BY: Stacey Pisani
Comments: No Comments
Compliance risk assessment helps to identify and assess risks related to applicable regulatory requirements. Internal and external events or conditions affecting the entity’s ability to achieve objectives must be identified, distinguishing between risks and opportunities. These risks are analyzed, considering the following:
- Size of the risk – where, how big, how often/many?
- Severity of the outcome – to what extent can it impact safety, environmental, operational, financial, customer relations, regulatory compliance?
- Likelihood/probability of each risk – how likely is the occurrence of a negative outcome, considering the maturity of existing controls?
Based on this assessment, management can prioritize risks, select appropriate risk responses (avoiding, accepting, reducing, sharing), and develop a set of actions to align with the entity’s risk tolerance/appetite. An acceptable level of residual risk is considered after selected improvements and controls are applied. From there, policies and procedures can be established and implemented to help ensure the risk responses are effectively communicated so operating managers and individuals can carry out their responsibilities.
A deeper dive compliance program assessment may be performed for those risks that are identified as the company’s most significant.
Compliance Program Assessment
A compliance program assessment looks beyond “point-in-time” compliance to critically evaluate how the company manages compliance programs, processes, and activities, with compliance assurance as the ultimate goal. Capability, capacity, programs, and processes to comply are examined as part of this review. Conducting routine process and compliance audits are also key components of a compliance assurance program.
Compliance program assessment should follow a disciplined and consistent process, resulting in an effective program that guides alignment of activities to an integrated management system for sustained compliance and continuous improvement. An essential part of the assessment, audits capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices.
Compliance program assessment enables a company to define and understand:
- Compliance requirements and where regulated activities occur throughout the organization
- Current company programs and processes used to manage those activities and the associated level of program/process maturity
- Deficiencies in compliance program management and opportunities for improvement
- How to feed review recommendations back into elements of the management system to create a roadmap for sustaining and continually improving compliance
There are six phases associated with a compliance program assessment:
Phase 1 – Regulations, Requirements, and Applicability Analysis: Phase 1 focuses on identifying, organizing, validating, and understanding all of the requirements (legal or other) with which the company must comply. It provides an applicability analysis of the requirements to company operations by functional area and evaluates the associated risks. This stage engages representatives across the company who are responsible for activities subject to the requirements.
Phase 2 – Activities Analysis: This phase involves developing an inventory/profile of all company activities that may trigger the requirements identified in Phase 1. It asks the question, “What activities does the company carry out that are covered by the requirements?”
Phase 3 – Desired Compliance Program Standard: Establishing the company’s expectations for compliance program processes and controls—the desired condition—is essential. This “to-be” standard integrates management system principles into compliance program management. Programs should examine relative risks and ensure that risk-based priorities are being set.
Phase 4 – Actual Compliance Program Condition: In contrast to the desired standard identified in Phase 3, Phase 4 is about describing the company’s current compliance program. It defines how the company performs the activities outlined in Phase 3 (along with who, when, and where)—the “as-is” condition. This is done in the same framework as the desired standard in order to compare them in the next phase.
Phase 5 – Gap Analysis: The gap analysis compares actual compliance program management against the desired standard. It evaluates compliance program management processes, controls, and maturity to determine if they are good as is, need improvement, or are missing. These gaps and opportunities provide the basis for the improvement actions developed in Phase 6.
Phase 6 – Improvement Actions: Phase 6 moves the process along to developing action plans and an approach for ongoing management review that will guide the compliance program development and improvement activities. Compliance program management review is established at the end of this last phase. If there is a management system in place, program review information and action plan tracking can be integrated into that management system.
As a whole, this process will help companies evaluate the degree to which:
- Compliance goals and objectives are set and communicated by management.
- Hazards and risks are identified, sized, and assessed, including an inventory of activities subject to the compliance requirements and the relative risks.
- Existing controls are adequate and effective, recognizing, and addressing changed conditions.
- Plans are in place to address risks not adequately covered by existing controls.
- Plans and controls are resourced and implemented.
- Controls are documented and operationalized across functions and work units.
- Personnel know and understand the controls and expectations, and are engaged in their design and improvement.
- Controls are being monitored with appropriate metrics and compliance auditing and assurance.
- Information system is sufficient to support management system-required functions (e.g., document management and control, action tracking, notifications, training tracking, task calendaring, metrics reporting). Information dashboards can be used for reports to management.
- Deficiencies are being addressed by corrective/preventive action and are being tracked to completion.
- Processes, controls, and performance are being reviewed by management for ongoing improvement, including the maintenance and continual improvement of the integrated management system.
Are you registered for the PROCESS EXPO’s special food safety training courses? Find out why you should be!
Join Kestrel Principals Bill Bremer & Roberto Bellavia and our team of food safety experts on Tuesday, September 10 for a sneak peek into the special food safety training courses being offered as part of PROCESS EXPO 2019. You’ll get an overview of the courses, what you can expect to learn, and why each of these courses is so important to companies operating in the food industry.
