Since it was launched in May 2000 following a number of major food safety scares, the Global Food Safety Initiative (GFSI) has aimed to “provide continuous improvement in food safety management systems to ensure confidence in the delivery of safe food to consumers worldwide.”
GFSI is not a scheme in itself, nor does it carry out any accreditation or certification activities. Rather, a benchmarked scheme (e.g., BRC, SQF, IFS, FSSC 22000) is recognized by GFSI when it meets the minimum food safety requirements, as set out in the GFSI Guidance Document.
Strategy for Certification
Companies have the flexibility to choose which GFSI-recognized scheme they want to adopt, and can achieve certification through a successful third-party audit. Under GFSI’s concept of “once certified, accepted everywhere,” certification to any GFSI-recognized scheme is accepted by many international, national, and regional retailers and suppliers.
The following factors should be considered to ensure a successful GFSI strategy:
- Adequate knowledge of the GFSI standards (e.g., BRC, SQF, IFS, FSSC 22000) and how they work within food manufacturing and packaging companies
- Ability to use and implement document and records management and control
- Training to implement the chosen standard and ongoing training in the standard/key program areas, including Hazard Analysis and Critical Control Points (HACCP) and internal audit
- Meeting the building requirements of the GFSI standard
- An integrated pest management system that meets the requirements of the standard
- Dedicated role of a qualified plant sanitarian
- A strategy that includes management commitment and allocation of budgets and resources
- Proper management review meetings and records
- Compliant food safety and security
- A corrective and preventive action (CAPA) process that meets the requirements of the standard
- Approved supplier programs
- Control of non-conforming product through disposal
- Change management and acceptance by the organization
- Product specifications that meet the requirements of the standard
- Sanitation and chemical control programs
- Deviation and variance tracking, reporting, and response
- Product and raw material storage
- Food-level Good Manufacturing Practices (GMPs), operating prerequisites, and compliance
- Calibration of measurement devices
- Emergency response and contingency plans
The GFSI system provides a high degree of confidence that food safety management systems are adequately designed, implemented, and maintained. Certified companies tend to be more efficient and profitable and have more effective shared risk management tools for brand protection. Ultimately, certification results in improved consumer confidence, simpler buying, and safer food throughout the supply chain.
Kestrel is pleased to be growing our resources to the food industry with the addition of Senior Consultant Melody Ge.
Melody brings a diverse background to the Kestrel team. She started her career in product development, including production and quality control of a vegan “chicken meat” product. She then transitioned to a Compliance Specialist at SQF Institute, where she established and developed the SQFI Compliance Program, maintained the integrity of the SQF certification, and developed the SQF Code.
Immediately prior to joining Kestrel, Melody served in a number of quality management and business development roles at Lidl, an international grocery chain. As the Deputy Quality Assurance Director, she oversaw suppliers, food safety control, and product quality monitoring and management to maintain quality and safety of product routine tasks.
At Kestrel, Melody will be serving as project manager for food safety-related projects. She will be supporting clients in developing and implementing GFSI schemes and supplier approval programs, and sharing her expertise in GFSI, FSMA, FSVP, HACCP, GMP, SQF, IFS, FSSC 22000, and ISO.
Melody holds a Master’s Degree in Food Science from the University of Maryland, College Park, and a Bachelor’s Degree in Food Science and Technology from Shanghai Ocean University, and is fluent in English, Mandarin/Cantonese Chinese, French, and German. She is a member of the Institute of Food Technology (IFT) and holds certificates in HACCP, Extrusion Processing and Technology and Commercialization, and Commercially Sterile Packaged Foods.
This year (2017), most U.S. companies that source food from foreign sources will be obligated to adopt and follow the Food Safety Modernization Act (FSMA) Foreign Supplier Verification Program (FSVP) requirements. Under the FSVP, these new imperatives require companies to assess their foreign supply chain of food production and implement new programs to meet and achieve compliance. These programs must be implemented and ready for inspection under FDA FSMA enforcement by the compliance date. For many companies, that date was May 30, 2017.
Effective May 30, 2017, impacted companies are expected to follow the FSMA FSVP legal requirements or face a disruption in supply, business impacts, possible fines, and penalties. In short, this requires that companies ensure that receipt of foreign food includes the necessary information to be adequately inspected and verified.
Key areas to demonstrate FSVP compliance include the following:
- Determine the receipt information under FSVP to verify approval of each shipment of each product by lot identity.
- Confirm the existing information that may already be required for each shipment, including COA by product lot and FDA registration number (with expiration date).
- Document the actual site of manufacture of the foreign-supplied product, including the location, contact information, operator, and Qualified Individual overseeing the Food Safety Plan.
- Require declarations with each shipment stating that the supplier is in good standing with FDA and their foreign government’s food safety regulations. Provide a list of all programs under FSMA (Food Safety Plan and Section 17 cGMPs) with each shipment under an authorized signature.
- Include any additional information that is required under the FSVP that adequately confirms compliance to the company’s program, product requirements, and FSMA.
- Establish and maintain receipt records on all information that can be accessed and inspected at the request of inspection authorities for at least two years.
At first glance, the FSVP requirements seem basic—foreign supplied food product is approved by meeting the FDA requirements and the requirements of U.S. companies receiving these products. It looks to be the same as existing supplier qualifications for U.S.-supplied food product.
