The 20^th Annual Food Safety Summit, held earlier in May, proved once again to be an engaging and informative meeting for all in attendance. During the four-day event, food safety professionals participated in interactive sessions focused on food safety in the supply chain.

Throughout the Summit, Kestrel’s food safety experts observed several common themes and challenges that the food industry is facing — challenges that your business may be encountering today. Here are some of our key takeaways:

Key Topics

This year’s Summit featured a supply chain focus. Every company in the food supply chain—those that produce, handle, or distribute food-grade products/ingredients—has an obligation to its customers to provide safe and quality food. The Summit began with six certification programs related to food safety across the supply chain, including Preventive Control for Human Food, Foreign Supplier Verification, Professional Food Safety Auditor Training, Seafood HACCP, HACCP Training, and Certified in Comprehensive Food Safety.

The focus on food safety throughout the supply chain was discussed in lessons learned from recent food safety case studies, as well as in four afternoon workshops focused on departmental cooperation, traceability, effectively managing food safety, and global regulatory systems. In addition, the new Community Cafes provided attendees the chance to meet with the subject matter experts, including experts from Kestrel, for more in-depth conversations about topics focused on the supply chain.

Industry Trends

As is evident from the key topics covered at the Summit, the current trend is a much stronger focus on food safety within the global supply-chain, particularly coordination of various global regulatory systems, requirements, and agencies. Steve Mandernach of the Association of Food and Drug Officials (AFDO), Dr. Robert Tauxe of the Centers for Disease Control (CDC), Paul Keicker of the U.S. Department of Agriculture (USDA), and Stephen Ostroff from the U.S. Food and Drug Administration (FDA) participated in sessions on how the agencies are working together on food safety initiatives and the impact food safety. This included a conversation on whole genome sequencing of pathogens as a game changer for disease monitoring and response.

Ongoing Challenges

A major concern and ongoing challenge within the food safety community involves training regarding food safety responsibility across all levels of the organization. This not only includes large organizations with individuals who are directly responsible for food safety programs, but also smaller organizations where these responsibilities must be understood and followed by everyone at all levels. This corresponds to the need for food organizations to establish a much more comprehensive and effective food safety culture. The lack of this training, organizational responsibility, and overall culture is considered one of the primary causes of continued contaminated food outbreaks.

Regulatory Updates

In addition to the discussion regarding the use and benefits of whole genome sequencing, enforcement of FSMA and the expanding rules of Intentional Adulteration and Food Fraud Prevention Programs continue to be top areas of regulatory concern. Inspections and investigations related to supporting Food Safety Plans under these requirements will continue to expand, as evidence of compliance is required by all food organizations under the law.

Food Safety Summit 2019

Plans are already being made for the 21st Anniversary of the Food Safety Summit, which will again be held at the Donald E. Stephens Convention Center in Rosemont, IL from Monday, May 6 through Thursday, May 9, 2019. Mark your calendar. Kestrel looks forward to being an active sponsor and participant again next year.

Since it was launched in May 2000 following a number of major food safety scares, the Global Food Safety Initiative (GFSI) has aimed to “provide continuous improvement in food safety management systems to ensure confidence in the delivery of safe food to consumers worldwide.”

Recognized Schemes

GFSI is not a scheme in itself, nor does it carry out any accreditation or certification activities. Rather, a benchmarked scheme (e.g., BRC, SQF, IFS, FSSC 22000) is recognized by GFSI when it meets the minimum food safety requirements, as set out in the GFSI Guidance Document.

Strategy for Certification

Companies have the flexibility to choose which GFSI-recognized scheme they want to adopt, and can achieve certification through a successful third-party audit. Under GFSI’s concept of “once certified, accepted everywhere,” certification to any GFSI-recognized scheme is accepted by many international, national, and regional retailers and suppliers.

The following factors should be considered to ensure a successful GFSI strategy:

1. Adequate knowledge of the GFSI standards (e.g., BRC, SQF, IFS, FSSC 22000) and how they work within food manufacturing and packaging companies
2. Ability to use and implement document and records management and control
3. Training to implement the chosen standard and ongoing training in the standard/key program areas, including Hazard Analysis and Critical Control Points (HACCP) and internal audit
4. Meeting the building requirements of the GFSI standard
5. An integrated pest management system that meets the requirements of the standard
6. Dedicated role of a qualified plant sanitarian
7. A strategy that includes management commitment and allocation of budgets and resources
8. Proper management review meetings and records
9. Compliant food safety and security
10. A corrective and preventive action (CAPA) process that meets the requirements of the standard
11. Approved supplier programs
12. Control of non-conforming product through disposal
13. Change management and acceptance by the organization
14. Product specifications that meet the requirements of the standard
15. Sanitation and chemical control programs
16. Deviation and variance tracking, reporting, and response
17. Product and raw material storage
18. Food-level Good Manufacturing Practices (GMPs), operating prerequisites, and compliance
19. Calibration of measurement devices
20. Emergency response and contingency plans

The GFSI system provides a high degree of confidence that food safety management systems are adequately designed, implemented, and maintained. Certified companies tend to be more efficient and profitable and have more effective shared risk management tools for brand protection. Ultimately, certification results in improved consumer confidence, simpler buying, and safer food throughout the supply chain.

