The Food Safety Modernization Act (FSMA) includes new requirements for food site inspections. Beyond that, the Act increases the frequency of established inspections. For example, FSMA mandates that high-risk facilities must be inspected within five years of enactment and no less than every three years following the initial inspection. The Act also requires inspection of at least 600 foreign facilities initially and double that number every year for the next five years. Routine inspections from FDA and other enforcement agencies will continue based on schedules to be communicated.

With FSMA rules moving to the compliance stage, food companies must prepare to best respond to the requirements and, correspondingly, to additional inspections beyond GFSI or as part of customer requirements.

Be Prepared

Inspectors will focus heavily on new requirements and the “letter of the law”. Therefore, a well-established inspection program and response that is implemented and tested will help to achieve the most favorable outcome. This is an important area to address, especially given the many changes in compliance under FSMA, greater scrutiny under GFSI, and a rapidly changing responsibility for food safety management resources. It is critical to have established roles, planning, and testing as part of any inspection readiness program.

Inspection Agencies

As reported, the FDA is underfunded to conduct the scheduled inspection of food operations under FSMA. While many inspections will be administered by the FDA, which will continue to expand internal resources, some local agencies are already under contract for conducting inspections that will be much more detailed than visits from them in the past.

These local regulatory agencies, including state health departments, are providing the “boots on the ground” to conduct inspections for direct compliance under FSMA or as a means of communicating more serious issues to the FDA. Based on recent experience, more critical issues are being raised to the FDA level for final action.

Roles and Responsibilities

Regardless of a company’s experience with FDA compliance audits, the new rules and Section 117 cGMPs will require more formalized programs and strong evidence of compliance through internal audits and oversight by Qualified Individuals. Additionally, organizations under the FSMA Preventive Control Rule must have multiple Food Safety Plan Qualified Individuals, Qualified Auditors, competent sanitation management, and competent plant operators. Ultimately, all food company employees must be prepared for their roles in an FDA compliance inspection.

Planning

As preparation for FDA inspections, companies must establish a program to best address an inspection.  The focus must be on compliance to FDA, FSMA, and internal requirements—with the inspection providing this for the company in question. The biggest concern is gaps in compliance or known non-compliances; however, with FSMA there is no tolerance or excuse for ignorance.

A response procedure should be well-orchestrated to meet and respond to the representative of the FDA or the agency visiting the site for an FDA inspection. Along with the immediate response to any inspection (including those planned and those unplanned), food companies should consider the following:

1. Completely develop an FSMA Food Safety Plan to ensure that it is aligned with a possible audit and includes reference to all supporting programs, cCMPs, resource qualifications, and records. The plan must be developed under the oversight, validation, and verification of preventive controls Qualified Individual, as trained, qualified and designated.

2. Have the most appropriate organizational structure (i.e., with Qualified Individuals, Qualified Auditor, sanitation leads and food plant operators) to meet FSMA resources and minimize the organizational impacts.

3. Regularly review the FSMA Food Safety Plan as part of a general and management review process, including the internal audit by the Qualified Auditor, to ensure the up-to-date compliance of the Plan.

4. Review all records to maintain verification requirements for FSMA, as required by Section 117. Ensure that all records are complete, validated, and verified.

5. Conduct mock regulatory inspections to ensure readiness and understanding of the responsibilities of each employee based on their roles in the process. This should include following the program and confirming all actions, roles, and responsibilities. All improvements from this process should be updated into programs and implemented for possible inspection purposes.

6. Ensure compliance with all other regulatory requirements, including FSMA Sanitary Transportation, Foreign Supplier Verification, site registration, and any other related regulatory requirements.

7. Confirm compliance with Management of Change (MOC) to ensure that all building, equipment, and process changes are reflected in current Food Safety Plans and Section 117 cGMPs. This must include product-level specifications, including packaging, ingredients, and processing.

8. Document and update review and mock drills of regulatory inspection programs with any non-conformances addressed as quickly as possible. Consider the process for verifying the inspector’s credentials, opening the session, and ensuring that all required personnel or backups are onsite in the case of an inspection. In cases where all cannot be present or for outside contacts, ensure availability of ownership, corporate compliance management, and designated legal counsel.

Compliance with both FSMA and GFSI requirements means fully conforming with the other. A non-conformance to the GFSI food safety system represents a potential FSMA violation; correspondingly, lack of conformance to FSMA can be a non-conformance to GFSI certification. Criminal violations for non-compliance to FSMA begin with misdemeanor charges starting at $250,000 and up to one year in jail. With these consequences on the line, the importance of FDA inspections must be taken very seriously.

