companies to manage FSMA’s increased focus on both domestic and foreign supplier compliance
GFSI stringent documentation and recordkeeping requirements—along with unannounced audit protocols—are a strong foundation to help food and beverage companies prepare for FSMA’s “if it isn’t documented you didn’t do it” mantra
The GFSI scheme leaders also spoke about the importance and opportunity companies have to leverage technology tools to help more effectively manage the complexities and requirements of GFSI and FSMA compliance. Series participants were able to see an example of how these automation tools work and the impact they can have on managing a robust food safety program via a post session demo of SafetyChain Software.
Archived recordings of all three sessions—SQF in the Age of FSMA, featuring Robert Garfield, Senior VP, SQF; BRC in the Age of FSMA, featuring John Kukoly, Director, BRC Americas; and FSSC 22000 in the Age of FSMA, featuring Jacqueline Southee, U.S. Liaison, FSSC 22000—are available and can be accessed here.
“Over a period of time, things have changed for the corner suite, and many CEOs and presidents of corporations understand that with the media today and the way that FDA has improved its ability to focus on contamination, something needed to happen,” said Robert Garfield, senior vice president at SQFI during the recent “SQF in the Age of FSMA” webinar. “It’s not everything that we wanted…but it’s a rule that brings the regulations up to where they need to be in this century.”
GFSI leaders will be available during the Food Safety Consortium conference. On Wednesday, November 18, don’t miss the session, “The Role of Technology in Ensuring Accessible, Actionable Data to Tackle FSMA Compliance”. LEARN MOREGarfield discussed the role of SQF certification in FSMA compliance during part one of the 2015 GFSI Leadership webcast series. Hot topics included:
Foreign supplier verification program alignment
Building a food safety plan, including HACCP to HARPC migration
Being audit ready and record keeping requirements
“Farm-to-fork” and safety controls
SQF scheme changes to align with FSMA
How SQF fills in the gaps in FSMA requirements
The next webinar takes place Friday, October 30 and covers the alignment of BRC certification with FSMA. John Kukoly, director of BRC Americas, is the featured speaker. Register here for the complimentary webinar.
Strictly Necessary Cookies
Strictly Necessary Cookies should be enabled at all times so that we can save your preferences for these cookie settings.
We use tracking pixels that set your arrival time at our website, this is used as part of our anti-spam and security measures. Disabling this tracking pixel would disable some of our security measures, and is therefore considered necessary for the safe operation of the website. This tracking pixel is cleared from your system when you delete files in your history.
If you visit and/or use the FST Training Calendar, cookies are used to store your search terms, and keep track of which records you have seen already. Without these cookies, the Training Calendar would not work.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
A browser cookie is a small piece of data that is stored on your device to help websites and mobile apps remember things about you. Other technologies, including Web storage and identifiers associated with your device, may be used for similar purposes. In this policy, we say “cookies” to discuss all of these technologies.
Data generated from cookies and other behavioral tracking technology is not made available to any outside parties, and is only used in the aggregate to make editorial decisions for the websites. Most browsers are initially set up to accept cookies, but you can reset your browser to refuse all cookies or to indicate when a cookie is being sent by visiting this Cookies Policy page. If your cookies are disabled in the browser, neither the tracking cookie nor the preference cookie is set, and you are in effect opted-out.
In other cases, our advertisers request to use third-party tracking to verify our ad delivery, or to remarket their products and/or services to you on other websites. You may opt-out of these tracking pixels by adjusting the Do Not Track settings in your browser, or by visiting the Network Advertising Initiative Opt Out page.
You have control over whether, how, and when cookies and other tracking technologies are installed on your devices. Although each browser is different, most browsers enable their users to access and edit their cookie preferences in their browser settings. The rejection or disabling of some cookies may impact certain features of the site or to cause some of the website’s services not to function properly.
The use of online tracking mechanisms by third parties is subject to those third parties’ own privacy policies, and not this Policy. If you prefer to prevent third parties from setting and accessing cookies on your computer, you may set your browser to block all cookies. Additionally, you may remove yourself from the targeted advertising of companies within the Network Advertising Initiative by opting out here, or of companies participating in the Digital Advertising Alliance program by opting out here.