In recent years, companies have been generating vast and ever-increasing amounts of data associated with business operations. This trend has led to renewed interest in predictive analytics, a field which focuses on analyzing large data sets to identify patterns and predict outcomes to help guide decision-making. While many leading companies use predictive analytics to identify marketing and sales opportunities, similar data analysis strategies are less common in occupational and process safety. Although the use of predictive analytics is less common in the field of safety, the potential benefits of analyzing safety data are considerable.

Just as companies are currently using customer data to predict customer behavior, safety and incident data can be used to predict when and where incidents are likely to occur. Appropriate data analysis strategies can also identify the key factors that contribute to incident risk, thereby allowing companies to proactively address those factors to avoid future incidents.

Predictive Analytics: In Theory

Let’s take a step back and look at what predictive analytics is and what it does. Predictive analytics is a broad field encompassing aspects of various disciplines, including machine learning, artificial intelligence, statistics, and data mining. Predictive analytics uncovers patterns and trends in large data sets for the purpose of predicting outcomes before they occur. One branch of predictive analytics, classification algorithms, could be particularly beneficial to industry, especially when it comes to avoiding incidents.

Classification algorithms can be categorized as supervised machine learning. With supervised learning, the user has a set of data that includes predictive variable measurements that can be tied to known outcomes. The algorithms identify the relationships between various factors and those outcomes to create predictive rules (i.e., a model). Once created, the model can be given a dataset with predictive variable measurements and unknown outcomes, and will then predict the outcome based on the model rules.

Predictive Analytics: In Practice

Like many in the transportation industry, this railroad had experienced a number of derailments caused by broken rails. Broken rail derailments can have particularly severe consequences, since they typically occur on mainline tracks, at full speed, and with no warning of the impending broken rail. Kestrel was asked to create a predictive model of track-caused derailments on a mile-by-mile basis to identify areas of high broken rail risk so the railroad could target those areas for maintenance, increased inspections, and capital improvement projects.

Penalized Likelihood Logistic Regression

As described above, classification models learn predictive rules in an original data set that includes known outcomes, then apply the learned rules to a new data set to predict outcomes and probabilities. In this case study, Kestrel used a logistic regression modified by Firth’s penalized likelihood method to:

• Fit the model
• Identify eleven significant predictive variables (based largely on past incidents)
• Calculate broken rail probabilities for each mile of mainline track based on track characteristics

Final Model

The final model calculates a predicted probability of a broken rail occurring on each mile of track over a two-year period. The results suggest that the final model effectively predicted broken rail risk, with 33% of broken rails occurring on the riskiest 5% of track miles and 70% occurring in the riskiest 20%. Further, the model shows that the greatest risk reduction for the investment may be obtained by focusing on the 2.5% of track miles with the highest probability of a broken rail. This ability to predict where broken rails are likely to occur will allow the company to more effectively manage broken rail derailment risk through targeted track inspections, maintenance, and capital improvement programs.

Implications for Other Industries

The same general approach described in the above case study can also be applied to other industries—using KPIs to determine predictive variables and incidents as the outcome. The process is as follows:

• Measurements for defined variables would be taken regularly at each facility or unit. Precision increases as the measurements become more frequent and the observed area (facility/unit) becomes smaller.
• Once a sufficient number of measurements has been taken, they would then be combined with incident data to provide both the predictive variable measurements and the outcome data needed for training a model. This dataset would be fed into a logistic regression or other classification algorithms to create a model.
• Once the model has been created, it can be applied to new measurements to predict the probability of an incident occurring at that location during the applicable timeframe.

Once predicted incident probabilities have been found, management would be able to focus improvement resources on those locations that have the highest probabilities of experiencing an incident. The classification algorithms also identify which factors have predictive validity, so management will know how improving those factors will affect the predicted probability of incidents occurring. In other words, they will know which factors have the strongest relationship with incidents and can focus on improving those first.