All types of business and operational processes demand a variety of audits and inspections to evaluate compliance with standards—ranging from government regulations to industry codes, to system standards (i.e., ISO), to internal corporate requirements.

Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices.

By combining effective auditing program design, standardized procedures, trained/knowledgeable auditors, and computerized systems and tools, companies are better able to capture and analyze audit data, and then use that information to improve business performance. Having auditing software of some sort can greatly streamline productivity and enhance quality, especially in industries with many compliance obligations.

The following tips can help ensure that companies are getting the most out of their auditing process:

1. Have a computerized system. Any system is better than nothing; functional is more important than perfect. The key is to commit to a choice and move forward with it. Companies are beginning to recognize the pitfalls of “smart people” audits (i.e., an audit conducted by an expert + notebook with no protocols or systems). While expertise is valuable, this approach makes it difficult to compare facilities and results, is not replicable, and provides no assurance that everything has been reviewed. A defined system and protocol helps to avoid these pitfalls.

2. Invest time before the audit. The most important time in the audit process is before the audit begins. Do not wait until the day before to prepare. There is value in knowing the scope of the audit, understanding expectations, and developing question sets/protocol. This is also the time to ensure that the system collects the data desired to produce the final report.
   

3. Capture data. Data is tangible. You can count, sort, compare and organize data so it can be used on the back end. Data allows the company to produce reports, analytics, and standard metrics/key performance indicators.
   

4. Don’t forget about information. Information is important, too. The information provides descriptions, directions, photos, etc. to support the data and paint a complete picture.
   

5. Be timely. Reports must be timely to correct findings and demonstrate a sense of urgency. Reports serve as a permanent record and begin the process of remediation. The sooner they are produced, the sooner corrective actions begin.
   

6. Note immediate fixes. During the audit, there may be small things uncovered that can be fixed immediately. These items need to be recorded even if they are fixed during the audit. Unrecorded items “never happened”. Correspondingly, it is important to build a culture where individuals are not punished for findings, as this can result in underreporting.
   

7. Understand the audience. Who will be reading the final report? What do they need to know? What is their level of understanding? Not all data presentation is useful. In fact, poorly presented data can be confusing and cause inaction. It is important to identify key data, reports desired, and the ways in which outputs can be automated to generate meaningful information.
   

8. Compare to previous audits. The only way to get an accurate comparison is if audits have a common scope and a common checklist/protocol. Using a computerized system can ensure that these factors remain consistent. Comparisons reinforce and support a company’s efforts to maintain and improve compliance over time.
   

9. Manage regulatory updates. It is important to maintain a connection to past audits and the associated compliance requirements at the time of the audit. Regulations might change and that needs to be tracked. Checklists, however, may remain the same. Companies should have a process for tracking regulatory updates and making sure that the system is updated appropriately.
   

10. Maintain data frequency. For data, the frequency is key. Consider what smaller scope, higher frequency audits look like. These can allow the company to gather more data, involve more people, and improve the overall quality and reliability of reports.

A well-designed and well-executed auditing program—with analysis of audit data—provides an essential tool for improving and verifying business performance. Audits capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. And using a technology tool or system to manage the audit makes that information even more useful.

This year is being described as “the year of FSMA compliance,” as many compliance dates for the various FSMA rules fall in 2017. As one might expect, the FSMA law and rules include many aspects of the established Global Food Safety Initiative (GFSI) standard; however, there are also differences in how they are applied to create better food safety enforcement.

At the most basic level, GFSI is an industry conformance standard for certification, while FSMA is a compliance regulation that must be met. However, both work together to ensure companies are effectively managing food safety.

GFSI Conformance

The GFSI is facilitated by the industry network of The Consumer Goods Forum. It provides a very solid foundation and supporting objective of “safe food for consumers everywhere”.

GFSI was originally established based on a growing pattern of food safety outbreaks throughout the international marketplace. This led to the proactive development of GFSI standards as an alternative to the more limited and less effective customer audits in place at the time. An important part of this outcome was that CEOs in the food industry—not a regulatory body—determined the need to address food safety through the GFSI food safety standard.

With its beginning as a benchmarking organization, GFSI has since evolved throughout the food supply chain as a strong means for achieving global food safety. It is now established, growing, and improving across the primary supply chains within the global food market.

As such, much work to address food safety has been accomplished by GFSI over the past sixteen years. In fact, the industry-driven aspect of GFSI along the food supply chain has led many companies to achieve levels of food safety comparable to those required to achieve FSMA compliance. Based on its collaboration of food safety experts, GFSI provides for a significant evolution of food safety programs and supports those requiring FSMA compliance.

