All types of organizations and operational processes demand a variety of audits and assessments to evaluate compliance with requirements—ranging from government regulations, to industry codes, to management system standards (e.g., ISO, GFSI), to internal obligations. Audits and assessments capture regulatory compliance status, management system conformance, supplier compliance, adequacy of internal controls, potential risks, and best practices.

Internal audits help identify problems so corrective/preventive actions can be put into place and then sustained and improved prior to third-party certification/compliance audits. Internal audits and assessments also help companies with continuous improvement initiatives.

Understanding the Internal Audit Process

Many organizations conduct internal audits with their own staff to assess conformance and identify opportunities for improvement. For companies large enough to have a dedicated internal audit team (with have no ties to the processes they audit), this may make perfect sense. However, it can take significant resources—time, personnel, money—to conduct all internal audits with internal resources.

It is easy to underestimate what goes into a successful audit and assume that it is more efficient and cost-effective to use internal resources. But that often isn’t the case. Let’s consider what an internal audit entails.

Pre-Audit Preparation

• Research: Auditors must understand the standard they are assessing against (i.e., regulatory, management systems, internal, industry). Effective auditors will also understand industry best practices; related local, state, and/or country-based requirements; processing norms for new product areas; etc. that can impact operational compliance and risks.
• Logistics: Logistics includes coordinating with the facility(ies) to schedule the audit and time with applicable personnel for interviews and, if travel is required, researching/booking flights, booking hotels, arranging for car transportation, etc.
• Document Review: Prior to the onsite audit, auditors should review available documentation (e.g., procedures, policies, programs). This will better inform and guide them on where they should dig more deeply during the audit, as well as help them create effective audit protocol (see below). Pre-audit document review also allows the onsite portion of the audit to remain focused on observing operations, interviewing workers, and verifying physical requirements are being met.
• Audit Protocol/Template: Auditors need to take the time to develop protocol/questions for conducting the audit, as well as standardized reporting templates, before the site visit. A standard protocol will make conducting multiple audits more efficient. Consistent protocols and templates also add value by allowing for direct year-over-year and site-to-site comparisons.

Onsite Audit

• Technical Knowledge: To efficiently conduct an audit, auditors must have a thorough understanding of the standard they are assessing against. In many cases, auditors are asked to juggle multiple areas of focus at once. For example, in a foods facility, the auditor may simultaneously evaluate Food and Drug Administration (FDA), U.S. Department of Agriculture (USDA), Global Food Safety Initiative (GFSI), and facility-specific procedure requirements. For an environmental, health, and safety (EHS) audit, the auditor may simultaneously assess Environmental Protection Agency (EPA), Occupational Safety and Health Administration (OSHA), state agency, and facility-specific requirements. Deep technical knowledge of all the related standards and codes helps to ensure a thorough audit.
• Audit Tools: Having the right tool for the job can make audits significantly more efficient. This includes the audit protocol and templates developed as part of pre-audit preparation, as well as audit tools that may be used to conduct and manage audits more efficiently and effectively.
• Audit Management: Auditors are responsible for building a relationship of trust and openness with the facility quickly, while still maintaining control of the audit. This can be a challenge for internal auditors when interviewing colleagues and assessing internal systems.

Post-Audit Follow-up

• Report: Auditors need to synthesize observations from the audit to create a report that concisely conveys all pertinent information, including nonconformances with the defined standard(s). Auditors provide additional value when they can leverage their industry experience to prioritize findings and identify opportunities for improvement and best practices. Reports are most valuable when finalized within a few weeks of the site visit when information is fresh to facility staff.
• Corrective Actions: After an internal audit, facility staff will inevitably have questions regarding findings and what to do next. Auditors can provide valuable support by offering recommendations, building corrective action plans, and supplying technical guidance.

Many organizations do not have dedicated internal auditors—rather, internal auditing is an “add-on” responsibility—so time spent completing these internal audit activities takes time away from other business responsibilities. This often results in a post-audit period where the internal auditor has significant catchup to complete other work that has been put on the backburner while conducting the internal audit.

Value of a Second-Party Auditor

A second-party auditor can provide an objective assessment of overall compliance status and, in many cases, do it more efficiently than organizations are able to do with their own resources. A second-party auditor has the time required to conduct the audit, travel, review documents, and create a report. Beyond that, a second-party auditor also has audit tools and templates to create efficiencies when conducting the audit and reporting, can consolidate audit trips, and can spend dedicated time completing all audit activities as efficiently as possible without needing to factor in other business responsibilities.