However, the FSVP rule provides much information on “what” is required of companies but not “how” or how to validate and verify these programs. Many FSMA training programs, including the FDA-funded FSPCA, really do not provide a level of guidance for companies to develop and meet the anticipated inspection process, which could include shipments stopped at a foreign port or at the U.S. port of entry. Concurrently, established importers have programs to communicate import shipments based on the requirements prior to FSMA and the FSVP, but many have expressed confusion in determining the changes now required.
Leading up to the May 30th compliance date, many companies of all sizes and scale began to seek ways to best establish their programs to meet the full regulatory requirement. Much of the focus has been on establishing practices that informally address what is really required under the FSVP while making a casual determination of compliance. Other companies have developed programs consistent with the procedural requirements of the FSVP rule, as published.
Some companies have taken the requirements to an extreme by determining new supplier requisite information for each shipment to prove compliance. This has resulted in generating a significant amount of information for each shipment by each product. This level of information is not what FSMA intended. Much of the required information for FSVP is already in the established supplier qualification program and must be maintained but is not required in its entirety with each shipment. In fact, there are issues with the approach of requiring all information with each foreign supply shipment, including:
- Sheer volume of information
- Time required to assemble the information
- Inability of inspectors to assess all the information for compliance
All of this leads to the confusing situation that exists in the market today concerning the FSMA FSVP, where compliant practices have not been developed and newly established requirements have not been tested by enforcement. As a result, reports indicate that many foreign suppliers of varying company size, scale, and sophistication are not openly willing to respond without clear, simple instructions from their U.S. customers.
Establishing Reasonable Plans
Ultimately, many of the FSVP practice requirements will be developed and refined through the regulatory inspection actions of the rule. That being said, the industry cannot wait. Companies need to have reasonable plans established for all current shipments being made under the FSVP.
Companies should focus on the more fundamental aspects of the FSVP—those requirements that must be verified, recorded, and evident in the documents supporting all foreign shipments of food product under the rule. This information does not need to include the entire policy manual but select summary information.
An important consideration involves understanding how this law is expected to be inspected. Knowing this provides a basis to develop and implement an effective program. The premise is that the foreign shipments may not be stopped for inspection at the border level, but that inspections will more commonly occur at the receiving party location of the product shipment at delivery to their U.S. locations. Regulators will expect to inspect verified, recorded, and legal receipt of the foreign-supplied food product.
Areas to focus on to ensure compliance with the FSVP requirements include the following:
Receipt of FSVP Products. Focus on verification of the necessary information for receipt of FSVP products based on the law and the company’s defined program. This does not mean all program information but information that adequately meets the level required for compliance.
Shipment Information for Receiving Records. Establish lists of shipment information for all shipments, which includes all products being received under FSVP, as summary forms with current and validated information. Summary information that can be effectively inspected as part of and aligned with the shipping paperwork will provide the necessary information as part of an FSVP receiving record.
Compliance Actions. Establish procedures and work instructions to ensure that compliant practices are approved, verified, and meet the minimum requirements. This will include modifying some existing documents and forms that are specifically required under the FSVP. This level of approved summary information must reflect the documented policies and procedures developed in the company’s FSMA Food Safety Plan and FSVP.
Internal Programs. Maintain internal programs, with oversight verification conducted diligently. All required information must be accounted for and records must be completed and maintained with a high level of accuracy and integrity. Verification must include oversight and multi-level signed approval.
BY: Stacey Pisani
This is the fifth in a series of five articles on developing and maintaining a world-class compliance assurance program.
A well-designed and well-executed compliance assurance program provides an essential tool for improving and verifying business performance and limiting compliance risks. Ultimately, however, a compliance program’s effectiveness comes down to whether it is merely a “paper program” or whether it is being integrated into the organization and used in practice on a daily basis.
The following can show evidence of a living, breathing program:
- Comprehensiveness of the program
- Dedicated staff and resources
- Employee knowledge and engagement
- Management commitment and employee perception
- Internal operational inspections, “walkabouts” by management
- Independent insider, plus third-party audits
- Program tailoring to greatest risks
- Consistency and timeliness of exception (noncompliance/nonconformance) disclosures
- Tracking of timely and adequate corrective/preventive action completion
- Progress and performance monitoring
To achieve a compliance assurance program on par with world-class organizations, there are a number of best practices that companies should employ:
Know the requirements. This means maintaining an inventory of regulatory compliance requirements for each compliance program, as well as of state/local/contractual binding agreements applying to operations. It is vital that the organization keep abreast of current/upcoming requirements (federal, state, local).
Plan and develop the processes to comply. Identify and assess compliance risks, and then set objectives and targets for performance improvement based on top priorities. From here, it becomes possible to then define program improvement initiatives, assign and document responsibilities for compliance (who must do what and when), develop procedures and tools, and then allocate resources to get it done.
Assure compliance in operations. The organization needs to establish routine checks and inspections within departments to evaluate conformance with sub-process procedures. Process audits should be designed and implemented to cut across operations and sub-processes in order to evaluate conformance with company policies and procedures. Regulatory compliance audits should further be conducted to address program requirements (e.g., environmental, safety, mine safety, security). Audit performance must be measured and reported, and the expectations set for operating managers to take responsibility for compliance.
Take action on issues and problems. Capture, log and categorize noncompliance issues, process nonconformances, and near misses. Implement a corrective/preventive action process based on the importance of issues. Be disciplined in timely completion, close-out, and documentation of all corrective/preventive actions.