Tuesday, September 10, 2019
1:00-2:00 pm CDT
Food Safety Training Courses
This FDA training is designed to help industry, particularly small- and medium-sized companies, to comply with the new preventive controls rules. The following supplemental food safety training courses will be featured at PROCESS EXPO from Monday, October 7 – Wednesday, October 9 and highlighted in the September 10 webinar.
Preventive Controls for Animal Food
This 2.5-day course is being made available in response to FDA’s final rule requiring covered animal food facilities to establish and implement an animal food safety system that includes an analysis of hazards and implementation of risk-based preventive controls. Completing this course meets FSMA requirements for a PSQI.
Foreign Supplier Verification Program (FSVP) Training
This 2.5-day course will provide participants with the knowledge to implement the requirements of the Foreign Supplier Verification Program (FSVP) for Importers of Food for Humans and Animals regulation of FDA’s FSMA. The FSVP course meets FSMA compliance, and FPSA certificates will be issued upon successful completion of the course.
HACCP is a systematic preventive approach to food safety from biological, chemical and physical hazards in production processes that can cause the finished product to be unsafe and designs measures to reduce these risks to a safe level. This is a certified 2-day course based on Global Codex and GFSI requirements.
Produced by the Food Processing Suppliers Association (FPSA), PROCESS EXPO is the nation’s largest trade show dedicated to bringing the latest technology and integrated solutions to all segments of the food and beverage processing and packaging industry.
McCormick Place | Chicago, Illinois
A well-designed and well-executed compliance assurance program provides an essential tool for improving and verifying business performance and limiting compliance risks. Ultimately, however, a compliance program’s effectiveness comes down to whether it is merely a “paper program” or whether it is being integrated into the organization and used in practice on a daily basis.
The following can show evidence of a living, breathing program:
- Comprehensiveness of the program
- Dedicated staff and resources
- Employee knowledge and engagement
- Management commitment and employee perception
- Internal operational inspections, “walkabouts” by management
- Independent insider, plus third-party audits
- Program tailoring to greatest risks
- Consistency and timeliness of exception (noncompliance/nonconformance) disclosures
- Tracking of timely and adequate corrective/preventive action completion
- Progress and performance monitoring
To achieve a compliance assurance program on par with world-class organizations, there are a number of best practices that companies should employ:
Know the requirements. This means maintaining an inventory of regulatory compliance requirements for each compliance program, as well as of state/local/contractual binding agreements applying to operations. It is vital that the organization keep abreast of current/upcoming requirements (federal, state, local).
Plan and develop the processes to comply. Identify and assess compliance risks, and then set objectives and targets for performance improvement based on top priorities. From here, it becomes possible to then define program improvement initiatives, assign and document responsibilities for compliance (who must do what and when), develop procedures and tools, and then allocate resources to get it done.
Assure compliance in operations. The organization needs to establish routine checks and inspections within departments to evaluate conformance with sub-process procedures. Process audits should be designed and implemented to cut across operations and sub-processes in order to evaluate conformance with company policies and procedures. Regulatory compliance audits should further be conducted to address program requirements (e.g., environmental, safety, mine safety, security). Audit performance must be measured and reported, and the expectations set for operating managers to take responsibility for compliance.
Take action on issues and problems. Capture, log and categorize noncompliance issues, process nonconformances, and near misses. Implement a corrective/preventive action process based on the importance of issues. Be disciplined in timely completion, close-out, and documentation of all corrective/preventive actions.
Employ management of change (MOC) process. Robust MOC processes help ensure that changes affecting compliance (to the facility, operations, personnel, infrastructure, materials, etc.) are reviewed for their impacts on compliance. Compliance should be assured before the changes are made. Failure to do so is one of the most common root causes of noncompliance.
Ensure management involvement and leadership. Set the tone at the top. The Board of Directors and senior executives must set policy, culture, values, expectations, and goals. It is just as important that these individuals are the ones to communicate across the organization, to demonstrate their commitment and leadership, to define an appropriate incentive/disincentive system, and to provide ongoing organizational feedback.
Maintaining Ongoing Compliance
The compliance assurance program must be a living, breathing program. As risks change, the program must be refreshed, refined, and redeployed. A management system framework can help ensure operational sustainability. A management system drives the auditing process and helps companies say what they will do, do what they say and, importantly, verify it.
Together, there is a real value at the intersection of a compliance assurance program and management systems. Management systems define the internal controls that are in place to reduce risks, prevent losses, and sustain and improve performance over time through the Plan-Do-Check-Act (PDCA) cycle of continual improvement.
Testing and Monitoring
Testing, monitoring, and measuring are crucial elements of this cycle. Without them, it is difficult to understand what is working and what needs improvement. Robust testing and monitoring programs can serve as early warning systems for identifying potential compliance risks before they become enforcement issues.