Beyond saving significant resources, using a second party to conduct audits provides significant business value and additional return on investment:

• Objectivity: Enlisting a qualified outside firm to conduct an audit provides a fresh set of unbiased eyes to assess aspects of your program internal staff may not consider or see. Second-party auditors offer broad perspective and knowledge of best management practices from conducting audits across industries and standards. They maintain ongoing, up-to-date awareness of current and pending regulatory requirements that the organization should consider.
• Customizable: The audits themselves can be customized to fit the needs and goals of the organization. A second-party auditor can provide more direct coverage to evaluate specific program effectiveness and allow for a more focused understanding of existing strengths and improvement areas. Whether there is a desire to prepare for unannounced regulatory agency visits, review plans and programs, assess supplier compliance, or even verify applicability, second-party audits can be built to address the organization’s identified concerns and help manage risks.
• Effective Tools: Second-party auditors often bring effective audit tools to help conduct and manage audits. These tools capture regulatory compliance status and certification system conformance more efficiently, track audit progress/completion status by subject, and generate reports that can be used by management to inform decision making. 
• Efficiency: Audits performed internally can take resources away from normal business operations not only when conducting the audit, but also when catching up on daily responsibilities and work that is set aside during the audit. Second-party auditors work with the resources allocated to them to conduct an audit in a timely manner that does not negatively impact business functions. These audits minimize the overall disruption in business compared to internal audits.
• Validation: Second-party auditors validate existing programs and identify areas where best practices can be implemented to further protect the company. They assist in identifying and prioritizing issues before they become violations—focusing on implementing and closing corrective actions. They also provide data and reports that can be shared internally with employees to improve performance or externally with communities or customers to bolster the company’s image.  
• Consistency: Using the same second-party auditor to conduct your audits creates consistency across locations and over time. This allows the organization to establish a benchmark for performance that can be used to help ensure continuous improvement throughout the organization and its supply chain.

Second-party audits are not just about checking boxes—they are about building stronger partnerships, spotting issues early, and keeping your business running smoothly. Don’t wait for nonconformances to catch you off guard. Implementing second-party audits isn’t just a compliance tool, it is a strategic advantage.

The Food Safety Modernization Act’s (FSMA) Preventive Controls for Human Food (PCHF) Rule (21 CFR 117) requires subject food facilities to develop and implement a robust Food Safety Plan that includes an analysis of hazards and risk-based preventive controls (PCs) to minimize or prevent those identified hazards.

One of the key requirements of the PCHF Rule is that certain activities be performed by a Preventive Controls Qualified Individual (PCQI) who is knowledgeable in the development and application of risk-based PCs. At least one PCQI is required at each subject facility, who is responsible for overseeing or performing the following:

• Preparation of the Food Safety Plan.
• Validation and verification of PCs and monitoring activities.
• Records review.
• Annual reanalysis of the Food Safety Plan.

PCQI Training Requirements

Becoming a PCQI requires knowledge in the development and application of risk-based PCs gained either through job experience or through training under a standard Food and Drug Administration (FDA)-recognized curriculum.

The Food Safety Preventive Controls Alliance (FSPCA) PCHF (PCQI) training curriculum, which includes minimum of 22 contact hours, is widely recognized by FDA and industry as the “gold standard” for food safety professionals to obtain the knowledge required to create a Food Safety Plan under the PCHF Rule.

A New Version

On June 30, 2025, FSPCA retired its previous (Version 1.2 (V1.2)) PCHF/PCQI training curriculum; as of July 1, 2025, FSPCA will only conduct and/or approve administration of its new Version 2.0 (V2.0) curriculum. V2.0 is designed to better equip participants with the most current tools and reference materials, new and updated guidance documents, and the latest strategies for managing Food Safety Plans and FDA compliance.

One of the most significant changes to the curriculum includes integrating the FDA’s new Hazard Analysis and Risk-Based Preventive Controls for Human Food draft guidance, which was released in January 2024. The curriculum expands the hazard analysis chapter to show participants how to use the guidance when performing a hazard analysis, takes a deeper dive into specific pathogens of concern for food, and offers more specific examples of chemical and physical hazards.

Other changes include the following:

• More modern format to improve clarity, including using QR codes to provide quick access to supporting documents and resources.
• Knowledge checks at the end of each chapter to help gauge participant understanding throughout training.
• Restructured to follow Hazard Analysis and Critical Control Points (HACCP) principles built on critical control points (CCPs) and expanded using PCs.
• Examples incorporating recent current events (e.g., recalls, economically motivated events).
• Updated model planning examples to support learning objectives.
• Clearer examples of how to document PCs.

Training Renewal

Individuals who received FPSCA training under PCHF/PCQI V1.2 do not need to re-complete the training course again to remain a PCQI. There is no FDA regulatory requirement to renew training to comply with the PCHF Rule. However, some customer and third-party requirements may require renewal.

Beyond requirements, taking the V2.0 course incorporates new FDA guidance information tools and may be valuable for any current PCQI to get new insights into the PCHF Rule and updated resources to help with compliance. All food safety professionals taking the FSPCA PCHF/PCQI course will be trained under the new V2.0 curriculum going forward.

Functionality: What does it do?

Every organization is at risk of incidents, those unplanned events that have the potential to disrupt service and cause significant operational impacts—safety, environmental, food safety, quality, reputational, etc. KTL’s Incident Management Tool provides organizations with an effective system to help manage workplace incidents, track patterns, identify trends, and correct unsafe practices to maintain compliance and prevent future issues.