Employ management of change (MOC) process. Robust MOC processes help ensure that changes affecting compliance (to the facility, operations, personnel, infrastructure, materials, etc.) are reviewed for their impacts on compliance. Compliance should be assured before the changes are made. Failure to do so is one of the most common root causes of noncompliance.
Ensure management involvement and leadership. Set the tone at the top. The Board of Directors and senior executives must set policy, culture, values, expectations, and goals. It is just as important that these individuals are the ones to communicate across the organization, to demonstrate their commitment and leadership, to define an appropriate incentive/disincentive system, and to provide ongoing organizational feedback.
Maintaining Ongoing World-Class Compliance Assurance Program
The compliance assurance program must be a living, breathing program. As risks change, the program must be refreshed, refined, and redeployed. A Management System framework can help ensure operational sustainability. A Management System drives the auditing process and helps companies say what they will do, do what they say and, importantly, verify it.
Together, there is a real value at the intersection of a compliance assurance program and Management Systems. Management Systems define the internal controls that are in place to reduce risks, prevent losses, and sustain and improve performance over time through the Plan-Do-Check-Act (PDCA) cycle of continual improvement.
Testing and Monitoring
Testing, monitoring, and measuring are crucial elements of this cycle. Without them, it is difficult to understand what is working and what needs improvement. Robust testing and monitoring programs can serve as early warning systems for identifying potential compliance risks before they become enforcement issues.
Compliance should be tested and monitored throughout each level of the organization. A strong testing program will evaluate the results of the compliance risk assessment and assign compliance risks to the business units and processes where they are most likely to occur, creating clear lines of responsibility and accountability. Key risks and the related controls should be tested periodically using statistically valid sampling methodologies, and monitoring activities should be performed on an ongoing basis. Doing so produces trend data that provides the rationale needed for making changes to underlying business processes, as well as emerging risks.
Ongoing compliance excellence relies on top management, operations managers, EHS personnel, and individual employees throughout the organization working together to build and sustain an organizational culture that places compliance on par with business performance. Senior management must focus on the overall culture of the company in terms of taking the necessary steps to reduce risk and make prevention part of daily operations. While it may be impossible to eliminate all risk exposure, a solid risk framework, assessment methodology, and compliance assurance program can help to prioritize risks for active management, sustained compliance, and positive business impacts.
Each year, Kestrel looks forward to the Food Safety Summit as one of the premier events in the food industry for networking with other food professionals, hearing about industry trends, and learning practical information to bring back to our food industry clients.
Kestrel is proud to provide our ongoing support for the manufacture, processing, and distribution of safe food, and to be taking an active role in the Summit again this year!
Food Safety Summit Expo & Conference
May 8-11, 2017
Donald Stephens Convention Center
Connect with Kestrel
Stop by to visit with Kestrel representatives at our booth (#708). We are happy to also welcome special guests from Grainger to our booth, who will be on-hand to discuss their solutions. We look forward to talking further about your food safety needs and how Kestrel might be of assistance.
BY: Stacey Pisani
This is the fourth in a series of five articles on developing and maintaining a world-class compliance assurance program.
Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. An audit is typically part of a broader compliance assurance program and can cover some or all of the company’s legal obligations, policies, programs, and objectives.
There are a number of third-party auditing standards that offer guidelines for ensuring accurate, complete, and reliable EHS audits, including:
- The Board of Environmental, Health, and Safety Auditing Certifications (BEAC) Standards, 2008
- ISO 19011 Auditing Guidelines, 2002
- Auditing Roundtable Standards, 1993
- USEPA Auditing Policy, 1986, 2000
- Institute of Internal Auditors Standards, 1997
Companies come in a variety of sizes with a range of different needs, so auditing standards remain fairly flexible. There are, however, a number of audit program elements and best practices that can help ensure a comprehensive audit program:
Goals. Establishing goals enables recognition of broader issues and can lead to long-term preventive programs. This process allows the organization to get at the causes and focus on important systemic issues. It pushes and guides toward continuous improvement. Goal-setting further addresses the responsibilities and obligations of the Board of Directors for audit and oversight and elicits support from stakeholders.
Scope. The scope of the audit should be limited initially (e.g., compliance and risk) to what is manageable and to what can be done very well, thereby producing performance improvement and a wider understanding and acceptance of objectives. As the program is developed and matures (e.g., management systems, company policy, operational integration), it can be expanded and, eventually, shift over time toward systems in place, prevention, efficiency, and best practices.
Committed resources. Sufficient resources must be provided for staffing and training and then applied, as needed, to encourage a robust auditing program. Resources also should be applied to EHSMS design and continuous improvement. It is important to track the costs/benefits to compare the impacts and results of program improvements.
Operational focus. All facilities need to be covered at the appropriate level, with emphasis based on potential EHS and business risks. The operational units/practices with the greatest risk should receive the greatest attention (e.g., the 80/20 Rule). Vendors/contractors and related operations that pose risks must be included as part of the program. For smaller, less complex and/or lower risk facilities, lower intensity focus can be justified. For example, relying more heavily on self-assessment and reporting of compliance and less on independent audits may provide a better return on investment of assessment resources.
Audit team. A significant portion of the audit program should be conducted by knowledgeable auditors (independent insiders, third parties, or a combination thereof) with clear independence from the operations being audited and from the direct chain of command. For organizational learning and to leverage compliance standards across facilities, it is good practice to vary at least one audit team member for each audit. Companies often enlist personnel from different facilities and with different expertise to audit other facilities. Periodic third-party audits further bring outside perspective and reduce tendencies toward “home-blindness”.