Compliance should be tested and monitored throughout each level of the organization. A strong testing program will evaluate the results of the compliance risk assessment and assign compliance risks to the business units and processes where they are most likely to occur, creating clear lines of responsibility and accountability. Key risks and the related controls should be tested periodically using statistically valid sampling methodologies, and monitoring activities should be performed on an ongoing basis. Doing so produces trend data that provides the rationale needed for making changes to underlying business processes, as well as emerging risks.
Ongoing compliance excellence relies on top management, operations managers, EHS personnel, and individual employees throughout the organization working together to build and sustain an organizational culture that places compliance on par with business performance. Senior management must focus on the overall culture of the company in terms of taking the necessary steps to reduce risk and make prevention part of daily operations. While it may be impossible to eliminate all risk exposure, a solid risk framework, assessment methodology, and compliance assurance program can help to prioritize risks for active management, sustained compliance, and positive business impacts.
About 100 years ago, when nutrition labeling first began in a modest form, the purpose was to provide basic ingredient information about the product to protect the consumer. Fast forward to today and the goal of nutrition labels has grown beyond just protection. Now, those labels are intended to protect and to help guide consumers in their food choices. Labels are designed to provide facts for nutrients that impact common health concerns, such as weight control, diabetes and high blood pressure.
Nutrition Labeling and Education Act (NLEA)
The Nutrition Labeling and Education Act (NLEA) was signed into law in 1990. The Act requires most foods to contain nutrition labeling. In addition, it requires all nutrient content claims (i.e., high fiber, low fat, etc.) and health claims be consistent with Food and Drug Administration (FDA) regulations. Compliance with the nutrition labeling regulations is based on the date the product was labeled, as opposed to the date the product is offered for entry into interstate commerce.
NLEA requires information in the following four areas:
- Nutrition Facts Panel
- Ingredient List
- Allergen Statements
- Nutrition Content Claims
Uniform Compliance Dates
It is not uncommon for FDA to issue regulations that sometimes require changes in food labeling. To minimize the economic impacts of responding separately to each change, in 1996 the FDA introduced the concept of uniform compliance dates. The uniform compliance date establishes a final compliance deadline for all new food labeling requirements that are established within a specific time period. Most recently, the FDA established January 1, 2022, as the uniform compliance date for food labeling regulations that are published on or after January 1, 2019, and on or before December 31, 2020.
Note that the FDA sets compliance dates other than the uniform compliance date, when necessary, such as the final rules for Nutrition Facts labels for packaged foods, as described below.
Nutrition Facts Labels
All foods sold in packages are required to have a food label. On May 27, 2016, the FDA published final rules on the new Nutrition Facts panel for packaged foods to reflect updated scientific information, including the link between diet and chronic diseases (e.g., obesity and heart disease). As mentioned above, this label is intended to help guide consumers in making more informed food choices.
These labels come with their own deadlines that are separate from the uniform compliance dates that FDA has established:
- January 1, 2020 for manufacturers with > $10 million in annual sales
- January 1, 2021 for manufacturers with < $10 million in annual food sales
- July 1, 2021 for manufacturers of single-ingredient sugars, such as honey, maple syrup and certain cranberry products
Nutrition labeling can be complex and confusing, particularly for first-time food manufacturers. There are very specific requirements that must be addressed to remain compliant not only with FDA requirements, but also with many vendors who require verification of labeling compliance as a condition of doing business (e.g., Amazon, Wal-Mart, Costco).
The following label components must be developed and then continually reviewed to identify which labels need further modification and to ensure ongoing compliance:
- Nutrition Facts Panel is included on all packaging in a place where it can easily
be seen by consumers. The panel includes the following:
- Serving size and servings per container, per FDA guidelines
- Calories per serving
- Nutrient values of the following:
- Total fat (saturated and trans fats)
- Total carbohydrates (dietary fibers and sugars)
- Vitamin A
- Vitamin C
- Ingredient List must include all ingredients and sub-ingredients present in the product in the order of predominance by weight in the product.
- Allergen Statements present a high-risk area, as they alert the consumer to the
presence of one of more of the top eight allergens:
- Crustacean shellfish
- Tree nuts
- Nutrition Content Claims include statements such as low fat, high fiber, low sodium, and can help a company positively market food products. However, these claims must be checked, as each has specific requirements established by the FDA.
In addition, any required instructions for making/preparing the product should be reviewed to ensure they are accurate and properly convey key steps in the process.
At the most basic level, non-compliance can result in products being pulled from store shelves. However, there are other implications to also consider:
- Improper labeling may impact a company’s ability to supply product to larger retailers with specific requirements.
- It can destroy the integrity of a company who makes false product claims or provides inaccurate nutritional information.
- It can result in legal action if inaccuracies present high risks (e.g., allergen statements, nutritional claims).
To ensure compliance, the food manufacturer must assume responsibility for the following—or work with an experienced food labeling consultant who can:
- Keep track of the most current regulatory requirements, as well as uniform compliance dates (and any other established compliance dates).
- Develop product labeling to ensure labels include the required information.