Benefits: Why do you need it?

Built on Microsoft’s Power Platform, KTL’s Incident Management Tool:

• Allows for easy and secure data entry from any device, anytime, anywhere with mobile access.
• Tracks all types of incidents in one system, providing centralized incident data management, trending, and analysis.
• Connects to KTL’s Root Cause Analysis Tool and Corrective and Preventive Action (CAPA) Tracking Log to enhance incident investigations, identify root causes, and track and manage CAPAs to closure.
• Implements workflows to manage incidents, including sending email notifications, routing documents, processing forms, etc.
• Generates customized dashboards that provide visual displays of incident data to help identify opportunities to prevent future incidents.
• Improves compliance by organizing data for reporting to OSHA, EPA, or other regulatory agencies.
• Allows response teams to document and share information as events unfold—from initial emergency response protocols through crisis management steps—so proper decisions can be made and documented for business continuity.

Technology Used

• Power Apps
• Microsoft Dataverse
• Power Automate
• Power BI

Functionality: What does it do?

Root cause analysis (RCA) is a systematic method of problem-solving used to identify the underlying (i.e., root) cause(s) of a problem or incident, alleviate risk, and help ensure that similar problems do not occur in the future. KTL’s RCA Tool walks users through the 5-Why Process, a simple method for conducting an RCA that involves asking the question “Why” enough times (i.e., five times) to get past the symptoms of a problem and down to the underlying root cause of the issue.

Benefits: Why do you need it?

KTL’s RCA Tool ties directly to corrective and preventive actions (CAPAs) to help ensure an RCA is conducted, as needed, for each CAPA. The tool sends a notification to supervisor/management when a CAPA is submitted with a direct link to the CAPA so management can complete the RCA, assigns follow-up actions and sends notifications to the responsible person(s), and keeps records in a central location for audits, regulatory visits, or future data analysis.

Using the RCA Tool offers a simple way to conduct an effective RCA that can help organizations to:

• Reduce the risk of injury and/or death to workers and community members.
• Avoid unnecessary costs resulting from business interruption; emergency response and cleanup; increased regulation, audits, and inspections; and OSHA fines.
• More effectively control hazards, improve process reliability, increase revenues, decrease production costs, lower maintenance costs, and lower insurance premiums.

Technology Used

• SharePoint for data storage
• Power Apps for the user interface
• Power Automate to send notifications

The Safe Quality Food (SQF) Program is a rigorous food safety and quality program. Recognized by the Global Food Safety Initiative (GFSI), the SQF codes are designed to meet industry, customer, and regulatory requirements for all sectors of the food supply chain. SQF certification showcases certified sites’ commitment to a culture of food safety and operational excellence in food safety management.

In mid to late August 2025, SQF will be releasing Edition 10 to align the code with the latest GFSI benchmarking criteria, updated regulatory requirements, and scientific changes. According to the SQF Institute (SQFi), SQF Edition 10 is designed to reshape how food manufacturers approach safety, culture, change management, and continuous improvement. Edition 10 is scheduled for implementation with audits beginning April 2026.

Key Updates

According to SQFi, Edition 10 represents a strategic evolution in food safety management, focusing on three critical areas:

1. Food Safety Culture. Edition 9 elevated food safety culture by requiring senior leadership to lead and support a food safety culture within the site. Edition 10 aims to transform food safety from a procedural requirement to an organizational mindset by mandating robust Food Safety Culture Plans that demonstrate comprehensive strategies for the following:
   • Effective communication.
   • Comprehensive employee training.
   • Systematic feedback.
   • Continuous improvement.
2. Change Management. Edition 10 implements a mandatory change management clause that requires organizations to develop documented procedures for handling all types of changes (i.e., equipment, processes, personnel). The intent is to help organizations better identify and manage risks and prevent potential incidents.
3. Environmental Monitoring. Edition 10 requires a risk-based assessment to determine environmental monitoring needs. This will allow sites to develop monitoring strategies and programs based on their specific operational risks and environments.

In addition, Edition 10 includes the following updates:

• Documentation: Requirements for documentation are now contained in a single structured section to simplify compliance and improve auditor efficiency.
• Training: Edition 10 includes enhanced training and competency assessments so personnel at all levels understand and are prepared to maintain food safety standards.
• SQF pre-audit: The concept of pre-audits (i.e., internal audits) is reintroduced to help sites better prepare for certification.

Planning for Change

For companies that are SQF-certified, now is the ideal time to assess current SQF program elements, identify improvements that are internally desirable and required by the new standard, and implement those updates that will make the SQF program more useful to the business. This can be done through a series of phases to ensure adoption throughout the organization.

Phase 1: SQF Assessment

An assessment should begin by reviewing the following:

• Existing SQF programs, processes, and procedures.
• Existing document management systems.
• Employee training tools and programs.