Most common options for compliance audit team design include the following:
- Facility-based EHS Team
  - Advantages – awareness of operations and specific facility EHS regulated activities
  - Disadvantages – lack independence and objective outside perspective; may have some responsibilities for activities audited; likely to have limited regulatory expertise needed; likelihood of significant inconsistencies and variability from facility to facility
  - Best use – routine and frequent inspections and monitoring, including progress checks on completion of corrective actions arising from other audits; desirable to have staff from other facilities participate on audit team; auditors should not audit their own departments or operations; may conduct and submit to corporate annual facility compliance self-assessments and assurance statements by facility management
- Independent Inside EHS Team
  - Typically, from corporate headquarters (may include facility EHS representatives from other facilities)
  - Advantages – improved independence from operations; likely to provide regulatory know-how and multi-facility perspective; consistency in audit methods and content likely across facilities
  - Disadvantages – can be subject to limited independence and internal business pressures; may have limited perspective on best industry practices from outside organization; may not have up-to-date regulatory requirements awareness
  - Best use – dedicated corporate EHS lead auditor(s) supported by subject matter experts on audit team; EHS personnel from other facility(s) participate on team for cross-facility learning; audit protocols maintained to be current; audits conducted annually at higher risk facilities; team review of facility self-assessments at lower risk facilities
- Third-Party Independent Audit Team
  - Advantages – organizational independence; outside perspective and experience with compliance practices of other companies; auditor credentials and up-to-date awareness of audit methods and regulatory requirements; ability to bring specialized know-how, as needed; must meet client expectations for deliverable quality and timeliness
  - Disadvantages – may not have organizational standing to ensure necessary cooperation and openness of auditees
  - Best use – periodic audit of the company’s audit program and process (5-year cycle); periodic compliance audits of selected facilities (3-year cycle), including auditing the completion of corrective actions initiated as a result of internal audits by corporate team; audits of company’s management system as part of compliance audits; done under attorney-client privilege
Audit frequency. There are several levels of audit frequency, depending on the type of audit:
- Frequent: Operational (e.g., inspections, housekeeping, maintenance) – done as part of routine EHSMS day-to-day operational responsibilities
- Periodic: Compliance, systems, actions/projects – conducted annually/semi-annually
- As needed: For issue follow-up
- Infrequent: Comprehensive, independent – conducted every three to four years
Differentiation methods. Differentiating identifies and distinguishes issues of greatest importance in terms of risk reduction and business performance improvement. The process for differentiating should be as clear and simple as possible; a system of a priority rating and ranking is widely understood and agreed. The rating system can address severity levels, as well as probability levels, in addition to complexity/difficulty and length of time required for corrective actions.
Legal protection. Attorney privilege for audit processes and reports is advisable where risk/liability are deemed significant, especially for third-party independent audits. To the extent possible, make the audit process and reports become management tools that guide continuous improvement. Organizations should follow due diligence elements of the USEPA audit policy.
Procedures. Describe and document the audit process for consistent, efficient, effective, and reliable application. The best way to do this is to involve both auditors and those being audited in the procedure design. Audit procedures should be tailored to the specific facility/operation being audited. Documented procedures should be used to train both auditors and those accountable for operations being audited. Procedures can be launched using a pilot facility approach to allow for initial testing and fine-tuning. Keep procedures current and continually improve them based on practical application. Audits include document and record review (corporate and facility), interviews, and observations.
Protocols & tools. Develop specific and targeted protocols that are tailored to operational characteristics and based on applicable regulations and requirements for the facility. Use “widely accepted or standard practice” as go-by tools to aid in developing protocols (e.g., ASTM site assessment standards; ISO 14010 audit guidance; audit protocols based on EPA, OSHA, MSHA, Canadian regulatory requirements; GEMI self-assessment tools; proprietary audit protocol/tools). As protocols are updated, the ability to evaluate continuous improvement trends must be maintained (i.e., trend analysis).
Information management & analysis. Procedures should be well-defined, clear, and consistent to enable the organization to analyze trends, identify systemic causes, and pinpoint recurring problem areas. An analysis should prompt communication of issues and differentiation among findings based on significance. Audit reports should be issued in a predictable and timely manner. It is desirable to orient the audit program toward organizational learning and continual improvement, rather than a “gotcha” philosophy. “Open book” approaches help learning by letting facility managers know in advance what the audit protocols are and how the audits will be conducted.
Verification & corrective action. Corrective actions require corporate review, top management-level attention, and management accountability for timely completion. A robust root cause analysis helps to ensure not just correction/containment of the existing issue, but also preventive action to assure controls are in place to prevent the event from recurring. For example, if a drum is labeled incorrectly, the corrective action is to relabel that drum. A robust plan should also look for other drums that might be labeled incorrectly and add and communicate an effective preventive action (e.g., training or posting signs showing a correctly labeled drum).
Action item closure. Address repeat findings. Identify patterns and seek root cause analysis and sustainable corrections.
Training. Training should be done throughout the entire organization, across all levels:
- Auditors are trained on both technical matters and program procedures.
- Management is trained on the overall program design, purpose, business impacts of findings, responsibilities, corrections, and improvements.
- Line operations are trained on compliance procedures and company policy/systems.
Communications. Communications with management should be done routinely to discuss status, needs, performance, program improvements, and business impacts. Communications should be done in business language—with business impacts defined in terms of risks, costs, savings, avoided costs/capital expenditures, benefits. Those accountable for performance need to be provided information as close to “real time” as possible, and the Board of Directors should be informed routinely.