- Regularly review product labeling to identify any modifications to maintain compliance, particularly due to regulatory changes.
- Preserve the integrity of the company by ensuring consumers are provided with accurate information regarding all products.
Kestrel has worked with food manufacturers/producers in most food categories including baking, candy/confection, meats/proteins, specialty foods, grains flavors, and many others to help meet FDA and large product retailer food labeling requirements. Join Kestrel at the PROCESS EXPO, as we discuss this topic and others during our special food safety training courses this October in Chicago.
BY: Stacey Pisani
Comments: No Comments
Virtually every regulatory program—environmental, health & safety, security, food safety—has compliance requirements that call for companies to fulfill a number of common compliance activities. While they do not necessarily need to be addressed all at once or from the start, considering the eight functions of compliance (as outlined below) when designing a compliance Information Management System (IMS) helps define the starting point and build a vision for the “end point” when planning IMS improvements. These compliance functions translate into modules—facility profiles, employee counts, training tracking, corrective action tracking, auditing tasks, compliance calendars, documents and records management, permit tracking, etc.—that are instrumental in establishing or improving a company’s capability to comply.
8 Functions of Compliance
- Inventory means taking stock of what exists. The outcome of a compliance inventory is an operational and EHS profile of the company’s operations and sites. In essence, the inventory is the top filter that determines the applicability of regulatory requirements and guides compliance plans, programs, and activities. For compliance purposes, the inventory is quite extensive, including (but not limited to) the following:
- Activities and operations (i.e., what is done – raw material handling, storage, production processes, fueling, transportation, maintenance, facilities and equipment, etc.)
- Functional/operational roles and responsibilities (i.e., who does what, where, when)
- Hazardous materials
- Discharges (operational and stormwater-related)
- Safety practices
- Food safety practices
- Authorizations, permits & certifications provide a “license to construct, install, or operate.” Most companies are subject to authorizations/permits at the federal, state, and local levels. Common examples include air permits, operating permits, Title V permits, safe work permits, tank certifications, discharge permits, construction authorization. In addition, there may be required fire and building codes and operator certifications. Once the required authorizations, permits, and/or certifications are in place, some regulatory requirements lead companies to the preparation and updating of plans as associated steps.
- Plans are required by a number of regulations. These plans typically outline compliance tasks, responsibilities, reporting requirements, schedule, and best management practices to comply with the related permits. Common compliance-related plans may include SPCC, SWPPP, SWMP, contingency, food safety management, and security plans.
- Training supports the permits and plans that are in place. It is crucial to train employees to follow the requirements so they can effectively execute their responsibilities and protect themselves, company assets and communities. Training should cover operations, safety, security, environment, and food safety aimed at compliance with regulatory requirements and company standards and procedures.
- Practices in place involve doing what is required to follow the terms of the permits, related plans and regulations. These are the day-to-day actions (regulatory, best management practices, planned procedures, SOPs, and work instructions) that are essential for following the required processes.
- Monitoring & inspections provide compliance checks to ensure locations and operations are functioning within the required limits/parameters and the company is achieving operational effectiveness and performance expectations. This step may include some physical monitoring, sampling, and testing (e.g., emissions, wastewater). There are also certain regulatory compliance requirements for the frequency and types of inspections that must be conducted (e.g., forklift, tanks, secondary containment, outfalls). Beyond regulatory requirements, many companies have internal monitoring/inspection requirements for things like housekeeping, sanitation, and process efficiency.
- Records provide documentation of what has been done related to compliance—current inventories, plans, training, inspections, and monitoring required for a given compliance program. Each program typically has recordkeeping, records maintenance, and retention requirements specified by type. Having a good records management system is essential for maintaining the vast number of documents required by regulations, particularly since some, like OSHA, have retention cycles for as long as 30 years.
- Reports are a product of the above compliance functions. Reports from ongoing implementation of compliance activities often are required to be filed with regulatory agencies on a regular basis (e.g., monthly, quarterly, semi-annually, annually), depending on the regulation. Reports also may be required when there is an incident, emergency, recall, or spill.
Reliable Compliance Performance
Documenting procedures on how to execute these eight functions, along with management oversight and continual review and improvement, are what eventually get integrated into an overarching management system (e.g., environmental, health & safety, food safety, security, quality). The compliance IMS helps create process standardization and, subsequently, consistent and reliable compliance performance.
In addition, completing and organizing/documenting these eight functions of compliance provides the following benefits:
- Helps improve the company’s capability to comply on an ongoing basis
- Establishes compliance practices for when an incident occurs
- Creates a strong foundation for internal and 3rd-party compliance audits and for answering outside auditors’ questions (agencies, customers, certifying bodies)
- Helps companies know where to look for continuous improvement
- Reduces surprises and unnecessary spending on reactive compliance-related activities
- Informs management’s need to know
- Enhances confidence of others (e.g. regulators, shareholders/investors, insurers, customers), providing evidence of commitment, capability, reliability and consistency in the company’s compliance program
In May 2016, FDA issued its final rule on Mitigation Strategies to Protect Food Against Intentional Adulteration (IA). This rule requires covered facilities to prepare and implement food defense plans. The first compliance date—for businesses with sales of $10 million or more per year and more than 500 full-time equivalent employees—is July 26, 2019. (Note that small businesses have until 2020 and very small businesses have until 2021.)
