The U.S. Food and Drug Administration (FDA) has issued two Food Safety Modernization Act (FSMA) small entity compliance guidance documents to assist small and very small businesses with the implementation of the Preventive Controls for Human Food and Preventive Controls for Animal Food rules.

The guidance outlines who must comply with the rule, who is exempt from parts of the rules or subject to modified requirements, and outlines key information for qualified facilities (i.e., small businesses).

The guidance documents are two of dozens of guidance documents the FDA intends to release as it continues with the implementation of FSMA. The Agency released guidance for both the human and animal food rules in August 2016.

In theory, compliance with the Food Safety Modernization Act (FSMA) is simple. In reality, however, the rules are complex—even convoluted, some may say—guidance is currently limited, and rule interpretations differ, sometimes vastly.

Regardless of those complications, there are a number of actions any company in a food-related industry can take to support FSMA compliance efforts. While this list doesn’t get to the granular level of detail needed to comply with all of the individual rules and requirements, it does provide a high-level overview to get companies started down the right path to compliance.

1. Verify that employees know and understand your company’s food safety and FDA/FSMA requirements. Which rules are applicable? What is required to comply? What are the job requirements?
2. Ensure that building, premises, and processes meet existing physical condition and defense requirements.
3. Ensure that everything from food safety training to operational documentation is current, complete, and detailed. Everything must be documented and verified to demonstrate compliance.
4. Assess your written Food Safety Plan(s) and look for “gaps” in areas, including food safety policies, preventive controls, allergen management, and cGMPs.
5. Confirm your company’s policies are visible, understood, and being followed. It is one thing to have written policies; it is another thing to implement them into the organization.
6. Ensure the adequacy of your supply chain and internal audit program to FSMA requirements. Confirm that you effectively track, monitor, and evaluate your suppliers. FSMA compliance stretches beyond your individual organization throughout the food supply chain.
7. Test and confirm that you are prepared to provide documentation within 24 hours if requested by FDA. An effective document management system can help ensure that you are able to access the required information when you need it.
8. Maintain insurance and ensure your indemnity agreements provide an acceptable level of protection, including letters of guarantee and supplier and recall insurance.
9. Verify foreign suppliers for their compliance with FSMA regulations. Importers will be required to verify that food imported into the United States has been produced to FDA requirements
10. Verify and maintain your mock recall program for any recall circumstance that might occur or be requested by FDA. All issues related to the processing and distribution of safe food will be enforceable by the FDA, including issuing recalls, ordering the detention of product, suspending business registrations, levying fines, and controlling the food supply chain.

Any company that works in a food-related industry needs to determine compliance requirements to implement the appropriate FSMA programs. Due to the Act’s complexity, this process should begin well in advance of final compliance dates. If programs are not currently in development, they must be short to avoid the potential of non-compliance to FDA, customers, and the supply chain.

Every food supply company has an obligation to its customers to provide safe and quality food. In addition, a growing number of retailers and wholesalers require their producers and suppliers to implement compliance and certification programs. Food Safety Modernization Act (FSMA) compliance presents an even greater benefit to food-safe building and equipment programs, as it complements and aligns with GFSI-certified standard requirements (e.g., SQF, IFS, BRC, FSSC 22000) and demonstrates that a company is working actively to manage its food safety risks.

In today’s food safety-focused and competitive climate, it is challenging for companies to devote the resources required to maintain compliance activities at a sustained and satisfactory level—but it is essential.

The following solutions can help keep companies who work with food-related materials on track when it comes to managing food safety and certification requirements and achieving compliance with FSMA’s Preventive Control requirements.

1. What are the issues that food and food industry sites must address to meet general plant control requirements for legal compliance and/or industry certification?

To comply with both regulatory requirements under FDA/FSMA and GFSI industry requirements, food companies must establish control of food safe premises, plants, and food risk zones. With recent changes, compliance is not limited to just companies that manufacture and distribute food product, but also to those that provide food chemicals, packaging, and logistics. The requirements apply to all companies distributing food or food ingredients to the U.S. market.

Food Plant Zoning

• Signage
• Locks and access controls
• Pipe and utility marking
• Floor and area marking and coding
• Labels
• PPI and PPE stations
• Waste and water control
• Color coding/tools/utensils/maps

2. How do the regulatory and certification requirements for food safety impact controls for facilities and equipment?

The regulatory and certification requirements include elements to ensure all aspects of food safety. This includes “Food Safety and Security,” which requires the protection of food against the potential for deliberate or accidental contamination.  This is in addition to the site and general security.