Leadership philosophy. Senior management should exhibit top-down expectations for program excellence. EHSMS quality excellence goes hand-in-hand with operational and service quality excellence. Learning and continuous improvement should be emphasized.
Roles & responsibilities. Clear roles, responsibilities, and accountabilities need to be established. This includes top management understanding and embracing their roles/responsibilities. Owners of findings/fixes also must be clearly identified.
Funding for corrective actions. Funding should be allocated to projects based on the significance of risk exposure (i.e., systemic/preventive actions receive high priority). The process should incentivize proactive planning and expeditious resolution of significant problem areas and penalize recurrence or back-sliding on performance and lack of timely fixes.
Performance measurement system. Audit goals and objectives should be nested with the company business goals, key performance objectives, and values. A balanced scorecard can display leading and lagging indicators. Metrics should be quantitative, indicative (not all-inclusive), and tied to their ability to influence. Performance measurements should be communicated and widely understood. Information from auditing (e.g., findings, patterns, trends, comparisons) and the status of corrective actions often are reported on compliance dashboards for management review.
Degree of business integration. There should be a strong link between programs, procedures, and methods used in a quality management program—EHS activities should operate in patterns similar to core operations rather than as ancillary add-on duties. In addition, EHS should be involved in business planning and MOC. An EHSMS should be well-developed and designed for full business integration, and the audit program should feed critical information into the EHSMS.
Accountability. Accountability and compensation must be clearly linked at a meaningful level. Use various award/recognition programs to offer incentives to line operations personnel for excellent EHS performance. Make disincentives and disciplinary consequences clear to discourage non-compliant activities.
Deployment plan & schedule. The best practice combines the use of pilot facility audits, baseline audits (to design programs), tiered audits, and a continuous improvement model. Facility profiles are developed for all top priority facilities, including operational and EHS characteristics and regulatory and other requirements.
Relation to best practices. Inventory best practices and share/transfer them as part of audit program results. Use best-in-class facilities as models and “problem sites” for improvement planning and training. The figure illustrates an audit program that goes beyond the traditional “find it, fix it, find it, fix it” repetitive cycle to one that yields a real understanding of root causes and patterns. In this model, if the issues can be categorized and are of wide scale, the design of solutions can lead to company-wide corrective and preventive measures. This same method can be used to capture and transfer best practices across the organization. They are sustained through the continual review and improvement cycle of an EHSMS and are verified by future audits.
In our fifth and final article in this series, we talk about compliance program best practices and what it takes to maintain an ongoing world-class compliance assurance program.
The Food Safety Modernization Act (FSMA) includes new requirements for food site inspections. Beyond that, the Act increases the frequency of established inspections. For example, FSMA mandates that high-risk facilities must be inspected within five years of enactment and no less than every three years following the initial inspection. The Act also requires inspection of at least 600 foreign facilities initially and double that number every year for the next five years. Routine inspections from FDA and other enforcement agencies will continue based on schedules to be communicated.
With FSMA rules moving to the compliance stage, food companies must prepare to best respond to the requirements and, correspondingly, to additional inspections beyond GFSI or as part of customer requirements.
Inspectors will focus heavily on new requirements and the “letter of the law”. Therefore, a well-established inspection program and response that is implemented and tested will help to achieve the most favorable outcome. This is an important area to address, especially given the many changes in compliance under FSMA, greater scrutiny under GFSI, and a rapidly changing responsibility for food safety management resources. It is critical to have established roles, planning, and testing as part of any inspection readiness program.
As reported, the FDA is underfunded to conduct the scheduled inspection of food operations under FSMA. While many inspections will be administered by the FDA, which will continue to expand internal resources, some local agencies are already under contract for conducting inspections that will be much more detailed than visits from them in the past.
These local regulatory agencies, including state health departments, are providing the “boots on the ground” to conduct inspections for direct compliance under FSMA or as a means of communicating more serious issues to the FDA. Based on recent experience, more critical issues are being raised to the FDA level for final action.
Roles and Responsibilities
Regardless of a company’s experience with FDA compliance audits, the new rules and Section 117 cGMPs will require more formalized programs and strong evidence of compliance through internal audits and oversight by Qualified Individuals. Additionally, organizations under the FSMA Preventive Control Rule must have multiple Food Safety Plan Qualified Individuals, Qualified Auditors, competent sanitation management, and competent plant operators. Ultimately, all food company employees must be prepared for their roles in an FDA compliance inspection.
As preparation for FDA inspections, companies must establish a program to best address an inspection. The focus must be on compliance to FDA, FSMA, and internal requirements—with the inspection providing this for the company in question. The biggest concern is gaps in compliance or known non-compliances; however, with FSMA there is no tolerance or excuse for ignorance.
A response procedure should be well-orchestrated to meet and respond to the representative of the FDA or the agency visiting the site for an FDA inspection. Along with the immediate response to any inspection (including those planned and those unplanned), food companies should consider the following:
- Completely develop an FSMA Food Safety Plan to ensure that it is aligned with a possible audit and includes reference to all supporting programs, cGMPs, resource qualifications, and records. The plan must be developed under the oversight, validation, and verification of a preventive controls Qualified Individual, as trained, qualified and designated.
- Have the most appropriate organizational structure (i.e., with Qualified Individuals, Qualified Auditor, sanitation leads and food plant operators) to meet FSMA resources and minimize the organizational impacts.