This documentation review and program assessment will help to identify elements of the existing SQF program that are acceptable, those that show opportunities for improvement, and those that may be missing, including those needed for development and implementation to meet the requirements of SQF Edition 10.

Phase 2: SQF Program Updates

The assessment will inform a plan for updating the SQF certification program, including major activities, key milestones, and expected outcomes. Development/update activities included on the plan may include the following:

• Developing new or updating current SQF programs, processes, and procedures with missing Edition 10 requirements, including new procedures for change management and environmental monitoring.
• Updating training programs with any new and additional requirements, focusing on enhanced competency assessments.
• Revising document register to align with SQF Edition 10 changes.
• Updating records and forms with any new/additional requirements.
• Updating Food Safety Policy to include new food safety culture requirements.

When implementing program updates, leveraging existing management system and certification program elements and utilizing proven approaches can greatly streamline the process.

Phase 3: Training

To ensure staff are prepared to implement and sustain the updated SQF Edition 10 program, training is important. This includes training for affected staff on applicable requirements; specific plans, procedures, and Good Manufacturing Practices (GMPs) developed to achieve compliance; and the certification roadmap to prepare for future audits.

Following this plan now will help companies ensure they maintain their SQF certification when audits begin under SQF Edition 10 in April 2026 and demonstrate their ongoing commitment to meeting customer and regulatory requirements, protecting the company brand, and keeping consumers safe.

The Occupational Safety and Health Administration (OSHA) uses inspections to help ensure employers provide safe and healthy workplaces. In April 1999, OSHA implemented its first nationwide Site-Specific Targeting (SST) plan to conduct comprehensive programmed inspections in non-construction worksites with 20 or more employees. The SST inspection program has been renewed and updated since that time, and on May 20, 2025, OSHA issued the most recent directive for its SST inspection program. This new version is more narrowly focused, prioritizing programmed inspections at establishments with high or upward-trending injury and illness rates, as well as those that failed to submit required information.

Key Changes

The SST program uses injury and illness data that employers submit under 29 CFR 1904.41 through OSHA Form 300A. The new SST directive was updated to rely on data from calendar year (CY) 2023 versus CY 2021, reflecting OSHA’s continued efforts to allocate enforcement resources based on the most recent injury and illness data. OSHA then uses this data to target and identify facilities for a potential SST inspection, as follows:

• High-rate establishments: Facilities with elevated Days Away, Restricted, or Transferred (DART) rates for CY 2023. Importantly, OSHA will set one DART rate of manufacturing and a different DART rate for non-manufacturing to provide for equal targeting from both groups.
• Upward-trending establishments: Facilities with rates at or above twice the private sector national average in CY 2022 that have continued to trend upward annually from CY 2021-2023.
• Low-rate establishments: Those with low DART rates. Low-rate facilities will be randomly selected for inspection to verify the reliability of Form 300A data.
• Non-responders: Facilities that failed to submit CY 2023 Form 300A data, as required. A random sample of non-responders will be inspected to discourage employers from not reporting.

What’s Involved

Based on data collected and the above criteria, OSHA Area Offices (AOs) select facilities to target for planned SST inspections. The SST inspections are comprehensive in scope and may be expanded with justification (e.g., including health hazards based on prior inspection history in industry classification).

During the SST inspection, the Certified Safety and Health Official (CSHO) will do the following:

• Review data. The CSHO will review available OSHA 300 Logs, Form 300A summaries, and 301 Incident Reports for CY 2021, 2022, and 2023.
• Conduct a facility walkthrough. During the walkthrough, the CSHO will evaluate potential hazards in all areas of the workplace; however, the focus will largely be on those areas where the facility has had documented injuries and illnesses.
• Evaluate employee exposures. The CSHO will pay particular attention to hazards observed during the walkthrough, discussed in employee interviews, and/or identified on OSHA 300 Logs and 301 Incident Reports.
• Assess the safety and health management system. The SST inspection will focus on whether the management system is adequate to identify and address the elevated injury and illness rates.
• Conduct a closing conference. The CSHO will discuss with the employer identified hazards, gaps in reporting practices, and deficiencies in the safety and health management system during the closing conference.

What You Can Do

The updated SST inspection program update reflects OSHA’s ongoing commitment to data-driven enforcement and targeted inspections in general industry. Correspondingly, accurate data is critical. Facilities must have their OSHA recordkeeping and reporting practices in check. Not only should records be verified as accurate and complete, but each accident should have a documented corrective action. This information should be checked, and any additional actions should be made to fully comply with Occupational Safety and Health (OSH) Act requirements.