Data-Driven Decisions

Industrial companies are generating and recording unprecedented amounts of data associated with operations. Those that strive to be best-in-class need to use that data intelligently to guide future business decision-making.

The versatility of predictive analytics, including the method described in this case study, can be applied to help companies analyze a wide variety of problems. In this way, companies can:

• Explore and investigate past performance
• Gain the insights needed to turn vast amounts of data into relevant and actionable information
• Create statistically valid models to facilitate data-driven decisions

Companies grasp the importance of using technology to create business efficiencies. Integrating technology into traditional processes allows companies to stretch and empower limited resources. It offers ways to provide more value to company operations and management systems.

Traditional Solutions

When it comes to technology integration, however, companies traditionally look for an isolated solution to a single problem—a find-it, fix-it approach. A simple example of this would be creating an Excel spreadsheet to manage data from multiple sources. While this creates an improvement beyond the traditional hard copy binder, it is a linear, isolated solution to one issue that offers minimal additional business value.

Consider the data on that spreadsheet and consider how business systems work. Does the data stand alone or does it impact other parts of the business? Does the business system operate in a silo or are there common elements with other business systems? In most cases, there is overlap between data, information, systems, platforms, etc. As a result, building a patchwork of technology solutions to address individual problems is only a short-term fix.

Relational Approach

Truly valuable technology solutions take a relational approach that considers the immediate issue within the context of the overall business need, and then integrates multiple platforms/systems, as required, into an aligned system.

A forward-thinking, relational technology approach takes a solution perspective that thinks beyond the singular project need to the big picture and then designs backward. It’s a shift in mindset from “How can I use technology to make this efficient?” to one that asks, “Ultimately, what does the big-picture, desired state look like…and how can technology get us there?”

A relational approach such as this follows these steps:

Case Study in Technology Integration

The following case study provides a real-world example of how a global chemical distributor is following these steps to create a relational technology solution that will improve business efficiencies across the company. Initially, this distributor wanted to pull data from facility reports for 150+ locations into one database—that was the “simple” problem. The old system had facilities entering data into Excel forms. That information was then pulled into Access so the data could be manipulated.

Understanding that the facility data is intertwined with many aspects of the business, Kestrel looked beyond this singular issue at the bigger picture. The forward-thinking solution would be to create a technology platform that would solve this facility data problem and could easily be expanded to other business needs, particularly since facility data is tied to most aspects of the business.

To do this, Kestrel built the facility form into SharePoint as the base application for the company’s overall system. SharePoint houses all data previously input into Excel documents for each facility broken up by 11 regional operating companies with multiple locations under each. The form requires that each facility contact fill out quarterly information on the facility (e.g., permits, fleets, transportation, personnel). Beyond the facility form, the SharePoint system currently has the following modules, which all feed into the facility form:

1. Facility images
2. Storage tanks
3. Facility audits
4. Sustainability

The SharePoint system is continuing to be expanded to integrate other systems into a single source that will create significant business efficiencies. This approach is creating many benefits across the company:

• The company is able to collect multiple levels of data and then associate that data to the individual facility or provide a composite report (i.e., data required for storage tanks, sustainability efforts, audits conducted).
• The look and feel of the forms in SharePoint are very similar to the original Excel documents, so it is an easy transition and very intuitive system to use. Little training has been required.
• The company can easily track information on all facilities. Management can export data to Excel and create reports. The company has complete ownership of data and deliverables.
• The system can create alerts for overdue items and generate real-time metrics and dashboards. Many additional options can be further customized based on ongoing business needs.
• Additional data from other systems being used across the company (e.g., auditing program) can be integrated and aligned into SharePoint as users become more familiar with the platform.

Why SharePoint?

SharePoint is a dynamic solution tool that can be customized and designed to capture data and provide consolidated reporting to all levels of management. Because of SharePoint’s flexibility, the possibilities of what it can do are virtually endless:

• Creates a single, familiar platform that simplifies access
• Provides functionality for continual adaptation to meet future data management and reporting needs
• Adapts to the needs of the business, rather than the business adapting to the capabilities of the program
• Maximizes efficiency and connectivity between many field and corporate groups
• Allows information to be shared and tracked in multiple ways
• Allows users to easily create complex databases that are both manageable and flexible
• Gives the ability to manage sites/facilities/plants/departments for compliance purposes
• Simplifies the data entry process by providing user-friendly functionality
• Consolidates reporting
• Provides a dynamic solution – updates made to the tool are reflected immediately
• Allows local users to control and build sites to their specifications
• Allows all levels of users to work with it easily due to its intuitive nature

By having so many features and applications on a single platform, it is easy to tie them all together into an aligned system and to create multiple functions/uses for the data being collected from so many sources. With an aligned system, then, achieving the big-picture, desired state (rather than the short-term fix) becomes entirely possible.