Just as important, FDA has announced it will begin routine inspections to verify compliance with the IA rule in March 2020. Given those dates, compliance with this rule should be a top priority for the approximately 3,400 impacted firms that operate 9,800 food facilities.
Requirements: Food Defense Plan
Let’s start by defining food defense and why it is so important. According to FDA, “Food defense is the effort to protect food from acts of intentional adulteration.” Intentional adulteration is any act where there is an intent to cause wide-scale public health harm, including acts of terrorism. As such, the rule is designed to primarily cover larger facilities with products that reach many people.
At its most basic level, the IA rule requires every covered facility to prepare and implement a food defense plan. The food defense plan incorporates four major elements:
- The vulnerability assessment identifies those areas in the process that pose the greatest IA risks. Each step in the facility’s process should be evaluated for the following:
- Potential severity and scale of the impact on the public
- Physical access to the product
- Ability to successfully alter/contaminate the product
- Facilities must develop and implement mitigation/preventive strategies at each step in the process to address vulnerabilities and minimize the risks of IA.
- A system must be put in place to ensure implementation of mitigation strategies and to effectively manage the following:
- Monitoring mitigation strategies, including frequency
- Corrective action response
- Verification activities
- Appropriate recordkeeping must be maintained for food defense monitoring, corrective actions, and verification, and key personnel must receive appropriate training.
Kestrel’s previous article on the Four A’s of Food Defense outlines a proactive approach to food defense that will help meet a key requirement by ensuring the organization is working to avoid the risks associated with food adulteration and contamination.
In addition, when conducting an assessment of food defense, IA, and generally accepted industry vulnerability, threats, and controls, Kestrel suggests completing a mock exercise scenario. This allows companies to:
- Assess their food defense and IA programs under FSMA;
- Test to confirm their program’s integrity, as documented and implemented; and
- Conduct vulnerability scenarios to verify, validate, and make improvements.
The following areas should be addressed in the assessment, strategies, and plan information:
- Key activities
- Transportation and distribution
- Management and personnel
A key aspect is also review of and improvements to training programs for all employees based on responsibility, recordkeeping process, management objectives, and program monitoring.
This activity provides the information needed to develop and implement an effective and compliant food defense and IA program under FSMA. Additionally, it can provide verification of the site’s programs, corrective actions to be implemented, and the necessary records of compliance.
Piece of the Puzzle
Food defense is a big piece of the FSMA puzzle. According to Kestrel Food Safety Principal Bill Bremer, “We have included food defense in virtually all of our program development activities this year for GFSI (all schemes) and now FSMA.” Kestrel has worked with over 400 food sites in passing audits and inspections that have included general or focused food defense and IA management programs in food categories including baking, candy/confection, meat, flavor/ingredients, grain, flour, packaging/contact materials, beverages, beans, chemicals, dietary supplements, commissary/catering, and more.
Doing so directly aligns with FDA’s requirements for companies to assess risk and implement preventive controls on a broad basis. Thinking about risk-based strategies—whether in the supply chain or internal systems or whether you are a grower or an importer—is key for any food company planning for the future. Preventive strategies are the essence of FSMA and HACCP. Proactively creating or updating a food defense and safety plan is the first step to ensure compliance.
Join Kestrel at the PROCESS EXPO, as we discuss this topic and others during our special food safety training courses this October in Chicago.
Before food can be imported into the U.S., it is subject to FDA inspection. These inspections are intended to ensure food imports are safe, sanitary, and properly labeled. While important in maintaining food safety, this process can be long and onerous. The Voluntary Qualified Importer Program (VQIP) was created by FDA to expedite this process.
What Is VQIP?
In essence, VQIP acts as the “TSA line” for food into the U.S. The voluntary program allows foreign suppliers to get expedited entry for their food products into the U.S., provided importers meet all eligibility criteria, including offering food from a facility certified under FDA’s accredited third-party program (see below).
Why Is VQIP Important?
There are a number of reasons a U.S. importer might choose to participate in VQIP, including the following:
- Enables expedited entry into the U.S. for all foods included in an approved application.
- Limits examination and/or sampling to “for cause” situations in which there is a potential threat to public health; any sampling or examination is done at destination or another location chosen by the importer and laboratory analysis of any samples is expedited.
- Provides assurance that a foreign supplier complies to FSMA rules, avoiding the need to further assess the supplier.
- Incentivizes importers to adopt a robust system of supply chain management.
- Moves any perishable or short shelf-life product through the border quickly.
For foreign suppliers, there are also several benefits:
- Reduces the extra work of proving status as it relates to compliance to FSMA rules.