But beyond recordkeeping and reporting, facilities can take steps to avoid an SST inspection altogether by making sure they have the processes, programs, and systems in place—and documented—to protect employees’ safety and health:

• Develop comprehensive safety programs and a robust safety management system. A compliance management information system can provide a centralized location to track and manage all safety-related information (e.g., policies, procedures, and practices) to not only help ensure going compliance but to also provide the documentation required should an inspection occur.  
• Regularly assess the level of existing OSHA programs against compliance issues and potential accidents. Identify what may need to change in the facility’s OSHA compliance programs and practices to ensure their effectiveness and then implement and document appropriate corrective actions.
• Maintain robust occupational health and safety and incident. Information technology (IT) tools, such as KTL’s OSHA 300 Power App, with its comprehensive intake form tailored to OSHA 300 and OSHA 300A requirements, make it easier to collect, search, and analyze data—and maintain OSHA compliance. Using a digital forms further helps ensure no crucial data points are missed and makes it easy to filter, search, and analyze records and data to offer deeper insights into safety performance.
• Understand what to expect from an OSHA inspection. Educate staff on the process a CSHO will follow and make sure team members understand their roles in the inspection. Prepare staff to respond appropriately to the CSHO’s questions and, importantly, make sure they know how to locate requested documentation.
• Train employees. All employees should receive ongoing training to fully understand and follow safety processes and procedures. Training should focus on worker knowledge and understanding their responsibilities to comply with identified requirements.

Functionality: What does it do?

Having a simple, centralized system to manage, track, communicate, and report compliance program information can enable staff to complete required tasks, improve compliance performance, and support operational decision-making. Microsoft SharePoint® provides a powerful platform that helps organizations manage, share, and collaborate on documents and information to create operational efficiencies.

Implementing a system like this may seem overwhelming. One of the most difficult aspects can simply be determining how to get started. Starting small—with a single team or department—is often the best approach. Focusing on core SharePoint features, such as document management and lists, provides users with an easy to grasp introduction to the system. As comfort grows, SharePoint can then be expanded to support broader business processes and integrations with other Microsoft Power Platform® tools.

Benefits: Why do you need it?

SharePoint provides a simple, centralized solution for managing everyday business tasks using familiar technology. The platform gives users the opportunity to start small and build additional functionality and business efficiencies. For example:

• Document management in SharePoint allows businesses to store, organize, and collaborate on files in a secure and centralized environment.
• Lists function like spreadsheets or lightweight databases, ideal for tracking information, managing tasks, or logging activities.

Both of these features are “out of the box” functionalities of SharePoint that are easy to deploy and use, while delivering significant impacts to business efficiency and better control over business documents and data.

Technology Used

• SharePoint Site/Pages
• Document Libraries and Lists

Risk-based concepts are everywhere. Most decisions we make—knowingly or not—are based on assessing the probability of an outcome or risk. Sometimes the potential outcomes of a decision are clear; sometimes it takes considerable analysis to draw conclusions regarding potential outcomes (i.e., what could go wrong?) and the likelihood and severity of those outcomes (i.e., how bad could it be?).

When it comes to environmental, health, and safety (EHS), it takes significant scientific knowledge, deep understanding of exposure, and a systematic process (i.e., an environmental risk assessment) to identify and evaluate risks and then make decisions on how to mitigate, manage, or remove them. We recently sat down with KTL Senior Consultant and risk expert Margaret Roy to talk more about the concept of risk and risk assessments.

Q: What is a risk assessment?

A: Risk assessment is a general term that summarizes an approach to identify uncertainties (i.e., risk), rate or gage the magnitude of the risk(s), and then develop a strategy to manage or reduce those risks. Managing risk is about managing uncertainties.

For example, you may choose to wait a few days to drive through a mountain pass that is expected to receive snow. You may or may not get stuck or involved in a car accident—it is uncertain—but you reduce your risk of an incident by waiting until after the storm and the roads have been cleared. In this case, a simple risk assessment was completed to manage the uncertainties associated with driving through a snowy mountain pass. Other management strategies could have been to take an alternate route or to drive a vehicle better suited for snowy conditions.

Q: What is an environmental risk assessment?

A: An environmental risk assessment characterizes the nature and magnitude of health risks to humans and ecological receptors from stressors (i.e., physical, chemical, or biological) that may be present in environmental media such as soil, drinking water, or air.

We are exposed to a variety of chemicals (e.g., that new car smell) and biological agents (e.g., the common cold) every day, and health-based risk assessments help manage what and how much we are exposed to. Human health risk assessments address questions such as:

• What types of health problems may be caused by an agent (like a chemical or radiation)?
• What is the chance that people will experience health problems when exposed to different levels of these agents?
• What is a “safe” level?
• Who is being exposed (children, the elderly)?

Ecological risk assessments ask the same questions as human health risk assessments, but for an ecosystem. Ecological risk assessments address questions such as:

• Would metals in a stream near an old abandoned mine damage the population of fish in the stream? If the fish population is impacted, what about the birds, mammals, reptiles, and amphibians that may live near the stream?
• Can the application of an insecticide harm an endangered bird species?
• What are the long-term effects on the ecosystem in a bay following the accidental release of oil from a tanker?

Q: What do environmental risk assessments evaluate?