EPA Announces Chemical Safety Milestones

To celebrate the one-year anniversary of the Frank R. Lautenberg Chemical Safety for the 21st Century Act, EPA Administrator Scott Pruitt announced on June 22, 2017, that the Agency has met its first-year statutory responsibilities under the law. This includes the following actions:

• Issuing a rule to establish EPA’s process and criteria for identifying high-priority chemicals for risk evaluation and low-priority chemicals not requiring risk evaluation. http://www.epa.gov/assessing-and-managing-chemicals-under-tsca/prioritizing-existing-chemicals-risk-evaluation
• Issuing a rule to establish EPA’s process for evaluating high-priority chemicals to determine whether they present an unreasonable risk to health or the environment. https://www.epa.gov/assessing-and-managing-chemicals-under-tsca/risk-evaluations-chemicals-under-tsca
• Issuing a rule to require industry reporting of chemicals manufactured or processed in the U.S. over the past 10 years. https://www.epa.gov/tsca-inventory/tsca-inventory-notification-active-inactive-rule
• Releasing scope documents for the initial ten chemicals for risk evaluation under the amended law. https://www.epa.gov/assessing-and-managing-chemicals-under-tsca/risk-evaluations-chemicals-under-tsca#ten
• Releasing guidance for external parties interested in submitting draft risk evaluations to the EPA for consideration. https://www.epa.gov/assessing-and-managing-chemicals-under-tsca/guidance-assist-interested-persons-developing-and

Read the EPA press release: https://www.epa.gov/newsreleases/epa-marks-chemical-safety-milestone-1st-anniversary-lautenberg-chemical-safety-act

The Food Safety Modernization Act (FSMA) Foreign Supplier Verification Program (FSVP) imperatives require companies to assess their foreign supply chain of food production and implement new programs to meet and achieve compliance. These programs must be implemented and ready for inspection under FDA FSMA enforcement by the compliance date. For many companies, that date was May 30, 2017.

FSVP Requirements

Effective May 30, 2017, impacted companies are expected to follow the FSMA FSVP legal requirements or face a disruption in supply, business impacts, possible fines, and penalties. In short, this requires that companies ensure that receipt of foreign food includes the necessary information to be adequately inspected and verified.

Key areas to demonstrate FSVP compliance include the following:

• Determine the receipt information under FSVP to verify approval of each shipment of each product by lot identity.
• Confirm the existing information that may already be required for each shipment, including COA by product lot and FDA registration number (with expiration date).
• Document the actual site of manufacture of the foreign-supplied product, including the location, contact information, operator, and Qualified Individual overseeing the Food Safety Plan.
• Require declarations with each shipment stating that the supplier is in good standing with FDA and their foreign government’s food safety regulations. Provide a list of all programs under FSMA (Food Safety Plan and Section 17 cGMPs) with each shipment under an authorized signature.
• Include any additional information that is required under the FSVP that adequately confirms compliance to the company’s program, product requirements, and FSMA.
• Establish and maintain receipt records on all information that can be accessed and inspected at the request of inspection authorities for at least two years.

Compliance Challenges

At first glance, the FSVP requirements seem basic—foreign supplied food product is approved by meeting the FDA requirements and the requirements of U.S. companies receiving these products. It looks to be the same as existing supplier qualifications for U.S.-supplied food product.

However, the FSVP rule provides much information on “what” is required of companies but not “how” or how to validate and verify these programs. Many FSMA training programs, including the FDA-funded FSPCA, really do not provide a level of guidance for companies to develop and meet the anticipated inspection process, which could include shipments stopped at a foreign port or at the U.S. port of entry. Concurrently, established importers have programs to communicate import shipments based on the requirements prior to FSMA and the FSVP, but many have expressed confusion in determining the changes now required.

Leading up to the May 30th compliance date, many companies of all sizes and scale began to seek ways to best establish their programs to meet the full regulatory requirement. Much of the focus has been on establishing practices that informally address what is really required under the FSVP while making a casual determination of compliance. Other companies have developed programs consistent with the procedural requirements of the FSVP rule, as published.