- Regularly review the FSMA Food Safety Plan as part of a general and management review process, including the internal audit by the Qualified Auditor, to ensure the up-to-date compliance of the Plan.
- Review all records to maintain verification requirements for FSMA, as required by Section 117. Ensure that all records are complete, validated, and verified.
- Conduct mock regulatory inspections to ensure readiness and understanding of the responsibilities of each employee based on their roles in the process. This should include following the program and confirming all actions, roles, and responsibilities. All improvements from this process should be updated into programs and implemented for possible inspection purposes.
- Ensure compliance with all other regulatory requirements, including FSMA Sanitary Transportation, Foreign Supplier Verification, site registration, and any other related regulatory requirements.
- Confirm compliance with Management of Change (MOC) to ensure that all building, equipment, and process changes are reflected in current Food Safety Plans and Section 117 cGMPs. This must include product-level specifications, including packaging, ingredients, and processing.
- Document and update review and mock drills of regulatory inspection programs with any non-conformances addressed as quickly as possible. Consider the process for verifying the inspector’s credentials, opening the session, and ensuring that all required personnel or backups are onsite in the case of an inspection. In cases where all cannot be present or for outside contacts, ensure availability of ownership, corporate compliance management, and designated legal counsel.
Compliance with both FSMA and GFSI requirements means fully conforming with the other. A non-conformance to the GFSI food safety system represents a potential FSMA violation; correspondingly, lack of conformance to FSMA can be a non-conformance to GFSI certification. Criminal violations for non-compliance to FSMA begin with misdemeanor charges starting at $250,000 and up to one year in jail. With these consequences on the line, the importance of FDA inspections must be taken very seriously.
BY: Stacey Pisani
All types of business and operational processes demand a variety of audits and inspections to evaluate compliance with standards—ranging from government regulations to industry codes, to system standards (i.e., ISO), to internal corporate requirements.
Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices.
By combining effective auditing program design, standardized procedures, trained/knowledgeable auditors, and computerized systems and tools, companies are better able to capture and analyze audit data, and then use that information to improve business performance. Having auditing software of some sort can greatly streamline productivity and enhance quality, especially in industries with many compliance obligations.
The following tips can help ensure that companies are getting the most out of their auditing process:
- Have a computerized system. Any system is better than nothing; functional is more important than perfect. The key is to commit to a choice and move forward with it. Companies are beginning to recognize the pitfalls of “smart people” audits (i.e., an audit conducted by an expert + notebook with no protocols or systems). While expertise is valuable, this approach makes it difficult to compare facilities and results, is not replicable, and provides no assurance that everything has been reviewed. A defined system and protocol helps to avoid these pitfalls.
- Invest time before the audit. The most important time in the audit process is before the audit begins. Do not wait until the day before to prepare. There is value in knowing the scope of the audit, understanding expectations, and developing question sets/protocol. This is also the time to ensure that the system collects the data desired to produce the final report.
- Capture data. Data is tangible. You can count, sort, compare and organize data so it can be used on the back end. Data allows the company to produce reports, analytics, and standard metrics/key performance indicators.
- Don’t forget about information. Information is important, too. The information provides descriptions, directions, photos, etc. to support the data and paint a complete picture.
- Be timely. Reports must be timely to correct findings and demonstrate a sense of urgency. Reports serve as a permanent record and begin the process of remediation. The sooner they are produced, the sooner corrective actions begin.
- Note immediate fixes. During the audit, there may be small things uncovered that can be fixed immediately. These items need to be recorded even if they are fixed during the audit. Unrecorded items “never happened”. Correspondingly, it is important to build a culture where individuals are not punished for findings, as this can result in underreporting.
- Understand the audience. Who will be reading the final report? What do they need to know? What is their level of understanding? Not all data presentation is useful. In fact, poorly presented data can be confusing and cause inaction. It is important to identify key data, reports desired, and the ways in which outputs can be automated to generate meaningful information.
- Compare to previous audits. The only way to get an accurate comparison is if audits have a common scope and a common checklist/protocol. Using a computerized system can ensure that these factors remain consistent. Comparisons reinforce and support a company’s efforts to maintain and improve compliance over time.
- Manage regulatory updates. It is important to maintain a connection to past audits and the associated compliance requirements at the time of the audit. Regulations might change and that needs to be tracked. Checklists, however, may remain the same. Companies should have a process for tracking regulatory updates and making sure that the system is updated appropriately.
- Maintain data frequency. For data, the frequency is key. Consider what smaller scope, higher frequency audits look like. These can allow the company to gather more data, involve more people, and improve the overall quality and reliability of reports.
A well-designed and well-executed auditing program—with analysis of audit data—provides an essential tool for improving and verifying business performance. Audits capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. And using a technology tool or system to manage the audit makes that information even more useful.
BY: Stacey Pisani
This is the third in a series of five articles on developing and maintaining a world-class compliance assurance program.
Compliance risk assessment helps to identify and assess risks related to applicable regulatory requirements. Internal and external events or conditions affecting the entity’s ability to achieve objectives must be identified, distinguishing between risks and opportunities. These risks are analyzed, considering the following:
- Size of the risk – where, how big, how often/many?
- Severity of the outcome – to what extent can it impact safety, environmental, operational, financial, customer relations, regulatory compliance?
- Likelihood/probability of each risk – how likely is the occurrence of a negative outcome, considering the maturity of existing controls?