- Opens doors to new clients by making it easier for a U.S. importer to choose certified products versus a non-certified competitor.
Beyond that, VQIP further benefits public health by allowing FDA to focus its resources on food entries that pose a higher risk to public health.
What Are the Eligibility Requirements?
A company must be a food importer to participate in VQIP (i.e., a person/entity that brings food or causes food to be brought from a foreign country into the U.S.). In addition, the following criteria must be met on the importer and the foreign supplier sides:
- Have 3+ years history of importing food to the U.S.
- Have a Dun & Bradstreet Data Universal Number System (DUNS) number (used as a unique identifier number)
- Use paperless filers/brokers who have received acceptable results during their last FDA Filer Evaluation
- Do not have any food you import subject to detention under an Import Alert or Class 1 recall
- Do not have any ongoing FDA administrative or judicial action, or other history of non-compliance with food safety regulations by the importer, other entities in the supply chain, or food
- Are in compliance with supplier verification and other importer responsibilities under the applicable FSVP or HACCP (i.e., juice, seafood) regulations
- Have not been the subject of any CBP penalties, forfeitures, or sanctions related to the safety or security of any FDA-regulated product imported or offered for import
- Have current facility certification, including farms, issued under FDA’s Accredited Third-Party Certification regulations for each foreign supplier of food in VQIP (see below)
- Develop and implement a Quality Assurance Program (QAP) (see below)
What Is Foreign Supplier Facility Certification?
VQIP is regulated by the FSMA rule on Accredited Third-Party Certification. This is a voluntary, fee-based program for the recognition of third-party auditors to conduct food safety audits and issue certifications of foreign sites and the foods they produce. An accredited third-party can perform audits against the Food, Drug and Cosmetics (FD&C) Act and other FDA applicable regulations, and issue a certificate attesting compliance.
Foreign suppliers must have a facility certification, which would be issued following a regulatory audit conducted by an accredited third-party certification body. This audit attests that the foreign supplier complies with applicable food safety requirements of the FD&C Act and FDA regulations. Note that certifications are not required for Foreign Supplier Verification Program (FSVP) and Preventive Controls rules.
What Is Included in the QAP?
According to the FDA, the VQIP QAP includes all the written policies and procedures the facility will use to ensure adequate control over the safety and security of foods being imported. The QAP should include the following information:
- Corporate quality policy statement relating to food safety and security throughout the supply chain
- Organizational structure, as well as functional responsibilities for those implementing the VQIP QAP
- Food safety policies and procedures to be implemented to ensure food safety from source to entry into the U.S.
- Food defense policies and procedures to ensure compliance with FDA’s intentional adulteration regulation
- Qualification requirements for employees responsible for implementing the VQIP QAP (e.g., knowledge of regulations, understanding of the QAP)
- Procedures for implementing your VQIP QAP
- Procedures for establishing and maintaining records regarding the structure, processes, procedures and implementation of the QAP
How Do I Become Part of VQIP?
Importers must apply between January 1 and May 31 annually to be considered for VQIP. The VQIP fiscal year/benefit period is between October 1 and September 30, following application approval. Participants must submit an application every year; however, you may use data from the previous year’s application.
FDA will conduct a VQIP inspection to verify that you meet all eligibility criteria and have fully implemented food safety and food safety defense systems, as established in your QAP. FDA may also:
- Conduct an FSVP inspection
- Request a copy of food labels for those foods included in the application
- Ask you to submit supporting documentation (e.g., hazard analysis, lab results, food labels)
Additional information on VQIP and the application process can be found on the FDA website.
The ultimate responsibility for food safety lies with food service providers and their ability to develop and maintain effective food safety management systems. Currently, there is a shift in the emphasis of hazard analysis and preventive controls related to both Process Safety Management (PSM) and Hazard Analysis and Critical Control Points (HACCP). This is of particular concern for the food industry, where many regulations include both EHS and food safety requirements.
Many food operations fall under both PSM and HACCP requirements. In general, PSM is bulk chemical-centric for food operations, while HACCP is food safety risk-centric for maintaining food purity. (Common chemicals subject to both include anhydrous ammonia for cooling and chlorine for sanitation of product and processes. In addition, many large food processing types include process aids at levels under PSM.)
Changing regulations and the increased emphasis on hazard analysis require the food industry to develop well-documented and managed programs that address both PSM and HACCP using common approaches:
- Better use of organizational resources
- Standard programs
- Training efficiency and effectiveness
- Shared knowledge and approaches
- More effective and aligned hazard analysis management
PSM is a key risk management practice that must be implemented for qualifying plants. PSM is covered in the recent Executive Order focused on modernization of high-risk sites and, as a result, is under greater scrutiny with regulator focus and recent events. While PSM is a highly visible requirement, it is currently not widely inspected and reviewed—though that may be changing. PSM generally entails a more event-driven inspection by interested parties other than the company. As a growing area of focus and concern, PSM will require plants to reassess and, potentially, update systems and operations to meet requirements.