FSMA Compliance

During a similar timeframe, the United States identified food safety as a major concern for the public. In the 1990s, a growing number of food outbreaks from biological contamination continued to spread, prompting the addition of controls within both the USDA and FDA. These brought the mandated requirement for Hazards and Critical Control Points (HACCP) and supporting Good Manufacturing Practices (GMPs) to specific industry sectors. However, these efforts were measured to have limited effect, as the outbreaks continued.

By the early 2000s, the public concern for food safety continued, and the FDA was determined to make changes. Along with Congress, the FDA commissioned research into the underlying issues that were resulting in the growing number and severity of food outbreaks. This research was being conducted and analyzed just as GFSI was determining its final group of benchmarked standards. At the same time, GFSI was positioned to be advanced into the U.S. market by food industry leaders, including Cargill, McDonalds, Walmart, Kroger, Coca Cola and Wegmans.

The outcomes from the FDA studies determined that the GMPs (in existence for the past 40 years) were not effectively implemented across the U.S. food industry. Further, the studies indicated that the ability to prevent food safety issues through specific controls would provide a means for reducing the number of foodborne illness.

This effort led to the development of FSMA, which passed in January 2011. Additional FSMA rules have since been published, starting in September 2016. The FSMA rules represent a rewrite of the existing FDA food safety regulations. However, with the FSMA law taking several years to roll out, the existing FDA laws remain in effect until they are replaced. These actions expand the FDA’s jurisdiction now and until full compliance of FSMA.

Bringing GFSI and FSMA Together

The presence of GFSI in the U.S., as well as the GFSI certification of many suppliers to U.S. food importers, provides for a synergy between the GFSI standard and the FSMA law being enforced throughout the U.S. and its foreign suppliers. GFSI’s global focus provides the structure to adapt and meet many of the FSMA requirements, with the ability to expand to all FSMA requirements.

As one would expect, the FSMA law and rules include several aspects of the GFSI standard; however, there are many differences in how each is applied to encourage better food safety enforcement. For instance, GFSI has the advantage of providing the time to develop programs, and thousands of companies are certified to the various programs under the standard. Conversely, FDA is implementing FSMA compliance over several years, with 2017 being a big year for compliance (based on the rules’ published dates, company size and industry segment).

In this new order of food safety in the U.S., those companies that have achieved GFSI certification should have an advantage over those who do not, provided they can align their GFSI programs with the FSMA law requirements. However, there is also a benefit to starting with FSMA and moving to a GFSI certification.

Existing GFSI certifications provide an established framework, with many of the program requirements similar to those required by FSMA. For example, personnel are required by both to establish HACCP and Food Safety Plans, as well prerequisite procedures (PRPs) and current-Good Manufacturing Practices (cGMPs). The challenges are ensuring the complete development of these food safety procedures to guarantee they meet both GFSI and FSMA requirements.

As another example, personnel requirements are similar but different under FSMA and GFSI, which calls for training, updating and qualifying resources. Ultimately, advanced HACCP training under GFSI provides the means for establishing a Qualified Individual under FSMA, but it requires expanding the training to include FSMA Preventive Controls and procedures. The resulting plan is the Food Safety Plan, which can be based on HACCP but with the proper additions to meet FSMA requirements.

Global Food Safety Conference

The upcoming Global Food Safety Conference (February 27 – March 3 in Houston, Texas) provides an opportunity for those seeking compliance to FSMA or certification to a scheme within the GFSI Standard to get a deeper understanding of food safety. With 2017 being the year of FSMA compliance, it is very appropriate that the Global Food Safety Conference be held in the U.S. this year. The conference will provide U.S. companies attending, as well as foreign suppliers of products to the U.S. market, an educational opportunity and forum to reach out to experts from industry, government, and academia to better understand these two key areas for food safety program development. Some of the topics to be addressed at the conference include the following:

• Food safety management commitment and corporate governance
• Required training of food safety roles, including management, staff and operations
• Specific requirements of the documented food safety program or written programs under FSMA
• FDA requirements of the past and existing requirements prior to FSMA and the relationship of these as comparable to GFSI
• Implications for FDA enforcement under FSMA of these previous requirements and program requirements that may need to be formalized under FSMA
• The proof of evidence with supporting records required by FSMA that may be addressed in part by existing or GFSI-level food safety programs
• How to adapt a FSMA-level food safety plan and preventive controls cGMPs from existing programs, including GFSI, or develop these to function with existing programs
• Levels and numbers of qualified individuals, qualified auditors and competent sanitation for oversight and management of FSMA food safety plans
• Management reanalysis and update of the written FSMA programs to ensure compliance and readiness for inspection by FDA FSMA investigators
• Process used to ensure compliance with FSMA Preventive Controls and the other FSMA rules being issued in 2017 and 2018, including Foreign Suppler Verification, Sanitary Transportation and Intentional Adulteration

Kestrel has been a long-time advocate of GFSI, performing site certification program development support for hundreds of companies. We have served as a GFSI Stakeholder, Technical Working Group participant, and panelist at previous GFSI Global Food Safety Conferences. We look forward to seeing you at the 2017 GFSI Global Food Safety Conference and to helping you navigate GFSI conformance and FSMA compliance requirements.