Equipment and Facility Controls

• Locks
• Lockout/Tagout systems
• Seals and tags
• Labels
• Security gates/fences/areas
• Closures/caps
• Storage/containment
• Emergency and response kits

3. What are the food safety requirements for controlling food, non-food, and food contact materials?

A key focus for compliance includes the control of food and contact materials. This includes direct control, evidence of communication, and direction of employees to avoid the misuse or contamination/cross-contamination of the food product. Control of utensils and tools used in the food processing areas represents a major area of inspection as part of the audit process.

Material Controls/Non-Food/Chemical

• Locked and rated cabinets
• Floor markings
• Message boards
• HMIS/NFPA programs
• HazMat labels, inventory tags, and forms

4. How is foodplant building maintenance addressed in food safety compliance?

The first requirement of a food industry plant is to ensure the proper building elements of construction and design. Once commissioned for food products or distribution, the facility must be maintained to its original level commissioned as fit for use.

Building Maintenance

• Access and premise food maintenance
• Exterior building envelope
• Internal building envelope
• Doors and locks
• Process areas and critical maintenance (lubrication, PM, etc.)
• Sanitary, employee areas, break rooms
• Water drains, and waste control

5. What security requirements do food industry sites need to consider to meet regulations or GFSI industry certifications?

Food plants are included under the Department of Homeland Security (DHS) as requiring developed and implemented security programs. The registration of food plants under the FDA certification required by DHS is a key aspect of being approved and registered to operate for food sites.

Security (Food Safety and Security)

• Premises security fences, gates, locks
• Passkey and key control systems
• Badges and badge readers
• Video security and alarms
• Building and equipment locks and access controls
• Equipment and storage seals and programs
• Security cabinets and storage
• Tamper-evident seals
• Signage – warning and informational

6. How are hazard warnings dealt with in a food operation both to communicate with employees and visitors and to show evidence of compliance?

Compliance with food safety requirements provides that companies communicate with employees and visitors on the conditions for access to the food operation. To do so, it is expected that communication is established through various means to ensure notification of all related parties, including employees, visitors, truck drivers, service providers, contract employees, and contractors.

Hazard Warnings

• Signage (building, equipment) – warning, hazard, directional, stop
• GMPs
• Labels and marking equipment and utilities
• Floor markings
• Conformities and allergens
• Inspection and approval directions
• Information boards
• Location control

7. How are warnings provided within a food plant for activities and people?

Compliance with food safety requirements provides that higher risk direction is maintained to ensure the protection of food operations. This includes both documented and posted warnings to achieve communication at this level.

Directional Warnings

• Premise directional signs
• Food safety signage (GMPs, receipt, processing, release, shipping)
• High-risk equipment labeling, process warning signs and directions
• PPE
• Emergency response
• Food safety mapping and locations
• Employee sanitation
• Employee rules
• Employee hazard communication

8. What requirements do food operations need to maintain to ensure the understanding of food safety throughout the organization?

Food safety requirements provide that management must ensure that food safety compliance is established throughout the organization and related parties. This can be accomplished through various means, including postings, signage, marking, mapping to enhance traditional methods of training, and meetings.

Organization

• Visual workplace
• Charting
• Information boards
• Employee communication
• Hazard communication
• Food plant zoning
• Mapping
• Directional location information
• Preventive controls
• Process requirements

9. What are specific controls necessary for safe food operation based on the identification of key infrastructure elements of a food operation?

Food operations are expected to maintain up-to-date engineering information, drawings and schematics, and related identification. This requirement is to ensure that all aspects of commissioning for food operation are maintained, with the assurance that physical identification and inspection of all related areas and fixtures is also demonstrated and maintained. Specific marking, labeling, identification, storage locations, tagging, and seals provide a means of meeting these requirements.

Tagging/Labeling

• Truck and transport container tagging and sealing
• Pipe and utility marking (engineering and plumbing drawings)
• Shadow boards/tool and parts storage
• Identification and warning labels
• Process equipment identification
• Key program tagging (pest control, waste, etc.)
• Service ID tagging (inspections)
• PM tagging for food compliance (critical equipment)

10. What provisions are there for asset management within a food operation?

Food safety regulations and standards require that all assets determined to be critical or to be maintained to achieve food safety be managed and maintained. To accomplish this program, means of achieving control over these assets must be developed, implemented, maintained, and evident.

Asset Management

• Critical equipment management
• Building maintenance management
• Project equipment and building materials management
• Asset inventory and verification management
• Active versus inactive assets (in-service, out-of-service management)
• Asset disposal management
• Inventory status management – available, on-hold, disposition
• Storage location management

Hazard Analysis and Critical Control Points (HACCP) is a process control system designed to identify and prevent microbial and other hazards in food production. The HACCP system is used at all stages of the food chain, from food production to packaging and distribution.