Based on this assessment, management can prioritize risks, select appropriate risk responses (avoiding, accepting, reducing, sharing), and develop a set of actions to align with the entity’s risk tolerance/appetite. An acceptable level of residual risk is considered after selected improvements and controls are applied. From there, policies and procedures can be established and implemented to help ensure the risk responses are effectively communicated so operating managers and individuals can carry out their responsibilities.
A deeper dive compliance program assessment may be performed for those risks that are identified as the company’s most significant.
Compliance Program Assessment
A compliance program assessment looks beyond “point-in-time” compliance to critically evaluate how the company manages compliance programs, processes, and activities, with compliance assurance as the ultimate goal. Capability, capacity, programs, and processes to comply are examined as part of this review. Routine process and compliance audits are also key components of a compliance assurance program.
Compliance program assessment should follow a disciplined and consistent process, resulting in an effective program that guides alignment of activities to an EHSMS for sustained compliance and continuous improvement. An essential part of the assessment, audits capture regulatory compliance status, EHSMS conformance, adequacy of internal controls, potential risks, and best practices.
Compliance program assessment enables a company to define and understand:
- Compliance requirements and where regulated activities occur throughout the organization
- Current company programs and processes used to manage those activities and the associated level of program/process maturity
- Deficiencies in compliance program management and opportunities for improvement
- How to feed review recommendations back into elements of the EHSMS to create a roadmap for sustaining and continually improving compliance
There are six phases associated with a compliance program assessment:
Phase 1 – Regulations, Requirements, and Applicability Analysis: Phase 1 focuses on identifying, organizing, validating, and understanding all of the requirements (legal or other) with which the company must comply. It provides an applicability analysis of the requirements to company operations by functional area and evaluates the associated risks. This stage engages representatives across the company who are responsible for activities subject to the requirements.
Phase 2 – Activities Analysis: This phase involves developing an inventory/profile of all company activities that may trigger the requirements identified in Phase 1. It asks the question, “What activities does the company carry out that are covered by the requirements?”
Phase 3 – Desired Compliance Program Standard: Establishing the company’s expectations for compliance program processes and controls—the desired condition—is essential. This “to-be” standard integrates Management System principles into compliance program management. Programs should examine relative risks and ensure that risk-based priorities are being set.
Phase 4 – Actual Compliance Program Condition: In contrast to the desired standard identified in Phase 3, Phase 4 is about describing the company’s current compliance program. It defines how the company performs the activities outlined in Phase 3 (along with who, when, and where)—the “as-is” condition. This is done in the same framework as the desired standard in order to compare them in the next phase.
Phase 5 – Gap Analysis: The gap analysis compares actual compliance program management against the desired standard. It evaluates compliance program management processes, controls, and maturity to determine if they are good as is, need improvement, or are missing. These gaps and opportunities provide the basis for the improvement actions developed in Phase 6.
Phase 6 – Improvement Actions: Phase 6 moves the process along to developing action plans and an approach for ongoing management review that will guide the compliance program development and improvement activities. Compliance program management review is established at the end of this last phase. If there is an EHSMS in place, program review information and action plan tracking can be integrated into that Management System.
As a whole, this process will help companies evaluate the degree to which:
- EHS compliance goals and objectives are set and communicated by management.
- Hazards and risks are identified, sized, and assessed, including an inventory of activities subject to the compliance requirements and the relative risks.
- Existing controls are adequate and effective, recognizing and addressing changed conditions.
- Plans are in place to address risks not adequately covered by existing controls.
- Plans and controls are resourced and implemented.
- Controls are documented and operationalized across functions and work units.
- Personnel know and understand the controls and expectations, and are engaged in their design and improvement.
- Controls are being monitored with appropriate metrics and compliance auditing and assurance.
- Information system is sufficient to support EHSMS-required functions (e.g., document management and control, action tracking, notifications, training tracking, task calendaring, metrics reporting). Information dashboards can be used for reports to management.
- Deficiencies are being addressed by corrective/preventive action and are being tracked to completion.
- Processes, controls, and performance are being reviewed by management for ongoing improvement, including the maintenance and continual improvement of the ISO 14001 and OHSAS 18001-certified EHSMS.
With this foundation, the next article in this series discusses audit program best practices.
This year is being described as “the year of FSMA compliance,” as many compliance dates for the various FSMA rules fall in 2017. As one might expect, the FSMA law and rules include many aspects of the established Global Food Safety Initiative (GFSI) standard; however, there are also differences in how they are applied to create better food safety enforcement.
At the most basic level, GFSI is an industry conformance standard for certification, while FSMA is a compliance regulation that must be met. However, both work together to ensure companies are effectively managing food safety.
The GFSI is facilitated by the industry network of The Consumer Goods Forum. It provides a very solid foundation and supporting objective of “safe food for consumers everywhere”.
GFSI was originally established based on a growing pattern of food safety outbreaks throughout the international marketplace. This led to the proactive development of GFSI standards as an alternative to the more limited and less effective customer audits in place at the time. An important part of this outcome was that CEOs in the food industry—not a regulatory body—determined the need to address food safety through the GFSI food safety standard.
With its beginning as a benchmarking organization, GFSI has since evolved throughout the food supply chain as a strong means for achieving global food safety. It is now established, growing, and improving across the primary supply chains within the global food market.