Kestrel is pleased to be growing our resources to the food industry with the addition of Senior Consultant Roberto Bellavia.

Roberto comes to Kestrel following a successful career with US Foods, where he provided leadership for quality and food safety programs; managed and developed HACCP, GMP, SSOP, and SOP programs; and planned and implemented GFSI certification for FSSC 22000 at 13 national locations.

At Kestrel, Roberto will be serving as project manager for food safety-related projects and supporting clients in developing and implementing GFSI schemes and supplier approval programs. He will focus on meat, dairy, RTE, bakery, and other related food industry segments.

Roberto holds a number of food qualifications that will enhance Kestrel’s ability to serve the food industry, including GFSI, HACCP, GMP, SSOP, SOP, FSPCA, Lead Auditor certifications. He has nearly 20 years of food quality experience and a Master’s Degree in Animal Production Science from the University of Camerino in Italy.

Compliance with the Food Safety Modernization Act (FSMA) has presented a new and difficult challenge for the industry, the public, and the FDA since it passed on January 4, 2011. When it comes to the Preventive Controls Rule, the prime question for companies, regardless of size, is whether they have aligned their preventive controls development with existing HACCP programs to meet current FSMA requirements.

Overview of Requirements

Under the Preventive Controls Rule, registered food facilities must evaluate and implement preventive control provisions to meet the requirements and the compliance deadline. The most urgent concerns for companies subject to the Preventive Controls Rule include developing a Preventive Controls Program, identifying a Preventive Controls Qualified Individual (PCQI), and implementing a Food Safety Plan.

The following areas are all included under the FSMA Preventive Controls Rule:

• Hazard Analysis. Companies must identify and evaluate known and reasonably foreseeable hazards.
• Preventive Controls. Preventive controls must be implemented to significantly minimize or prevent the occurrence of hazards.
• Monitoring. Preventive controls must be monitored for effectiveness.
• Corrective Actions. Procedures for addressing failures of preventive controls and prevention of affected food from entering commerce are required.
• Verification. Facilities are required to verify that preventive controls, monitoring, and corrective actions are adequate.
• Recordkeeping. Records must be kept for two years.
• Written Plan and Documentation. A written plan must document and describe procedures used to comply with requirements.
• Qualified Individual. A Qualified Individual who has been adequately trained must be present at the facility to manage the preventive controls for the site and the products processed and distributed at/from the site.

Failure to implement preventive controls (a/k/a Hazard Analysis and Risk-based Preventive Controls (HARPC)) for qualified sites may result in fines and possible jail sentences.

Key Questions

The following questions can help organizations assess their compliance with the Preventive Controls Rule and better determine their current state of planning for FSMA compliance:

• • In determining the appropriate preventive controls under FSMA for your food operation, have you evaluated your compliance requirements and categories?
  • Have you assessed hazards outside or not part of your existing HACCP flows for determining preventive controls?
  • Are the preventive controls you have identified supported by science-based justification?
  • Is the science-based information supported by means such as statistical methods, published reports, peer review, industry/second-party verification, or other documentation?
  • Have you determined the program requirements for preventive controls for implementation in your Food Safety Management System (FSMS), as required by the FSMA Food Safety Plan requirement?
  • Have the cGMP-based policy, procedure, work instruction, test/validation, forms, and records criteria been established for preventive controls at your food operation(s)?
  • Have you determined the functional organizational responsibilities of preventive controls, your preventive control Food Safety Plan, and Qualified Individual?
  • Does organizational responsibility include oversight by process owners of preventive controls and comprehensive FSMA management?
  • Will completion of your program, as documented with cGMPs and a validated Food Safety Plan, meet FSMA and customer deadlines?
  • Will internal auditing of program elements meet established timing and allow for preventive control and Plan verification and management review?

Companies must have their training, planning and development underway to comply or face possible violations, fines, and penalties under FDA enforcement. These questions will help identify the areas in need of attention to ensure that companies have aligned their preventive controls development with existing HACCP programs to meet requirements and any pending deadlines.