HACCP includes steps designed to identify food safety risks, prevent food safety hazards before they occur, and address legal compliance. The most important aspect of HACCP is that it is a preventive system rather than an inspection system of controlling food safety hazards. Prevention of hazards cannot be accomplished by end product inspection. Controlling the production process with HACCP offers the best approach.

Breaking It Down

Kestrel follows twelve steps to help ensure the successful implementation and integration of HACCP throughout a company:

1. Assemble a HACCP team with the appropriate product-specific knowledge and expertise to develop an effective Food Safety Plan. The team should comprise individuals familiar with all aspects of the production process, plus specialists with expertise in specific areas, such as engineering or microbiology. It may be necessary to use external sources of expertise in some cases.
2. Describe the product in full detail, including composition, physical/chemical structure, microcidal/static treatments, packaging, storage conditions, and distribution methods.
3. Identify the intended/expected use of the product by the end user. It is also important to identify the consumer target groups. Vulnerable groups, such as children or the elderly, may need to be considered specifically.
4. Construct a flow diagram that provides an accurate representation of each step in the manufacturing process—from raw materials to end product—and may include details of the factory and equipment layout, ingredient specifications, features of equipment design, time/temperature data, cleaning and hygiene procedures, and storage conditions.
5. Perform an on-site confirmation of the flow diagram to confirm that it is aligned with actual operations. The operation should be observed at each stage and any discrepancies between the diagram and normal practice should be recorded and amended. It is essential that the flow diagram is accurate since the hazard analysis and identification of Critical Control Points (CCPs) rely on the data it contains.
6. Conduct a hazard analysis for each process step to identify any biological, chemical, or physical hazards. This assessment also includes rating the hazard using a risk matrix, determining if the hazard is likely to occur, and identifying the preventive controls for the process step.
7. Determine Critical Control Points (CCPs)—those areas where previously identified hazards may be eliminated. The final HACCP Plan will focus on the control and monitoring of the process at these points.
8. Establish critical limits and develop processes that limit risk at CCPs. More than one critical limit may be defined for a single step. Criteria used to set critical limits must be measurable and include rating and ranking of hazards for each step of the flowchart.
9. Monitor CCPs and develop processes for ensuring that critical limits are followed. Monitoring procedures must be able to detect loss of control at the CCP and should provide this information in time to make appropriate adjustments so that control of the process is regained before critical limits are exceeded. Where possible, process adjustments should be made when monitoring results indicate a trend towards a loss of control at a CCP.
10. Establish preplanned corrective actions to be taken for each CCP in the HACCP plan that can then be applied when the CCP is not under control. If monitoring indicates a deviation from the critical limits for a CCP, action (e.g., proper isolation and disposition of affected product) must be taken that will bring it back under control.
11. Establish procedures for verification to determine whether the HACCP system is working correctly. Verification procedures should include detailed reviews of all aspects of the HACCP system and its records. The documentation should confirm that CCPs are under control and should also indicate the nature and extent of any deviations from the critical limits and the corrective actions taken in each case.
12. Establish proper documentation and recordkeeping for all HACCP processes to ensure that the business can verify that controls are in place and are being properly maintained.

Developing and implementing a HACCP program requires a significant investment of time and effort. Though HACCP continues to evolve, it is up to the company to design and customize HACCP programs to make them effective and workable. These twelve steps break HACCP into manageable chunks and will help ensure that the company is consistently and reliably producing safe food that will not cause harm to the consumer.

The FDA Food Safety Modernization Act (FSMA) originated in the mid-2000s when approximately 48 million people were getting sick, 128,000 were hospitalized, and 3,000 died annually from foodborne diseases, according to the Centers for Disease Control (CDC). This resulted in a significant public health burden that is largely preventable.

Signed into law by President Obama on January 4, 2011, FSMA aims to ensure that the food supply is safe—from responding to contamination to preventing it. The Act represents the most sweeping reform of our food safety laws in more than 70 years.

New Rulemaking

Since its passage, food-related industries have been waiting for a number of new rules to be published under FSMA. The new rules being published for enforcement will complement the existing rules in place prior to 2011 and rules that were enforceable at the signing of FSMA, including meeting all of the established requirements under 21 CFR Section 110. These include Inspection of Records; Registration of Food Facilities; FDA Performance Standards; and Authority to Collect Fees, Mandatory Recall Authority, and Administrative Detention.