Some companies have taken the requirements to an extreme by determining new supplier requisite information for each shipment to prove compliance. This has resulted in generating a significant amount of information for each shipment by each product. This level of information is not what FSMA intended. Much of the required information for FSVP is already in the established supplier qualification program and must be maintained but is not required in its entirety with each shipment. In fact, there are issues with the approach of requiring all information with each foreign supply shipment, including:

• Sheer volume of information
• Time required to assemble the information
• Inability of inspectors to assess all the information for compliance

All of this leads to the confusing situation that exists in the market today concerning the FSMA FSVP, where compliant practices have not been developed and newly established requirements have not been tested by enforcement. As a result, reports indicate that many foreign suppliers of varying company size, scale and sophistication are not openly willing to respond without clear, simple instructions from their U.S customers.

Establishing Reasonable Plans

Ultimately, many of the FSVP practice requirements will be developed and refined through the regulatory inspection actions of the rule. That being said, the industry cannot wait. Companies need to have reasonable plans established for all current shipments being made under the FSVP.

Companies should focus on the more fundamental aspects of the FSVP—those requirements that must be verified, recorded, and evident in the documents supporting all foreign shipments of food product under the rule. This information does not need to include the entire policy manual but select summary information.

An important consideration involves understanding how this law is expected to be inspected. Knowing this provides a basis to develop and implement an effective program. The premise is that the foreign shipments may not be stopped for inspection at the border level, but that inspections will more commonly occur at the receiving party location of the product shipment at delivery to their U.S. locations. Regulators will expect to inspect verified, recorded, and legal receipt of the foreign-supplied food product.

Areas to focus on to ensure compliance with the FSVP requirements includes the following:

Receipt of RSVP Products. Focus on verification of the necessary information for receipt of FSVP products based on the law and the company’s defined program. This does not mean all program information but information that adequately meets the level required for compliance.

Shipment Information for Receiving Records. Establish lists of shipment information for all shipments, which includes all products being received under FSVP, as summary forms with current and validated information. Summary information that can be effectively inspected as part of and aligned with the shipping paperwork will provide the necessary information as part of an FSVP receiving record.

Compliance Actions. Establish procedures and work instructions to ensure that compliant practices are approved, verified, and meet the minimum requirements. This will include modifying some existing documents and forms that are specifically required under the FSVP. This level of approved summary information must reflect the documented policies and procedures developed in the company’s FSMA Food Safety Plan and FSVP.

Internal Programs. Maintain internal programs, with oversight verification conducted diligently. All required information must be accounted for and records must be completed and maintained with a high level of accuracy and integrity. Verification must include oversight and multi-level signed approval.

What is ISO 45001?

ISO 45001 is a new international standard created by the International Organization for Standardization (ISO) that specifies requirements for an occupational, health & safety management system (OHSMS). It provides a framework for managing the prevention of death, work-related injury, and work illnesses. The ultimate goal of the standard is to help organizations proactively improve OHS performance and create a safe and healthy workplace.

Note that ISO 45001 provides guidance. It does not state specific criteria for OHS performance, nor is it prescriptive about the OHSMS design. It is a management tool for voluntary use by organizations to minimize OHS risks.

Why is ISO 45001 necessary?

There are several reasons why the creation of an international standard to manage OHS performance is necessary:

• First and foremost, organizations are responsible for minimizing the risk of harm to all individuals that may be impacted by their activities. The standard aims to protect human lives by encouraging organizations to create a safer, healthier workplace.
• According to the International Labour Organization (ILO), there were 2.34 million deaths worldwide in 2013 as a result of worker activities. The greatest majority (2 million) are associated with health issues, as opposed to injuries. The economic burden associated with this number of occupational injuries and illnesses is significant. Organizations must manage all their risks—including OHS—to survive. Poor OHS management can result in loss of key employees, business interruption, claims, higher insurance premiums, regulatory action, reputational damage, loss of investors, and loss of business.
• Finally, increased globalization creates new OHS challenges. ISO 45001 is an international standard that promotes global conformity.

What are the key aspects of ISO 45001?

Many of the elements of ISO 45001 are the same or similar to those found in OSHAS 18001. However, there are additions and changes in ISO 45001 that differentiate the new standard.

ISO 45001 establishes new roles for the organization’s people. First, it emphasizes worker participation in the OHSMS. This includes ensuring that workers are competent and have the appropriate skills to safely perform their tasks. Second, the role of top management is different than in OHSAS 18001. Of note, a designated Management Representative is no longer required; however, those individuals in management roles are expected to take ownership and demonstrate a commitment to OHS through leadership. Top management must demonstrate direct involvement and engagement with the OHSMS by:

• Ensuring the organization’s OHS policy and objectives are compatible with the overall strategic direction of the organization
• Integrating OHSMS processes and requirements into business processes
• Developing and promoting an OHS culture that supports the OHSMS
• Being accountable for the OHSMS’s effectiveness

In addition to people, ISO 45001 follows a risk-based approach that advocates prevention. This requires identifying activities that could harm those working on behalf of the organization. A large part of this involves understanding the “context” of the organization, another new element of ISO 45001. Organizations must be able to identify all external and internal factors that have the potential to impact OHS management objectives and results.