The U.S. Food and Drug Administration (FDA) has issued two Food Safety Modernization Act (FSMA) small entity compliance guidance documents to assist small and very small businesses with the implementation of the Preventive Controls for Human Food and Preventive Controls for Animal Food rules.

The guidance outlines who must comply with the rule, who is exempt from parts of the rules or subject to modified requirements, and outlines key information for qualified facilities (i.e., small businesses).

The guidance documents are two of dozens of guidance documents the FDA intends to release as it continues with the implementation of FSMA. The Agency released guidance for both the human and animal food rules in August 2016.

In theory, compliance with the Food Safety Modernization Act (FSMA) is simple. In reality, however, the rules are complex—even convoluted, some may say—guidance is currently limited, and rule interpretations differ, sometimes vastly.

Regardless of those complications, there are a number of actions any company in a food-related industry can take to support FSMA compliance efforts. While this list doesn’t get to the granular level of detail needed to comply with all of the individual rules and requirements, it does provide a high-level overview to get companies started down the right path to compliance.

1. Verify that employees know and understand your company’s food safety and FDA/FSMA requirements. Which rules are applicable? What is required to comply? What are the job requirements?
2. Ensure that building, premises, and processes meet existing physical condition and defense requirements.
3. Ensure that everything from food safety training to operational documentation is current, complete, and detailed. Everything must be documented and verified to demonstrate compliance.
4. Assess your written Food Safety Plan(s) and look for “gaps” in areas, including food safety policies, preventive controls, allergen management, and cGMPs.
5. Confirm your company’s policies are visible, understood, and being followed. It is one thing to have written policies; it is another thing to implement them into the organization.
6. Ensure the adequacy of your supply chain and internal audit program to FSMA requirements. Confirm that you effectively track, monitor, and evaluate your suppliers. FSMA compliance stretches beyond your individual organization throughout the food supply chain.
7. Test and confirm that you are prepared to provide documentation within 24 hours if requested by FDA. An effective document management system can help ensure that you are able to access the required information when you need it.
8. Maintain insurance and ensure your indemnity agreements provide an acceptable level of protection, including letters of guarantee and supplier and recall insurance.
9. Verify foreign suppliers for their compliance with FSMA regulations. Importers will be required to verify that food imported into the United States has been produced to FDA requirements
10. Verify and maintain your mock recall program for any recall circumstance that might occur or be requested by FDA. All issues related to the processing and distribution of safe food will be enforceable by the FDA, including issuing recalls, ordering the detention of product, suspending business registrations, levying fines, and controlling the food supply chain.

Any company that works in a food-related industry needs to determine compliance requirements to implement the appropriate FSMA programs. Due to the Act’s complexity, this process should begin well in advance of final compliance dates. If programs are not currently in development, they must be short to avoid the potential of non-compliance to FDA, customers, and the supply chain.

Every food supply company has an obligation to its customers to provide safe and quality food. In addition, a growing number of retailers and wholesalers require their producers and suppliers to implement compliance and certification programs. Food Safety Modernization Act (FSMA) compliance presents an even greater benefit to food-safe building and equipment programs, as it complements and aligns with GFSI-certified standard requirements (e.g., SQF, IFS, BRC, FSSC 22000) and demonstrates that a company is working actively to manage its food safety risks.

In today’s food safety-focused and competitive climate, it is challenging for companies to devote the resources required to maintain compliance activities at a sustained and satisfactory level—but it is essential.

The following solutions can help keep companies who work with food-related materials on track when it comes to managing food safety and certification requirements and achieving compliance with FSMA’s Preventive Control requirements.

1. What are the issues that food and food industry sites must address to meet general plant control requirements for legal compliance and/or industry certification?

To comply with both regulatory requirements under FDA/FSMA and GFSI industry requirements, food companies must establish control of food safe premises, plants, and food risk zones. With recent changes, compliance is not limited to just companies that manufacture and distribute food product, but also to those that provide food chemicals, packaging, and logistics. The requirements apply to all companies distributing food or food ingredients to the U.S. market.

Food Plant Zoning

• Signage
• Locks and access controls
• Pipe and utility marking
• Floor and area marking and coding
• Labels
• PPI and PPE stations
• Waste and water control
• Color coding/tools/utensils/maps

2. How do the regulatory and certification requirements for food safety impact controls for facilities and equipment?

The regulatory and certification requirements include elements to ensure all aspects of food safety. This includes “Food Safety and Security,” which requires the protection of food against the potential for deliberate or accidental contamination.  This is in addition to the site and general security.

