The FDA Food Safety Modernization Act (FSMA) originated in the mid-2000s when approximately 48 million people were getting sick, 128,000 were hospitalized, and 3,000 died annually from foodborne diseases, according to the Centers for Disease Control (CDC). This resulted in a significant public health burden that is largely preventable.

Signed into law by President Obama on January 4, 2011, FSMA aims to ensure that the food supply is safe—from responding to contamination to preventing it. The Act represents the most sweeping reform of our food safety laws in more than 70 years.

New Rulemaking

Since its passage, food-related industries have been waiting for a number of new rules to be published under FSMA. The new rules being published for enforcement will complement the existing rules in place prior to 2011 and rules that were enforceable at the signing of FSMA, including meeting all of the established requirements under 21 CFR Section 110. These include Inspection of Records; Registration of Food Facilities; FDA Performance Standards; and Authority to Collect Fees, Mandatory Recall Authority, and Administrative Detention.

After numerous delays in rulemaking, court-ordered deadlines for finalizing and publishing seven foundational new rules were established for 2015/2016. Not surprisingly, the FDA declared 2015 “the year of FSMA” at their FSMA Kickoff Meeting for industry stakeholders on April 23, 2015. The new rules include the following final and pending dates:

*Later dates or applicability may be provided for very small companies 
**Dates may be subject to change
***cGMP refers to Current GMPs under FSMA or ones that are current and updated within the past two years

Enforcement

With these new FSMA rules, all issues related to the processing and distribution of safe food will be enforceable by the FDA. This broad authority includes the use of other agencies for enforcement and eliminates the need for the FDA to require judicial approval for investigations, access to information, issuing recalls, ordering the detention of product, suspending business registrations, levying fines, and controlling the food supply chain to ensure the safety of food for the public.

Compliance Requirements

Establishing the rulemaking deadlines is the first step toward implementing the law. Compliance dates—up to one year or longer after publication—require companies to then develop the appropriate programs to meet FDA Guidance Documents pending release. These Guidance Documents are intended to assist industry in program development; however, there is little confidence that these will be issued in a timely manner. Thus, with compliance commencing by September, companies must establish their own programs and use Guidance Documents for eventual comparison.

As the new FSMA rules are published, companies must determine their compliance requirements to ensure the distribution of only pure and unadulterated food product. Each company must assess all aspects of FSMA to first determine which rules are specific to them, their business, and their supply chain and, second, how to best comply. This is challenging, as these programs will be new and not previously tested for compliance. A gap assessment will help companies determine requirements and then develop the required compliance programs by the established dates.

Food Defense and Safety Plan

There is one common need across all FSMA rules that companies should consider: proactively creating a Food Defense and Safety Plan—or updating a current one. Taking a proactive approach to food defense will not only make FSMA adherence less daunting for organizations, but it will also ensure that they are working to avoid the risks associated with food adulteration and contamination.

This also aligns with other existing laws already in place, as site food defense is an imperative required by other laws. Security programs must be established if they are not already implemented. FSMA rules include one against deliberate contamination of food. The FDA and other authorized agencies will look to see if programs are established and that the company has assessed risks, controls access, has an alert system, and has an audit program that is functioning to plan.

Companies must take action to include these within their Food Defense and Safety Plan:

• Ensure the building, premises, and processes meet existing physical and defense requirements
• Verify employees understand the company’s FDA/FSMA requirements with visible evidence
• Assess and audit the written Food Safety Plans and look for gaps/areas to close
• Ensure the integrity of the internal audit program to FDA/FSMA and food safety requirements
• Confirm that the company is prepared to provide documentation in 24 hours if requested by the FDA
• Ensure that all suppliers and indemnity are effectively tracked, monitored, and evaluated
• Prove traceability and maintain a mock recall program for any recall circumstance

Food Safety Management System (FSMS)

Based on the complexity and broad nature of the FSMA rules, it is also recommended that companies move forward with updates to their Food Safety Management Systems (FSMS), which can be adjusted when the final rules are issued. Certification to one of the Global Food Safety Initiative’s (GFSI) benchmarked standards provides some level of compliance, including security and defense.