A: Whether focused on human health or ecological impacts, at its core, an environmental risk assessment is exposure analysis—who is exposed to what, where, and how much? Everything has the potential to be poison; what makes the difference is the exposure or dose. Think about water consumption as an example. Drinking water is a healthy habit; however, too much water (gallons of water in an hour) can lead to water intoxication, which can result in negative health impacts or even death. The dose is what makes the poison.

For there to be negative health impacts, there need to be three key elements present. Together, these elements create a complete exposure pathway:

1. Stressor. Environmental risk assessments generally consider chemicals such as benzene and acetone, as well as inorganics like mercury or arsenic.  
2. Exposure. A person or animal ingests or inhales the chemical, or it is absorbed through the skin.
3. Toxic Effect. The recipient experiences some sort of negative impact or toxic effect.

For example, we can ingest water without any ill effects, but past a certain amount, electrolytes in your body go out of balance. For lead, exposure to a child over time can lead to developmental and lifelong health issues.

Q: What is the process for conducting an environmental risk assessment?

A: The process for conducting an environmental risk assessment has been developed by the scientific community over the past 60 years. The Environmental Protection Agency (EPA) and many states publish guidance documents and analyses of chemical toxicity that are applied using the following process:

1. Define the Problem: What are the chemicals, where are the chemicals (e.g., drinking water, air), what are the concentrations of the chemicals?
2. Quantify the Exposure: Who is being exposed? For example, is it a residential community, a worker, or bird in a forest?
3. Calculate the risk: Risk is defined by comparing the exposure dose to a safe concentration.

Risk assessment is much more than just a number. As part of the risk assessment, risk characterization must consider multiple variables, and then apply a big dose of common sense: Who is exposed, is it a vulnerable group like children? How do the chemicals move in the environment or change in our bodies? Are some of the assumptions used in developing the risk assessment overly conservative given the site conditions (e.g., does a bird really live on the site its whole life and consume only earthworms?)? Risk characterization is a very thoughtful process that considers the big picture of the risk assessment.

Q: How certain are the results of an environmental risk assessment?

It is important to note that all risk assessments carry some level of uncertainty, as risk assessors must often estimate exposure, use their own experience and judgment, and rely on scientific research to calculate risks. This is why it is important that the risk assessor have substantial knowledge and understanding of exposure in a variety of technical areas, including:

• Ecology
• Toxicology/ecotoxicology
• Analytical chemistry
• Soil/sediment
• Geology/hydrogeology
• Surface water/groundwater modeling
• Demographics/population biology
• Statistics
• Communication
• COMMON SENSE 

Good risk assessments discuss data gaps and other limitations in models and assumptions used to estimate exposures. Note that because of the inherent uncertainties, risk assessment is often an iterative process that involves screening initial information, identifying gaps, refining the scope of the assessment, and then collecting and assessing additional data.

Q: How are risk assessment results used?

A: Put simply, risk assessment informs risk management decisions. Risk management integrates the results of the risk assessment with other considerations (e.g., economic implications, legal concerns) to determine what risk reduction/management activities should be implemented. Importantly, risk assessment/management pays particular attention to connections. What is all connected? Where is the contaminant traveling? How does one decision to manage risk impact the rest of the supply chain or ecosystem?

There are many different ways risk assessment is used, including the following:

• Evaluating the likelihood that observed effects are caused by past or ongoing exposure to specific stressors and then predicting the likelihood of future effects.
• Supporting many types of actions, including:
  • Regulating hazardous waste sites, industrial chemicals, and pesticides.
  • Reusing property and material (e.g., soil, gray water, brownfield sites).
  • Protecting ecosystems from chemical, physical, or biological stressors.
  • Setting environmental limits for chemicals.
  • Conducting Superfund site remediation.
• Providing information to risk managers that can be used to:
  • Communicate with interested parties.
  • Limit exposure to the ecological stressor.
  • Negotiate remediation options with stakeholders (e.g., brownfields sites).
  • Develop monitoring plans to confirm risk reduction and ecosystem recovery.

Q: How do I know if I need an environmental risk assessment and how do I proceed?

Environmental risk assessments are often driven by regulatory programs. For example, if you own a gas station and you have a leaking unground storage tank (LUST), then your company may enter a state’s LUST program. The risk assessor would help figure out where to sample to understand how far the contamination has traveled, who may be exposed, and how much soil should be remediated or removed to mitigate the risks. There is a risk that gasoline could leach down to the groundwater. If the groundwater is a drinking water source, then many people could be exposed. Removing the soil may be the best way to mitigate the risk to groundwater.

Risk assessment, in general, is also a tool that can—and should—be used to evaluate the risks associated with business decisions. For example, a local farm has access to an irrigation well, but the groundwater is known to have low levels of solvent. Risk assessment could be applied to assess whether the irrigation water is safe for the workers to be directly exposed to, but also if the water is safe to use on the agricultural crops. The assumptions used in the exposure analysis could be tailored specifically to the conditions at the local farm so the best decisions on use of the irrigation water can be made.