As such, much work to address food safety has been accomplished by GFSI over the past sixteen years. In fact, the industry-driven aspect of GFSI along the food supply chain has led many companies to achieve levels of food safety comparable to those required to achieve FSMA compliance. Based on its collaboration of food safety experts, GFSI provides for a significant evolution of food safety programs and supports those requiring FSMA compliance.
During a similar timeframe, the United States identified food safety as a major concern for the public. In the 1990s, a growing number of food outbreaks from biological contamination continued to spread, prompting the addition of controls within both the USDA and FDA. These brought the mandated requirement for Hazard Analysis and Critical Control Points (HACCP) and supporting Good Manufacturing Practices (GMPs) to specific industry sectors. However, these efforts were measured to have limited effect, as the outbreaks continued.
By the early 2000s, the public concern for food safety continued, and the FDA was determined to make changes. Along with Congress, the FDA commissioned research into the underlying issues that were resulting in the growing number and severity of food outbreaks. This research was being conducted and analyzed just as GFSI was determining its final group of benchmarked standards. At the same time, GFSI was positioned to be advanced into the U.S. market by food industry leaders, including Cargill, McDonald’s, Walmart, Kroger, Coca-Cola and Wegmans.
The outcomes from the FDA studies determined that the GMPs (in existence for the past 40 years) were not effectively implemented across the U.S. food industry. Further, the studies indicated that the ability to prevent food safety issues through specific controls would provide a means for reducing the number of foodborne illnesses.
This effort led to the development of FSMA, which passed in January 2011. Additional FSMA rules have since been published, starting in September 2016. The FSMA rules represent a rewrite of the existing FDA food safety regulations. However, with the FSMA law taking several years to roll out, the existing FDA laws remain in effect until they are replaced. These actions expand the FDA’s jurisdiction now and until full compliance of FSMA.
Bringing GFSI and FSMA Together
The presence of GFSI in the U.S., as well as the GFSI certification of many suppliers to U.S. food importers, provides for a synergy between the GFSI standard and the FSMA law being enforced throughout the U.S. and its foreign suppliers. GFSI’s global focus provides the structure to adapt and meet many of the FSMA requirements, with the ability to expand to all FSMA requirements.
As one would expect, the FSMA law and rules include several aspects of the GFSI standard; however, there are many differences in how each is applied to encourage better food safety enforcement. For instance, GFSI has the advantage of providing the time to develop programs, and thousands of companies are certified to the various programs under the standard. Conversely, FDA is implementing FSMA compliance over several years, with 2017 being a big year for compliance (based on the rules’ published dates, company size and industry segment).
In this new order of food safety in the U.S., those companies that have achieved GFSI certification should have an advantage over those who do not, provided they can align their GFSI programs with the FSMA law requirements. However, there is also a benefit to starting with FSMA and moving to a GFSI certification.
Existing GFSI certifications provide an established framework, with many of the program requirements similar to those required by FSMA. For example, personnel are required by both to establish HACCP and Food Safety Plans, as well as prerequisite procedures (PRPs) and current Good Manufacturing Practices (cGMPs). The challenge is ensuring the complete development of these food safety procedures to guarantee they meet both GFSI and FSMA requirements.
As another example, personnel requirements are similar but different under FSMA and GFSI, which calls for training, updating and qualifying resources. Ultimately, advanced HACCP training under GFSI provides the means for establishing a Qualified Individual under FSMA, but it requires expanding the training to include FSMA Preventive Controls and procedures. The resulting plan is the Food Safety Plan, which can be based on HACCP but with the proper additions to meet FSMA requirements.
Global Food Safety Conference
The upcoming Global Food Safety Conference (February 27 – March 3 in Houston, Texas) provides an opportunity for those seeking compliance to FSMA or certification to a scheme within the GFSI Standard to get a deeper understanding of food safety. With 2017 being the year of FSMA compliance, it is very appropriate that the Global Food Safety Conference be held in the U.S. this year. The conference will provide U.S. companies attending, as well as foreign suppliers of products to the U.S. market, an educational opportunity and forum to reach out to experts from industry, government, and academia to better understand these two key areas for food safety program development. Some of the topics to be addressed at the conference include the following:
- Food safety management commitment and corporate governance
- Required training of food safety roles, including management, staff and operations
- Specific requirements of the documented food safety program or written programs under FSMA
- FDA requirements of the past and existing requirements prior to FSMA and the relationship of these as comparable to GFSI
- Implications for FDA enforcement under FSMA of these previous requirements and program requirements that may need to be formalized under FSMA
- The proof of evidence with supporting records required by FSMA that may be addressed in part by existing or GFSI-level food safety programs
- How to adapt an FSMA-level food safety plan and preventive controls cGMPs from existing programs, including GFSI, or develop these to function with existing programs
- Levels and numbers of qualified individuals, qualified auditors and competent sanitation for oversight and management of FSMA food safety plans
- Management reanalysis and update of the written FSMA programs to ensure compliance and readiness for inspection by FDA FSMA investigators
- Process used to ensure compliance with FSMA Preventive Controls and the other FSMA rules being issued in 2017 and 2018, including Foreign Supplier Verification, Sanitary Transportation and Intentional Adulteration
Kestrel has been a long-time advocate of GFSI, performing site certification program development support for hundreds of companies. We have served as a GFSI Stakeholder, Technical Working Group participant, and panelist at previous GFSI Global Food Safety Conferences. We look forward to seeing you at the 2017 GFSI Global Food Safety Conference and to helping you navigate GFSI conformance and FSMA compliance requirements.