Preventive Controls

Preventive controls require a final processor or distributor to ensure that the supply chain has effective programs. Preventive controls must go back to the origin of each material. Ultimately, all food ingredients and materials must be included to meet preventive control requirements.

FDA seeks for companies to assess risks and implement preventive controls in their supply chain. For this, companies must understand where the risks are and if appropriate controls are implemented. A key issue to consider is how regulators and suppliers have different senses of what appropriate controls really are for this important goal of FSMA.

Qualified Individuals

Another key aspect of FSMA and a change to past FDA requirements is to establish and maintain Qualified Individuals and Food Safety Lead/Teams to ensure that each location’s food safety system is adequately managed. Key requirements include the following:

• Identify a qualified lead food site operator at all times
• Be ready for an inspection with a well-scripted inspection program
• Keep the communication list within the company current, including regulatory service providers
• Food Safety Lead must be present during food operations for release of safe food
• Qualified back-ups must be established for the primary Food Safety Qualified Individual or Lead

Actions to Take

Any company that produces or distributes food product or material needs to determine compliance requirements to implement the appropriate FSMA programs. The best method for determining program development needs is to conduct an action-oriented gap assessment of current programs to FSMA requirements. Due to the Act’s complexity, this process should begin well in advance of final compliance dates. If programs are not currently in development, they must be short to avoid the potential of non-compliance to FDA, customers, and the supply chain.

Every food product and service company has an obligation to its customers to provide safe and quality food. A well-designed and well-executed food safety auditing program—with data trend analysis—provides an important tool for ensuring food safety. Auditing captures compliance status, Food Safety Management System conformance, adequacy of internal controls, potential risks, and best practices.

Combining effective auditing program design, standardized procedures, trained/knowledgeable auditors, and information technology systems and tools helps to ensure that food companies have the resources needed to get the most out of their food safety audits.

These resources may include:

• A reliable tool for conducting certification audits
• A systematic method of tracking audit status, schedule, and auditor capabilities
• Detailed audit and nonconformance data trending to help focus on risk areas for improvement
• Tracking of corrective actions
• Reports on performance metrics that allow the company to demonstrate compliance with regulatory requirements, evaluate trends, and make management decisions

The goal should be to effectively capture and analyze audit data and then use that information to improve food safety and quality, achieve certification requirements, and enhance overall business performance.

Technology Integration: Case Study

The following case study shows how integrating information technology into the auditing process can enhance data collection, analysis, and reporting capabilities.

This food manufacturer wanted to better track and manage its audit status and use the data collected to help focus on risk areas for improvement. Working with Kestrel’s food safety and IT experts, the company decided to use dynaQ™, Kestrel’s web-based assessment tool.

Kestrel took the following project approach to ensure that the company would be able to efficiently conduct its audits and, just as important, analyze audit data to uncover areas of nonconformance and opportunities to improve performance and reduce business risks.

Part 1: Project Kickoff – Identify and define initial dynaQ™ configuration, customization, training, and implementation scopes. Kestrel customized the existing platform to create nearly custom software to meet the organization’s needs.

Part 2: Project Launch and Training – Provide intensive training to ensure key staff knows how to conduct relevant inspections and are versed on reporting and data trends. At the end of the training session, staff was ready to work independently with dynaQ™.

Part 3: Implementation and Project Support – Continue training users on the dynaQ™ auditing process and provide ongoing support. The key factor in any audit program’s success is staff adoption. Ongoing support ensures that the company realizes maximum benefit.