To address risks and opportunities, there are new clauses related to hazard identification, as well. As with other sections of the standard, hazard identification becomes a process rather than a procedure and, importantly, considers all individuals near the workplace who may be impacted by the organization’s activities. ISO 45001 further outlines a more defined hierarchy for organizations to determine appropriate controls.

How does ISO 45001 fit in with other ISO standards and management system approaches?

ISO 45001 follows the same high-level management system approach being applied to other ISO management system standards (e.g., ISO 14001 and ISO 9001)—Annex SL. Because of this, the ISO 45001 requirements should be consistent with the other standards to allow for relatively easy alignment and integration into the organization’s overall management processes.

In addition, ISO 45001 takes into account other OHS standards, including OHSAS 18001, ILO-OSH Guidelines, various national standards, and the ILO’s international labor standards and conventions.

What is Annex SL?

As mentioned above, Annex SL is the structure for all new and revised ISO standards. It defines the framework for a generic management system—and is then customized for each discipline. This standard structure allows for easier integration between management systems and improved efficiencies. The major clauses for all ISO management system standards are identical under Annex SL and fall into the Play-Do-Check-Act (PDCA) cycle. Organizations who have already implemented ISO 9001:2015 or ISO 14001:2015 will be familiar with the Annex SL structure.

The table below outlines the main clauses in Annex SL, as well as the OHSMS-specific clauses. Highlighted areas indicate those sections that are significant changes/additions to the existing OHSAS 18001 standard.

What does this mean for OHSAS 18001?

As outlined in the table above, ISO 45001 does not conflict with OHSAS 18001. In fact, it expands and enhances the existing standard to improve integration of the OHSMS into the overall business. ISO 45001 is intended to replace OHSAS 18001. Much like other management system standards, current users of OHSAS 18001 will need to update their systems according to the requirements of the new standard within a three-year transition period.

Who should use ISO 45001?

The short answer is everyone. ISO 45001 is designed to be a flexible management system that can be implemented by any organization, no matter the size, type, or industry. As long as the organization has people who may be affected by its activities, an OHSMS has value in ensuring worker health and safety and fulfilling legal requirements.

Why should I do this? Why are management systems like ISO 45001 beneficial?

A management system is an organizing framework that enables companies to achieve and sustain their operational and business objectives through a process of continuous improvement. A management system is designed to identify and manage risks through an organized set of policies, procedures, practices, and resources that guide the enterprise and its activities to maximize business value.

What do I do next?

• Get informed! Start reading up on ISO 45001 to get familiar with how the new standard is structured.
• Identify gaps in your existing OHSMS that will need to be addressed to meet any new requirements. If you don’t have an existing OHSMS, review the requirements and determine what pieces you may already have in place.
• Develop an implementation plan. There is a three-year transition period. Plan according to this timeline.
• Provide training. It is vital to ensure that workers and management are engaged in the OHSMS and that they are competent in any new skills/responsibilities that may be required.
• Put your plan into action. Update/develop your OHSMS to meet the ISO 45001 requirements and provide verification of its effectiveness to ensure certification.

The Food Safety Modernization Act (FSMA) includes new requirements for food site inspections. Beyond that, the Act increases the frequency of established inspections. For example, FSMA mandates that high-risk facilities must be inspected within five years of enactment and no less than every three years following the initial inspection. The Act also requires inspection of at least 600 foreign facilities initially and double that number every year for the next five years. Routine inspections from FDA and other enforcement agencies will continue based on schedules to be communicated.

With FSMA rules moving to the compliance stage, food companies must prepare to best respond to the requirements and, correspondingly, to additional inspections beyond GFSI or as part of customer requirements.

Be Prepared

Inspectors will focus heavily on new requirements and the “letter of the law”. Therefore, a well-established inspection program and response that is implemented and tested will help to achieve the most favorable outcome. This is an important area to address, especially given the many changes in compliance under FSMA, greater scrutiny under GFSI, and a rapidly changing responsibility for food safety management resources. It is critical to have established roles, planning, and testing as part of any inspection readiness program.

Inspection Agencies

As reported, the FDA is underfunded to conduct the scheduled inspection of food operations under FSMA. While many inspections will be administered by the FDA, which will continue to expand internal resources, some local agencies are already under contract for conducting inspections that will be much more detailed than visits from them in the past.