Risk assessment is a strategy that can be applied to all sorts of different businesses and industries, but conducting a health-based risk assessment requires specialized expertise. Bringing in a risk expert is prudent to help ensure that the entire exposure pathway is evaluated and the most effective risk management solutions can be identified and implemented.

The food system and supply chains continue to change and evolve at an accelerated pace. The Department of Health and Human Services (HHS), Food and Drug Administration (FDA), and U.S. Department of Agriculture (USDA) have taken a number of significant food safety regulatory actions in the first quarter of 2025, including announcing HHS’s intent to explore potential rulemaking to eliminate the self-affirmed Generally Recognized as Safe (GRAS) pathway and proposing to extend the compliance date for the Food Traceability Rule by 30 months.

The regulatory landscape is shifting, and regulatory changes continue to come fast and furious. The following recent actions (amongst others) have the potential to significantly impact food companies across the U.S.

Updated Allergen Guidance

On January 6, 2025, the FDA published a revised fifth edition of its food allergen guidance for industry, Questions and Answers Regarding Food Allergens, including the Food Allergen Labeling Requirements of the Federal Food, Drug, and Cosmetic Act. The guidance is intended to help the food industry meet requirements for accurately labeling FDA-regulated foods with the big 9 food allergens (i.e., milk, eggs, fish, crustacean shellfish, tree nuts, wheat, peanuts, soybeans, and sesame) to protect consumers with food allergies.

The guidance includes updates reflecting FDA’s current thinking on food allergen labeling topics, including the following:

• Information regarding sesame as a major food allergen.
• Expanded interpretations of milk and eggs as major food allergens to include milk from ruminant animals other than cows and eggs from birds other than chickens.
• Adjustments to remove certain tree nuts, including coconuts, from the list of major food allergens.

Companies should reference the updated guidance to ensure they understand these changes, accurately evaluate the food safety and allergen risks of their products, and update manufacturing and labeling practices to remain in compliance with food allergen labeling requirements.

Withdrawal of Salmonella Framework

On July 29, 2024, the USDA Food Safety and Inspection Service (FSIS) issued its proposed rule and determination to more effectively reduce Salmonella contamination and illnesses associated with raw poultry products. The proposed framework presented a systematic approach to addressing Salmonella contamination at the poultry slaughter and processing stages, including the first enforceable standards to prevent raw chicken carcasses, chicken parts, ground chicken, and ground turkey products that contain any type of Salmonella at or above 10 CFU per gram/mL from entering the market. It also required poultry companies to establish microbial monitoring programs (MMPs) incorporating statistical process controls (SPCs) to identify and prevent pathogen contamination throughout the slaughter system. 

FSIS received over 7,000 public comments on the proposed framework and announced a Notice of Withdrawal on April 25, 2025, retracting the proposed rule and determination to allow the Agency to further assess its approach. FSIS cites the following areas as garnering the most comments—both positive and negative:

• FSIS’s legal authority to propose final product standards.
• Proposed Salmonella levels and serotypes for the final product standards.
• Proposed use of SPC monitoring.
• Scientific and technical information used to support the proposed framework.
• Potential economic impacts.
• Potential impacts on small poultry growers and processors.

The comments also suggested several alternative approaches to address Salmonella illnesses associated with poultry products. FSIS is taking all of this under advisement as it reassesses its approach to Salmonella and whether an update to the current standards is warranted.

Phasing Out Synthetic Dyes

HHS and FDA announced on April 23, 2025 that they are taking immediate action to phase out eight petroleum-based synthetic dyes in foods and to fast-track review and approval of natural alternatives. These dyes are found in hundreds of products, including candy, cereals, beverages, and even medications.

Many synthetic dyes currently used in the U.S. have been banned or restricted in the European Union since 2010. In November 2023, California became the first state in the U.S. to ban four food additives (Red No. 3, brominated vegetable oil, potassium bromate, and propylparaben) in foods sold in California through the California Food Safety Act, and in March 2025, West Viriginia signed one of the most comprehensive food dye bans into law. Now the FDA is taking the following significant actions to remove synthetic dyes from all U.S. products:

1. Establish a national standard and timeline for the food industry to transition from synthetic dyes to natural alternatives.
2. Revoke authorization of Citrus Red No. 2 and Orange B in the next few months.
3. Work with industry to remove the remaining six synthetic dyes from the food supply by the end of 2026. This includes FD&C Green No. 3, Red No. 40, Yellow No. 5, Yellow No. 6, Blue No. 1, and Blue No. 2.
4. Fast-track authorization of four new natural color additives, including calcium phosphate, Galdieria extract blue, gardenia blue, and butterfly pea flower, and accelerate review of others.
5. Partner with the National Institutes of Health (NIH) to further research how food additives impact children’s health.
6. Request food companies remove FD&C Red No. 3 sooner than the January 15, 2027 or January 18, 2028 deadlines established by FDA on January 15, 2025.