Equipment and Facility Controls

• Locks
• Lockout/Tagout systems
• Seals and tags
• Labels
• Security gates/fences/areas
• Closures/caps
• Storage/containment
• Emergency and response kits

3. What are the food safety requirements for controlling food, non-food, and food contact materials?

A key focus for compliance includes the control of food and contact materials. This includes direct control, evidence of communication, and direction of employees to avoid the misuse or contamination/cross-contamination of the food product. Control of utensils and tools used in the food processing areas represents a major area of inspection as part of the audit process.

Material Controls/Non-Food/Chemical

• Locked and rated cabinets
• Floor markings
• Message boards
• HMIS/NFPA programs
• HazMat labels, inventory tags, and forms

4. How is foodplant building maintenance addressed in food safety compliance?

The first requirement of a food industry plant is to ensure the proper building elements of construction and design. Once commissioned for food products or distribution, the facility must be maintained to its original level commissioned as fit for use.

Building Maintenance

• Access and premise food maintenance
• Exterior building envelope
• Internal building envelope
• Doors and locks
• Process areas and critical maintenance (lubrication, PM, etc.)
• Sanitary, employee areas, break rooms
• Water drains, and waste control

5. What security requirements do food industry sites need to consider to meet regulations or GFSI industry certifications?

Food plants are included under the Department of Homeland Security (DHS) as requiring developed and implemented security programs. The registration of food plants under the FDA certification required by DHS is a key aspect of being approved and registered to operate for food sites.

Security (Food Safety and Security)

• Premises security fences, gates, locks
• Passkey and key control systems
• Badges and badge readers
• Video security and alarms
• Building and equipment locks and access controls
• Equipment and storage seals and programs
• Security cabinets and storage
• Tamper-evident seals
• Signage – warning and informational

6. How are hazard warnings dealt with in a food operation both to communicate with employees and visitors and to show evidence of compliance?

Compliance with food safety requirements provides that companies communicate with employees and visitors on the conditions for access to the food operation. To do so, it is expected that communication is established through various means to ensure notification of all related parties, including employees, visitors, truck drivers, service providers, contract employees, and contractors.

Hazard Warnings

• Signage (building, equipment) – warning, hazard, directional, stop
• GMPs
• Labels and marking equipment and utilities
• Floor markings
• Conformities and allergens
• Inspection and approval directions
• Information boards
• Location control

7. How are warnings provided within a food plant for activities and people?

Compliance with food safety requirements provides that higher risk direction is maintained to ensure the protection of food operations. This includes both documented and posted warnings to achieve communication at this level.

Directional Warnings

• Premise directional signs
• Food safety signage (GMPs, receipt, processing, release, shipping)
• High-risk equipment labeling, process warning signs and directions
• PPE
• Emergency response
• Food safety mapping and locations
• Employee sanitation
• Employee rules
• Employee hazard communication

8. What requirements do food operations need to maintain to ensure the understanding of food safety throughout the organization?

Food safety requirements provide that management must ensure that food safety compliance is established throughout the organization and related parties. This can be accomplished through various means, including postings, signage, marking, mapping to enhance traditional methods of training, and meetings.

Organization

• Visual workplace
• Charting
• Information boards
• Employee communication
• Hazard communication
• Food plant zoning
• Mapping
• Directional location information
• Preventive controls
• Process requirements

9. What are specific controls necessary for safe food operation based on the identification of key infrastructure elements of a food operation?

Food operations are expected to maintain up-to-date engineering information, drawings and schematics, and related identification. This requirement is to ensure that all aspects of commissioning for food operation are maintained, with the assurance that physical identification and inspection of all related areas and fixtures is also demonstrated and maintained. Specific marking, labeling, identification, storage locations, tagging, and seals provide a means of meeting these requirements.

Tagging/Labeling

• Truck and transport container tagging and sealing
• Pipe and utility marking (engineering and plumbing drawings)
• Shadow boards/tool and parts storage
• Identification and warning labels
• Process equipment identification
• Key program tagging (pest control, waste, etc.)
• Service ID tagging (inspections)
• PM tagging for food compliance (critical equipment)

10. What provisions are there for asset management within a food operation?

Food safety regulations and standards require that all assets determined to be critical or to be maintained to achieve food safety be managed and maintained. To accomplish this program, means of achieving control over these assets must be developed, implemented, maintained, and evident.