These local regulatory agencies, including state health departments, are providing the “boots on the ground” to conduct inspections for direct compliance under FSMA or as a means of communicating more serious issues to the FDA. Based on recent experience, more critical issues are being raised to the FDA level for final action.

Roles and Responsibilities

Regardless of a company’s experience with FDA compliance audits, the new rules and Section 117 cGMPs will require more formalized programs and strong evidence of compliance through internal audits and oversight by Qualified Individuals. Additionally, organizations under the FSMA Preventive Control Rule must have multiple Food Safety Plan Qualified Individuals, Qualified Auditors, competent sanitation management, and competent plant operators. Ultimately, all food company employees must be prepared for their roles in an FDA compliance inspection.

Planning

As preparation for FDA inspections, companies must establish a program to best address an inspection.  The focus must be on compliance to FDA, FSMA, and internal requirements—with the inspection providing this for the company in question. The biggest concern is gaps in compliance or known non-compliances; however, with FSMA there is no tolerance or excuse for ignorance.

A response procedure should be well-orchestrated to meet and respond to the representative of the FDA or the agency visiting the site for an FDA inspection. Along with the immediate response to any inspection (including those planned and those unplanned), food companies should consider the following:

1. Completely develop an FSMA Food Safety Plan to ensure that it is aligned with a possible audit and includes reference to all supporting programs, cCMPs, resource qualifications, and records. The plan must be developed under the oversight, validation, and verification of preventive controls Qualified Individual, as trained, qualified and designated.

2. Have the most appropriate organizational structure (i.e., with Qualified Individuals, Qualified Auditor, sanitation leads and food plant operators) to meet FSMA resources and minimize the organizational impacts.

3. Regularly review the FSMA Food Safety Plan as part of a general and management review process, including the internal audit by the Qualified Auditor, to ensure the up-to-date compliance of the Plan.

4. Review all records to maintain verification requirements for FSMA, as required by Section 117. Ensure that all records are complete, validated, and verified.

5. Conduct mock regulatory inspections to ensure readiness and understanding of the responsibilities of each employee based on their roles in the process. This should include following the program and confirming all actions, roles, and responsibilities. All improvements from this process should be updated into programs and implemented for possible inspection purposes.

6. Ensure compliance with all other regulatory requirements, including FSMA Sanitary Transportation, Foreign Supplier Verification, site registration, and any other related regulatory requirements.

7. Confirm compliance with Management of Change (MOC) to ensure that all building, equipment, and process changes are reflected in current Food Safety Plans and Section 117 cGMPs. This must include product-level specifications, including packaging, ingredients, and processing.

8. Document and update review and mock drills of regulatory inspection programs with any non-conformances addressed as quickly as possible. Consider the process for verifying the inspector’s credentials, opening the session, and ensuring that all required personnel or backups are onsite in the case of an inspection. In cases where all cannot be present or for outside contacts, ensure availability of ownership, corporate compliance management, and designated legal counsel.

Compliance with both FSMA and GFSI requirements means fully conforming with the other. A non-conformance to the GFSI food safety system represents a potential FSMA violation; correspondingly, lack of conformance to FSMA can be a non-conformance to GFSI certification. Criminal violations for non-compliance to FSMA begin with misdemeanor charges starting at $250,000 and up to one year in jail. With these consequences on the line, the importance of FDA inspections must be taken very seriously.

All types of business and operational processes demand a variety of audits and inspections to evaluate compliance with standards—ranging from government regulations to industry codes, to system standards (i.e., ISO), to internal corporate requirements.

Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices.

By combining effective auditing program design, standardized procedures, trained/knowledgeable auditors, and computerized systems and tools, companies are better able to capture and analyze audit data, and then use that information to improve business performance. Having auditing software of some sort can greatly streamline productivity and enhance quality, especially in industries with many compliance obligations.

The following tips can help ensure that companies are getting the most out of their auditing process:

1. Have a computerized system. Any system is better than nothing; functional is more important than perfect. The key is to commit to a choice and move forward with it. Companies are beginning to recognize the pitfalls of “smart people” audits (i.e., an audit conducted by an expert + notebook with no protocols or systems). While expertise is valuable, this approach makes it difficult to compare facilities and results, is not replicable, and provides no assurance that everything has been reviewed. A defined system and protocol helps to avoid these pitfalls.

2. Invest time before the audit. The most important time in the audit process is before the audit begins. Do not wait until the day before to prepare. There is value in knowing the scope of the audit, understanding expectations, and developing question sets/protocol. This is also the time to ensure that the system collects the data desired to produce the final report.
   