HACCP, on the other hand, is widely implemented for food processing and is expanding with high visibility. HACCP is the historic requirement providing the accepted food safety plan for some food industries. HACCP is rapidly being advanced with FSMA and GFSI-level requirements, but requirements have not been fully established based on FSMA rulemaking. The complexity of programs is rapidly increasing, while the level of food industry sectors is expanding to include all food contact, packaging, GRAS, and distribution and transportation companies.
Hazard Analysis Methods
The hazard analysis methods under PSM and HACCP are similar but different:
- Process Hazard Analysis (PHA) is associated with high-risk chemicals or materials, and is required for compliance with PSM. A PHA is designed to protect people and the environment from specific hazards. PHA methods vary based on an organization’s determination of the best method for their situation. These methods are directed to the overall process and operating condition by the process step. PHA focuses largely on equipment, instrumentation, utilities, human actions, and external factors that might impact the process. It involves an organized, systematic analysis of potential hazards to improve safety and reduce the potential consequences of those hazards.
- Hazard Analysis and Preventive Control (HAPC) is associated with food safety risk under Hazard Analysis and Risk-based Preventive Controls (HARPC) and is an aspect of HACCP. HAPC is a growing regulatory compliance requirement related to food safety plans (FDA and USDA) that focuses on process, equipment, contamination, procedures, and control points. HAPC involves an organized and systematic analysis of potential risks to food and food materials to improve the purity of food during processing/handling by reducing contamination.
PHA and HAPC are required for facilities, as determined by the regulations, and include the following common requirements:
- Develop preventive control plan
- Perform hazard analysis for foreseeable hazards (written)
- Conduct “what-if” scenarios, rating, and ranking
- Identify and implement preventive controls, as well as intentional hazards and controls
Under both PSM and HACCP, all plans and records may be subject to inspections. Failures to act may be interpreted as willful non-conformance or probable cause for expanded inspection.
Companies subject to PSM and HACCP need to consider other related regulatory requirements, as well. This relationship in itself is key under GFSI.
- Maintain evidence
- Conduct development programs and hazard analysis adequately
- Establish programs to ensure preventive controls
- Conduct training
- Validate and verify programs, completed forms
- Record all key information relevant periods
- PSM-level inspections can be part of incident follow-up or planned OSHA or NEP inspections; there is state registering of PSM inspections.
- HACCP will be part of mandatory FDA inspections, by any qualified agency to FSMA, and required under GFSI; customers may also require HACCP as part of their supplier programs.
- Cleanup and Catch-up
- Monitor effectiveness
- Establish corrective actions
- Verify programs and preventive controls
- Monitor and support SOPs/GMPs
- Diligently follow and record Management of Change (MOC)
In addition, hazardous materials and communication are key for both EHS and FDA, as well as areas like air quality, water quality, sanitation, and blood borne pathogen/bodily fluids.
The Right Resources
A higher level of compliance requires plans to be reassessed and, subsequently, the resources to reassess them. For many, once programs are developed, they are put into “maintain” mode. Historical knowledge isn’t captured or is lost to turnover.
Beyond that, PSM and HACCP both require that “qualified individuals” develop and manage these systems. Qualified individuals include a designated lead with certain experience and qualifications, as outlined in the requirements. Availability of resources is almost always an issue, as maintaining systems with just one person is very difficult, especially given organizational change.
Keeping qualified resources at the proper certification is difficult. New employees are now typically required to provide both oversight and operational capability. The mix of education, work experience, and certification are all important. The growing approach is to maintain teams with alternates to supplement the leads and to provide coverage for all situations, including daily/weekly schedules. This is an area that must be continually monitored and subjected to corrective action.
The following tips will help to effectively align PSM and HACCP programs and strategies, and provide for efficient compliance with both regulatory programs:
- Establish plans to assess existing programs
- Apply continuous improvement (Plan-Do-Check-Act)
- Take inventory of qualified resources
- Align qualified personnel to PSM and HACCP teams
- Use a sub-team approach to ensure the necessary level of participation and backup
- Maintain multi-year strategy, planning, and training
- Establish a cleanup and catch-up approach for hazard analysis activities to move forward
- Use continuous improvement to maintain validated and verified programs
The Global Food Safety Initiative (GFSI) relies on a number of benchmarked schemes to establish food safety requirements; all are designed to ensure the quality and safety of a company’s products. In order to become certified to one of these GFSI-recognized schemes, a company must undergo a third-party audit by a certified auditor. Kestrel’s experience conducting these audits has revealed that companies who successfully achieve certification demonstrate a number of common attributes—regardless of their chosen scheme:
- Corrective and preventive actions are up-to-date and current.
- Continuous improvement/root cause analysis process is in place to make ongoing improvements and to ensure final resolutions to all out-of-control issues or non-conformances to the Food Safety Program.