Asset Management

• Critical equipment management
• Building maintenance management
• Project equipment and building materials management
• Asset inventory and verification management
• Active versus inactive assets (in-service, out-of-service management)
• Asset disposal management
• Inventory status management – available, on-hold, disposition
• Storage location management

Hazard Analysis and Critical Control Points (HACCP) is a process control system designed to identify and prevent microbial and other hazards in food production. The HACCP system is used at all stages of the food chain, from food production to packaging and distribution.

HACCP includes steps designed to identify food safety risks, prevent food safety hazards before they occur, and address legal compliance. The most important aspect of HACCP is that it is a preventive system rather than an inspection system of controlling food safety hazards. Prevention of hazards cannot be accomplished by end product inspection. Controlling the production process with HACCP offers the best approach.

Breaking It Down

Kestrel follows twelve steps to help ensure the successful implementation and integration of HACCP throughout a company:

1. Assemble a HACCP team with the appropriate product-specific knowledge and expertise to develop an effective Food Safety Plan. The team should comprise individuals familiar with all aspects of the production process, plus specialists with expertise in specific areas, such as engineering or microbiology. It may be necessary to use external sources of expertise in some cases.
2. Describe the product in full detail, including composition, physical/chemical structure, microcidal/static treatments, packaging, storage conditions, and distribution methods.
3. Identify the intended/expected use of the product by the end user. It is also important to identify the consumer target groups. Vulnerable groups, such as children or the elderly, may need to be considered specifically.
4. Construct a flow diagram that provides an accurate representation of each step in the manufacturing process—from raw materials to end product—and may include details of the factory and equipment layout, ingredient specifications, features of equipment design, time/temperature data, cleaning and hygiene procedures, and storage conditions.
5. Perform an on-site confirmation of the flow diagram to confirm that it is aligned with actual operations. The operation should be observed at each stage and any discrepancies between the diagram and normal practice should be recorded and amended. It is essential that the flow diagram is accurate since the hazard analysis and identification of Critical Control Points (CCPs) rely on the data it contains.
6. Conduct a hazard analysis for each process step to identify any biological, chemical, or physical hazards. This assessment also includes rating the hazard using a risk matrix, determining if the hazard is likely to occur, and identifying the preventive controls for the process step.
7. Determine Critical Control Points (CCPs)—those areas where previously identified hazards may be eliminated. The final HACCP Plan will focus on the control and monitoring of the process at these points.
8. Establish critical limits and develop processes that limit risk at CCPs. More than one critical limit may be defined for a single step. Criteria used to set critical limits must be measurable and include rating and ranking of hazards for each step of the flowchart.
9. Monitor CCPs and develop processes for ensuring that critical limits are followed. Monitoring procedures must be able to detect loss of control at the CCP and should provide this information in time to make appropriate adjustments so that control of the process is regained before critical limits are exceeded. Where possible, process adjustments should be made when monitoring results indicate a trend towards a loss of control at a CCP.
10. Establish preplanned corrective actions to be taken for each CCP in the HACCP plan that can then be applied when the CCP is not under control. If monitoring indicates a deviation from the critical limits for a CCP, action (e.g., proper isolation and disposition of affected product) must be taken that will bring it back under control.
11. Establish procedures for verification to determine whether the HACCP system is working correctly. Verification procedures should include detailed reviews of all aspects of the HACCP system and its records. The documentation should confirm that CCPs are under control and should also indicate the nature and extent of any deviations from the critical limits and the corrective actions taken in each case.
12. Establish proper documentation and recordkeeping for all HACCP processes to ensure that the business can verify that controls are in place and are being properly maintained.

Developing and implementing a HACCP program requires a significant investment of time and effort. Though HACCP continues to evolve, it is up to the company to design and customize HACCP programs to make them effective and workable. These twelve steps break HACCP into manageable chunks and will help ensure that the company is consistently and reliably producing safe food that will not cause harm to the consumer.

The FDA Food Safety Modernization Act (FSMA) originated in the mid-2000s when approximately 48 million people were getting sick, 128,000 were hospitalized, and 3,000 died annually from foodborne diseases, according to the Centers for Disease Control (CDC). This resulted in a significant public health burden that is largely preventable.

Signed into law by President Obama on January 4, 2011, FSMA aims to ensure that the food supply is safe—from responding to contamination to preventing it. The Act represents the most sweeping reform of our food safety laws in more than 70 years.

New Rulemaking

Since its passage, food-related industries have been waiting for a number of new rules to be published under FSMA. The new rules being published for enforcement will complement the existing rules in place prior to 2011 and rules that were enforceable at the signing of FSMA, including meeting all of the established requirements under 21 CFR Section 110. These include Inspection of Records; Registration of Food Facilities; FDA Performance Standards; and Authority to Collect Fees, Mandatory Recall Authority, and Administrative Detention.