3. Capture data. Data is tangible. You can count, sort, compare and organize data so it can be used on the back end. Data allows the company to produce reports, analytics, and standard metrics/key performance indicators.
   

4. Don’t forget about information. Information is important, too. The information provides descriptions, directions, photos, etc. to support the data and paint a complete picture.
   

5. Be timely. Reports must be timely to correct findings and demonstrate a sense of urgency. Reports serve as a permanent record and begin the process of remediation. The sooner they are produced, the sooner corrective actions begin.
   

6. Note immediate fixes. During the audit, there may be small things uncovered that can be fixed immediately. These items need to be recorded even if they are fixed during the audit. Unrecorded items “never happened”. Correspondingly, it is important to build a culture where individuals are not punished for findings, as this can result in underreporting.
   

7. Understand the audience. Who will be reading the final report? What do they need to know? What is their level of understanding? Not all data presentation is useful. In fact, poorly presented data can be confusing and cause inaction. It is important to identify key data, reports desired, and the ways in which outputs can be automated to generate meaningful information.
   

8. Compare to previous audits. The only way to get an accurate comparison is if audits have a common scope and a common checklist/protocol. Using a computerized system can ensure that these factors remain consistent. Comparisons reinforce and support a company’s efforts to maintain and improve compliance over time.
   

9. Manage regulatory updates. It is important to maintain a connection to past audits and the associated compliance requirements at the time of the audit. Regulations might change and that needs to be tracked. Checklists, however, may remain the same. Companies should have a process for tracking regulatory updates and making sure that the system is updated appropriately.
   

10. Maintain data frequency. For data, the frequency is key. Consider what smaller scope, higher frequency audits look like. These can allow the company to gather more data, involve more people, and improve the overall quality and reliability of reports.

A well-designed and well-executed auditing program—with analysis of audit data—provides an essential tool for improving and verifying business performance. Audits capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. And using a technology tool or system to manage the audit makes that information even more useful.

Organizations in the chemical manufacturing and energy industry face the daily challenge to safely manage the processing, storage, and transportation of hazardous materials. To enable this, a great deal of focus and effort is put into compliance, strong management systems, well-maintained equipment, and organizational capability.

A key component of organizational capability is the competence of employees. This is critical to an organization’s success—and very relevant to process safety. In fact, process safety competence is both a regulatory requirement and a business improvement driver. But what does competence mean when it comes to the management of process safety?

Defining Competence

Process safety competence is an area that is sometimes misunderstood as simply providing training to employees. However, it is much more. Organizations need to understand the definition of competence and ensure employees have the basic competence required to fulfill their job function successfully.

Competence is often defined as “an individual having the right level of training and experience to enable the successful execution of defined job responsibilities”. By this definition, competence is a step beyond basic job training—one that necessitates understanding and the ability to successfully apply what is learned.

To fulfill this intent, especially for those working on the management of process safety, it is critical that employers have a structured and sustainable approach to ensure process safety competence. This may include a clear process safety competence assurance program. Not only will this assist with regulatory compliance, it is a critical element in the prevention of a process safety incident.

Steps to Ensure Competence

To successfully create an organizational culture that values and emphasizes process safety competence assurance, there are some basic steps that need to be followed, including those outlined below:

• Understand and define positions within the organization that impact or influence process safety.
• Define desired competence levels and requirements for each of these positions.
• Develop an organizational competence matrix for process safety that documents the positions and requirements.
• Assess position holders’ (i.e., employees’) process safety competence against the requirements outlined on the organizational matrix.
• Identify gaps in competence for each individual and develop individual closure plans.
• Work with employees to address identified competency gaps and verify that they have been closed.

When filling a position that has process safety requirements, the identified candidate(s) should undergo an assessment against the defined process safety requirements for the position to ensure they are competent. It is important to ensure the new employee has the required competence before they are appointed or hired. Successful candidates may have some minor gaps that can quickly be rectified, but putting candidates into jobs that impact or influence process safety as “development” or a “learning opportunity” is a large risk to the organization and unfair to the individual. It is also a practice organizations should stop if they are truly committed to process safety.

Maintaining the Commitment to Competence

To further enhance the ongoing process safety competence of an organization, each position that impacts or influences process safety must maintain the required process safety competencies identified on the competence matrix. The commitment must be sustained to be successful; it should not be a one-time effort.

Organizations can do this by:

• Reviewing competence requirements and adjusting the matrix as new requirements are identified;
• Conducting regular assessments to verify employee competence; and
• Providing opportunities for training and experiential learning that ensure process safety competence remains a top priority.