Implementation has involved using dynaQ™ to facilitate a number of activities:

• Collect and analyze data from:
  • Daily pre-op and ATP inspections
  • Monthly GMP and glass & brittle plastic inspections
  • Twice daily operations inspections
  • ISO 22000 conformance audits under FSSC22000
  • ISO/TS22002-1 conformance audits
• Create a new form and process to facilitate the nature of quality evaluations, using dynaQ™ to compile the results
• Track noncompliance records (NRs) as the plant is notified

By integrating information technology into the auditing process, this two-month pilot project has resulted in the following benefits to the company:

• More effective pre-op
• Increased line utilization
• Immediate QA evaluation capability
• Improved efficiency and speed of data collection and report generation
• Enhanced ability to demonstrate compliance with regulatory requirements, evaluate trends, and make management decisions
• Improved data security

All types of business and operational processes demand a variety of audits and inspections to evaluate compliance with standards—ranging from government regulations, to industry codes, to system standards (e.g., ISO), to internal corporate requirements. Audits offer a systematic, objective tool to assess compliance across the workplace and to identify any opportunities for improvement.

Routine internal audits are becoming a larger part of organizational learning and development. They provide a valuable way to communicate performance to decision makers and key stakeholders. Even more importantly, audits help companies identify areas of noncompliance and opportunities for improvement.

For some audits, a company may work with a third-party auditor. This can be valuable in getting an objective assessment of overall compliance status if executed effectively. Here are some best practice tips to help prepare for an internal audit—and ensure that it goes smoothly:

1. Audit scope: Make sure that the scope of the audit is well defined and documented (i.e., regulations, management system standards, company policies). This also involves identifying which areas and functions onsite are included. For example, if contractors are leasing space, are their areas in scope or out? What about other onsite lessees, if any?
2. Documents, plans, and records: Prior to the audit, ask the auditor for a list of documents they may be looking for (e.g., OSHA logs, past audit findings). Depending on the nature of the audit, it can be an extensive list and knowing ahead of time will save time and money. If possible, collect all records in advance and have them easily accessible. If corporate policy allows, it is often advisable to send current versions of all facility-specific plans, permits, and other documents to the auditor in advance of the audit to aid in preparation and create a more efficient use of time onsite. When the auditor arrives, make sure you know where relevant records are and that they are available to the auditor (i.e., not locked up in someone else’s office). Records should be organized by type in separate folders and sorted by date. Not only does that save time, it creates less likelihood of a record being overlooked. In most cases, electronic versions of records are sufficient, as long as they can be easily retrieved and viewed on the computer.
3. Interviews: Advise individuals who may be interviewed during the audit about the purpose of the audit. Communicate well in advance of the audit so that employees aren’t caught off guard when they see an individual walking around taking notes and pictures. Prepare your employees; encourage them to cooperate and provide helpful information when asked. Every employee should:
   • Be aware of the company quality/environmental/safety/food safety policy and able to state it in their own words.
   • Be aware of the quality/environmental/safety/food safety objectives the company has set for the current time period (i.e., what the company is working on to improve the current “state”).
   • Understand how they “make a difference” (i.e., how just by doing their jobs, they are following company policy and objectives and impacting performance).
   • Be knowledgeable about the procedures and practices required for doing their job properly.
4. Schedule: Ask for an audit schedule. This can help you plan for when certain “in-the-know” people need to be available. This can save valuable time—especially for those individuals—and help ensure that those you absolutely need for the audit are available when you need them.
5. Be available: Questions often arise during an audit. It is helpful to assure that qualified and knowledgeable personnel are available to answer questions and clarify information during the audit, in addition to being present during the audit debriefing.
6. Housekeeping: Good housekeeping puts auditors at ease. Conversely, lax housekeeping is often a harbinger of compliance issues and may put auditors on heightened alert.
7. Care of a third-party auditor: Make sure there is adequate work space available for the auditor to review records and other documents—with power, a desk or table, good lighting, and access to internet/email to exchange documents during the audit.
8. Confidentiality: If the audit scope involves regulatory compliance and the company has elected to employ audit privilege mechanisms, make sure that all parties are aware of the means to be taken to ensure that audit privilege is preserved (e.g., marking notes and documents, limiting distribution of output, adhering to state-specific requirements).

Virtually every regulatory program—environmental, health & safety, security, food safety—has compliance requirements that call for companies to fulfill a number of common compliance activities. Addressing all (or those specified in the applicable regulation) of the eight compliance functions outlined below can be instrumental in establishing or improving a company’s capability to comply.