The FDA is planning to proceed without any statutory or regulatory changes, relying instead on the voluntary efforts of the food industry in complying. The Agency is taking steps to issue guidance and provide regulatory flexibility to industry to remove the synthetic dyes as quickly as possible from the market.

In most cases, companies will need to:

• Inventory existing products and their ingredients to determine which products use synthetic dyes.
• Reformulate affected products to use natural color alternatives, test new recipes, and, potentially, make other recipe changes.
• Identify and approve new suppliers of alternative ingredients.
• Update label design, adjust ingredient panels, and modify any relevant nutritional claims.

Stay Focused

Change is happening, and companies in the food industry need to pay attention and be prepared:

• Conduct a comprehensive food safety and quality gap assessment. Know your operations, inventory your ingredients, understand your supply chain. This assessment should be the starting point for understanding your regulatory and certification obligations and current compliance status—and for ensuring you are prepared to meet pending regulatory developments.
• Train your staff. Every change discussed above requires employee understanding. Train your team routinely on requirements, responsibilities, processes, expectations, etc.
• Seek third-party oversight. Having external experts periodically look inside your company can help determine regulatory applicability, provide an objective view of what is really going on, prepare for audits, and implement corrective/preventive actions that help ensure compliance. An outside expert can often provide the “big picture” view of what you have vs. what you need; how your plans, programs, and requirements intersect; and how you can best comply with changing requirements.

Virtually every regulatory agency has regulations that require companies to fulfill very specific compliance requirements. Sometimes, there is overlap and businesses may be required to comply with similar—yet different—regulations from two different agencies. Using containers to store hazardous waste products is one of those tricky situations.

Different Definitions

Containers used for hazardous materials or waste are regulated under the Department of Transportation’s (DOT) Hazardous Materials Regulations (HMR) (49 CFR 173.29) and the Environmental Protection Agency’s (EPA) Resource Conservation and Recovery Act (RCRA) Hazardous Waste Requirements (40 CFR 261.7). The confusion between these rules comes in the definition of empty, which changes significantly from one agency to the next.

For both agencies, the definition of empty dictates how containers that once held hazardous waste and/or hazardous materials are managed (i.e., shipped and disposed of). However, a container can meet the criteria for emptiness according to EPA but still not be considered empty according to DOT for transportation purposes. It is important to understand the different definitions to be able to comply.

EPA RCRA-Empty

The EPA regulations regarding management of empty containers and residues establish procedures for determining if a container is empty (i.e., no longer contains hazardous waste) and defining when hazardous waste residue in an empty container is exempt from regulation. According to EPA, an empty chemical container has been removed of all materials or liquids via commonly employed practices (e.g., pumping, pouring, or aspirating). But what does this actually mean?

RCRA-empty conditions differ based on whether the container is holding non-acute hazardous waste, acute hazardous waste, or hazardous waste in compressed gas form, as shown in the table below.

Containers that meet the definition of RCRA-empty are exempt from requiring specialized management as a hazardous waste. RCRA-empty containers can be disposed of at an authorized municipal solid waste landfill, recycled through a legitimate recycler, or reused onsite. Reuse requires properly emptying the container to avoid mixing incompatible substances that may create human health or environmental concerns. If a container is not found to be RCRA-empty, any residues removed from the container must be managed as hazardous waste under Subtitle C.

DOT Empty

DOT is responsible for hazardous materials shipping regulations. Unlike RCRA, DOT hazards are not defined by the quantity of material in the container; rather, the properties of the material dictate hazards. Even when a container appears empty, the hazardous material residue may still pose a hazard under the HMR. Per 49 CFR 173.29(a), these containers must follow the same rules as full hazmat containers when it comes to shipment. This includes having shipping papers, placards, labels, and markings, as well as providing training for employees who prepare the containers (full or empty) for shipping.

A container that once held hazardous materials is only considered exempt from HMR under the following conditions:

• The container remains unused.
• The container has been thoroughly cleaned and sufficiently purged of vapors to eliminate potential hazards.
• The container has been refilled with non-hazardous material to neutralize any remaining hazards from residue.

In addition, if the material inside the container is a DOT Class 9 material and meets the definition of RCRA-empty, the container is exempt from both EPA hazardous waste and DOT hazardous material shipping requirements.

Containers that meet the DOT criteria for being truly empty must have any hazard labels, markings, or placards that would be visible in transportation removed, covered, or obliterated to ensure emergency responders can correctly identify that the package contains no regulated hazardous materials.

Empty, Full, or Both?

In short, it is possible to have a container that EPA considers empty, but DOT does not. In this case, if you plan to ship the container, you would not have to follow any EPA hazardous waste rules, but DOT HMR would still apply when shipped.

A regulatory applicability assessment is a good first step in determining which regulations apply if you store hazardous waste in containers and/or plan to ship hazardous materials. If DOT’s HMR and EPA’s RCRA Hazardous Waste Requirements, it is then important to understand the distinction between the rules regarding what is considered empty to comply with both agency’s requirements.