- Premises, facility, and building programs are established and operating, including controls, signage, direction, job training, and physical evidence of a fully implemented Food Safety Program.
- Preventive maintenance system links scheduled maintenance to Hazard Analysis & Critical Control Points (HACCP) critical equipment monitoring requirements.
- Approved materials and process specifications are managed and controlled.
- Product identification and traceability processes are in place, including complete records detailing all activities for the production of food product.
- Document management and control program is updated, validated, and maintained. Developing program management systems helps ensure compliance with document management and control.
- Food safety program updates and management are completed through annual and multi-year planning for maintaining the Food Safety Program, including management of change, management review, approvals, and internal audit.
- Records and verification management systems provide access to supporting data, as determined by FDA/FSMA and company programs.
- Data management of food safety records outlines processes for assuring prompt or immediate access to critical records, as needed, for audit, compliance, or regulatory purposes.
A management system is the organizing framework that enables companies to achieve and sustain their operational and business objectives through a process of continuous improvement. A management system is designed to identify and manage risks—safety, environmental, quality, business continuity, food safety (and many others)—through an organized set of policies, procedures, practices, and resources that guide the enterprise and its activities to maximize business value.
The management system addresses:
- What is done and why
- How it is done and by whom
- How well it is being done
- How it is maintained and reviewed
- How it can be improved
Creating an Effective and Valuable Management System
Each company’s management system reflects its unique culture, vision, and values. To be effective and valuable, the management system must be tailored and focused on how it can enhance the business performance of the organization. It must also be:
- Useful to people in the operations
- Intuitive—organized the way operations people think
- Flexible—making use of methods and tools as they are developed and documented
- Valuable from the outset—addressing the most critical risks and processes
- Linked to the business of the business (not “pasted on”), with ownership at the operational level
- A means to better align operational quality, safety, and environment with the business
Attributes of an effective management system are senior management expectations and guidance coupled with employee engagement. Importantly, a management system involves a continual cycle of planning, implementing, reviewing, and improving the way in which safety, quality, and environmental obligations and objectives are met. In its simplest form, this involves implementing the Plan, Do, Check, Act/Adjust (P-D-C-A) cycle for continuous improvement.
Auditing for Ongoing Compliance
The connection between management systems and compliance is vital in avoiding recurring compliance issues and in reducing variation in compliance performance. In fact, reliable and effective regulatory compliance is commonly an outcome of consistent and reliable implementation of a management system.
Conducting periodic audits is a practical way to test a management system’s implementation maturity and effectiveness. One of the many advantages of audits is that they help identify gaps so that corrective/preventive actions can be put into place and then sustained and improved through the management system.
Audits also help companies with continuous improvement initiatives; properly developed audit programs help measure results over time. To achieve best value, audits should emphasize finding patterns that can yield opportunities for learning and continual improvement, rather than “gotchas” for exceptions that are discovered.
Management System Standards
Several options are available for structuring management systems, whether they are certified by third-party registrars and auditors, self-certified, or used as internal guidance and for potential certification readiness.
The International Organization for Standardization (ISO) standards are some of the most commonly applied. The ISO standards for quality (ISO 9001), environment (ISO 14001), health & safety (ISO 45001), business continuity (ISO 22301), and food safety (FSSC 22000) have consistent elements, allowing organizations to more easily align their various management systems. Aligned management systems help companies to achieve improved and more reliable quality, environmental, and health & safety performance, while adding measurable business value.
Companies can become certified to each of the standards discussed above. Certification has a number of benefits, including the following:
- Meet customer or supply chain requirements
- Use outside drivers to maintain management system process discipline (e.g., periodic risk assessment, document management, compliance evaluation, internal audits, management review)
- Take advantage of third-party assessment and recommendations
- Improve standing with regulatory agencies (e.g., USEPA, OSHA, FDA, and state programs)
- Demonstrate the application of industry best practice in the event of incidents/accidents requiring defense of practices
However, if there is no market or other business driver, certification can lead to unnecessary additional cost and effort regarding management system development. Certification in itself does not mean improved performance—management system structure, operation, and management commitment determine that.
There are a number of reasons to implement a management system. A properly designed and implemented management system brings value to organizations in a number of ways:
- Risk management
- Identify risks
- Set priorities for improvement, measurement, and reporting
- Provide great opportunity to identify, share, and learn best practices, while recognizing operational differences
- Protection of people
- Send people home the way they arrived at work
- Protect the public and the environment
- Compliance assurance
- Improve and sustain regulatory compliance
- Business value
- Continually improve quality, environmental, and safety performance across the organization (employee, public, equipment, infrastructure)
- Reduce incident costs and accrued liabilities
- Protect assets
- Assure processes, methods, and practices are in place, documented, and consistently applied
- Reduce variability in processes and performance
- Employee engagement
- Help employees to find and use current versions of all procedures and documents
- Provide a ready reference for field management to structure location-specific procedures
- Enable the effective transfer of standards, methods, and know-how in employee training, new job assignments, and promotions