1. Inventory means taking stock of what you have. For compliance purposes, the inventory is quite extensive, including (but not limited to) the following:
   • Activities and operations (i.e., what you do – raw material handling, storage, production processes, fueling, maintenance, etc.)
   • Human resources (i.e., who does what)
   • Emissions
   • Wastes
   • Hazardous materials
   • Discharges (operational and stormwater-related)

The outcome of a compliance inventory is an operational and EHS profile of the company’s operations and sites. In essence, the inventory is the top filter that determines the applicability of regulatory requirements and guides compliance plans, programs, and activities.

2. Authorizations, permits & certifications provide a “license to construct, install, or operate.” Most companies are subject to authorizations/permits at the federal, state, and local levels. Common examples include air permits, operating permits, Title V permits, safe work permits, tank certifications, construction authorization. In addition, there may be required fire and building codes and operator certifications. Once the required authorizations, permits, and/or certifications are in place, some regulatory requirements lead companies to the preparation and updating of plans as associated steps.
3. Plans are required by a number of regulations. These plans typically outline compliance tasks, responsibilities, reporting requirements, schedule, and best management practices to comply with the related permits. Common compliance-related plans may include SPCC, SWPPP, SWMP, contingency, food safety management, and security plans.
4. Training follows once you have your permits and plans in place. It is crucial to train employees to follow the plans so they can effectively execute their responsibilities and protect themselves and the community. Training should cover operations, safety, security, and environment.
5. Practices in place involve doing what is required to follow the terms of the permits and related plans. These are the day-to-day actions (regulatory, best management practices, planned procedures, SOPs, and work instructions) that are essential for following the required process.
6. Monitoring & inspections provide compliance checks to ensure that the site is operating within the required limits/parameters and that the company is achieving operational effectiveness and performance expectations. This step may include some physical monitoring, sampling, and testing (e.g., emissions, wastewater). There are also certain regulatory compliance requirements for the frequency and types of inspections that must be conducted (e.g., forklift, tanks, secondary containment, outfalls). Beyond regulatory requirements, many companies have internal monitoring/inspection requirements for things like housekeeping and process efficiency.
7. Records provide documentation of what has been done related to compliance—current inventories, plans, training, inspections, and monitoring required for a given compliance program. Each program typically has recordkeeping, records maintenance, and retention requirements specified by type. Having a good records management system is essential for maintaining the vast number of documents required by regulations, particularly since some, like OSHA, have retention cycles for as long as 30 years.
8. Reports are a product of the above compliance functions. Reports from ongoing implementation of compliance activities often are required to be filed with the regulatory agency on a regular basis (e.g., monthly, quarterly, semi-annually, annually), depending on the regulation. Reports also may be required when there is an incident, emergency, or spill.

Reliable Compliance Performance

Documenting procedures on how to execute these eight functions, along with management oversight and continual review and improvement, are what eventually get integrated into an overarching management system (e.g., environmental, health & safety, food safety, security, quality). This documentation helps create process standardization and, subsequently, consistent and reliable compliance performance.

In addition, completing and organizing/documenting these eight functions of compliance provides the following benefits:

• Helps improve the company’s capability to comply on an ongoing basis
• Enhances confidence in compliance practices by others, providing an indication of commitment, capability, and reliability
• Creates a strong foundation to answer auditors’ questions (agencies, customers, certifying bodies, internal)
• Establishes compliance practices for when an incident occurs
• Helps companies know where to look for continuous improvement
• Reduces surprises and unnecessary spending on reactive compliance-related activities
• Informs management’s need to know

On August 14, the U.S. Food and Drug Administration issued guidance to clarify that a waiver to the Food Safety Modernization Act (FSMA) Sanitary Transportation of Human and Animal Food final rule (Sanitary Transportation rule) covers retail food establishments that sell food for humans, including those that sell both human and animal food, but does not apply to establishments that only sell food for animals.