After numerous delays in rulemaking, court-ordered deadlines for finalizing and publishing seven foundational new rules were established for 2015/2016. Not surprisingly, the FDA declared 2015 “the year of FSMA” at their FSMA Kickoff Meeting for industry stakeholders on April 23, 2015. The new rules include the following final and pending dates:

*Later dates or applicability may be provided for very small companies 
**Dates may be subject to change
***cGMP refers to Current GMPs under FSMA or ones that are current and updated within the past two years

Enforcement

With these new FSMA rules, all issues related to the processing and distribution of safe food will be enforceable by the FDA. This broad authority includes the use of other agencies for enforcement and eliminates the need for the FDA to require judicial approval for investigations, access to information, issuing recalls, ordering the detention of product, suspending business registrations, levying fines, and controlling the food supply chain to ensure the safety of food for the public.

Compliance Requirements

Establishing the rulemaking deadlines is the first step toward implementing the law. Compliance dates—up to one year or longer after publication—require companies to then develop the appropriate programs to meet FDA Guidance Documents pending release. These Guidance Documents are intended to assist industry in program development; however, there is little confidence that these will be issued in a timely manner. Thus, with compliance commencing by September, companies must establish their own programs and use Guidance Documents for eventual comparison.

As the new FSMA rules are published, companies must determine their compliance requirements to ensure the distribution of only pure and unadulterated food product. Each company must assess all aspects of FSMA to first determine which rules are specific to them, their business, and their supply chain and, second, how to best comply. This is challenging, as these programs will be new and not previously tested for compliance. A gap assessment will help companies determine requirements and then develop the required compliance programs by the established dates.

Food Defense and Safety Plan

There is one common need across all FSMA rules that companies should consider: proactively creating a Food Defense and Safety Plan—or updating a current one. Taking a proactive approach to food defense will not only make FSMA adherence less daunting for organizations, but it will also ensure that they are working to avoid the risks associated with food adulteration and contamination.

This also aligns with other existing laws already in place, as site food defense is an imperative required by other laws. Security programs must be established if they are not already implemented. FSMA rules include one against deliberate contamination of food. The FDA and other authorized agencies will look to see if programs are established and that the company has assessed risks, controls access, has an alert system, and has an audit program that is functioning to plan.

Companies must take action to include these within their Food Defense and Safety Plan:

• Ensure the building, premises, and processes meet existing physical and defense requirements
• Verify employees understand the company’s FDA/FSMA requirements with visible evidence
• Assess and audit the written Food Safety Plans and look for gaps/areas to close
• Ensure the integrity of the internal audit program to FDA/FSMA and food safety requirements
• Confirm that the company is prepared to provide documentation in 24 hours if requested by the FDA
• Ensure that all suppliers and indemnity are effectively tracked, monitored, and evaluated
• Prove traceability and maintain a mock recall program for any recall circumstance

Food Safety Management System (FSMS)

Based on the complexity and broad nature of the FSMA rules, it is also recommended that companies move forward with updates to their Food Safety Management Systems (FSMS), which can be adjusted when the final rules are issued. Certification to one of the Global Food Safety Initiative’s (GFSI) benchmarked standards provides some level of compliance, including security and defense.

Preventive Controls

Preventive controls require a final processor or distributor to ensure that the supply chain has effective programs. Preventive controls must go back to the origin of each material. Ultimately, all food ingredients and materials must be included to meet preventive control requirements.

FDA seeks for companies to assess risks and implement preventive controls in their supply chain. For this, companies must understand where the risks are and if appropriate controls are implemented. A key issue to consider is how regulators and suppliers have different senses of what appropriate controls really are for this important goal of FSMA.

Qualified Individuals

Another key aspect of FSMA and a change to past FDA requirements is to establish and maintain Qualified Individuals and Food Safety Lead/Teams to ensure that each location’s food safety system is adequately managed. Key requirements include the following:

• Identify a qualified lead food site operator at all times
• Be ready for an inspection with a well-scripted inspection program
• Keep the communication list within the company current, including regulatory service providers
• Food Safety Lead must be present during food operations for release of safe food
• Qualified back-ups must be established for the primary Food Safety Qualified Individual or Lead

Actions to Take

Any company that produces or distributes food product or material needs to determine compliance requirements to implement the appropriate FSMA programs. The best method for determining program development needs is to conduct an action-oriented gap assessment of current programs to FSMA requirements. Due to the Act’s complexity, this process should begin well in advance of final compliance dates. If programs are not currently in development, they must be short to avoid the potential of non-compliance to FDA, customers, and the supply chain.