After numerous delays in rulemaking, court-ordered deadlines for finalizing and publishing seven foundational new rules were established for 2015/2016. Not surprisingly, the FDA declared 2015 “the year of FSMA” at their FSMA Kickoff Meeting for industry stakeholders on April 23, 2015. The new rules include the following final and pending dates:

*Later dates or applicability may be provided for very small companies 
**Dates may be subject to change
***cGMP refers to Current GMPs under FSMA or ones that are current and updated within the past two years

Enforcement

With these new FSMA rules, all issues related to the processing and distribution of safe food will be enforceable by the FDA. This broad authority includes the use of other agencies for enforcement and eliminates the need for the FDA to require judicial approval for investigations, access to information, issuing recalls, ordering the detention of product, suspending business registrations, levying fines, and controlling the food supply chain to ensure the safety of food for the public.

Compliance Requirements

Establishing the rulemaking deadlines is the first step toward implementing the law. Compliance dates—up to one year or longer after publication—require companies to then develop the appropriate programs to meet FDA Guidance Documents pending release. These Guidance Documents are intended to assist industry in program development; however, there is little confidence that these will be issued in a timely manner. Thus, with compliance commencing by September, companies must establish their own programs and use Guidance Documents for eventual comparison.

As the new FSMA rules are published, companies must determine their compliance requirements to ensure the distribution of only pure and unadulterated food product. Each company must assess all aspects of FSMA to first determine which rules are specific to them, their business, and their supply chain and, second, how to best comply. This is challenging, as these programs will be new and not previously tested for compliance. A gap assessment will help companies determine requirements and then develop the required compliance programs by the established dates.

Food Defense and Safety Plan

There is one common need across all FSMA rules that companies should consider: proactively creating a Food Defense and Safety Plan—or updating a current one. Taking a proactive approach to food defense will not only make FSMA adherence less daunting for organizations, but it will also ensure that they are working to avoid the risks associated with food adulteration and contamination.

This also aligns with other existing laws already in place, as site food defense is an imperative required by other laws. Security programs must be established if they are not already implemented. FSMA rules include one against deliberate contamination of food. The FDA and other authorized agencies will look to see if programs are established and that the company has assessed risks, controls access, has an alert system, and has an audit program that is functioning to plan.

Companies must take action to include these within their Food Defense and Safety Plan:

• Ensure the building, premises, and processes meet existing physical and defense requirements
• Verify employees understand the company’s FDA/FSMA requirements with visible evidence
• Assess and audit the written Food Safety Plans and look for gaps/areas to close
• Ensure the integrity of the internal audit program to FDA/FSMA and food safety requirements
• Confirm that the company is prepared to provide documentation in 24 hours if requested by the FDA
• Ensure that all suppliers and indemnity are effectively tracked, monitored, and evaluated
• Prove traceability and maintain a mock recall program for any recall circumstance

Food Safety Management System (FSMS)

Based on the complexity and broad nature of the FSMA rules, it is also recommended that companies move forward with updates to their Food Safety Management Systems (FSMS), which can be adjusted when the final rules are issued. Certification to one of the Global Food Safety Initiative’s (GFSI) benchmarked standards provides some level of compliance, including security and defense.

Preventive Controls

Preventive controls require a final processor or distributor to ensure that the supply chain has effective programs. Preventive controls must go back to the origin of each material. Ultimately, all food ingredients and materials must be included to meet preventive control requirements.

FDA seeks for companies to assess risks and implement preventive controls in their supply chain. For this, companies must understand where the risks are and if appropriate controls are implemented. A key issue to consider is how regulators and suppliers have different senses of what appropriate controls really are for this important goal of FSMA.

Qualified Individuals

Another key aspect of FSMA and a change to past FDA requirements is to establish and maintain Qualified Individuals and Food Safety Lead/Teams to ensure that each location’s food safety system is adequately managed. Key requirements include the following:

• Identify a qualified lead food site operator at all times
• Be ready for an inspection with a well-scripted inspection program
• Keep the communication list within the company current, including regulatory service providers
• Food Safety Lead must be present during food operations for release of safe food
• Qualified back-ups must be established for the primary Food Safety Qualified Individual or Lead

Actions to Take

Any company that produces or distributes food product or material needs to determine compliance requirements to implement the appropriate FSMA programs. The best method for determining program development needs is to conduct an action-oriented gap assessment of current programs to FSMA requirements. Due to the Act’s complexity, this process should begin well in advance of final compliance dates. If programs are not currently in development, they must be short to avoid the potential of non-compliance to FDA, customers, and the supply chain.

Every food product and service company has an obligation to its customers to provide safe and quality food. A well-designed and well-executed food safety auditing program—with data trend analysis—provides an important tool for ensuring food safety. Auditing captures compliance status, Food Safety Management System conformance, adequacy of internal controls, potential risks, and best practices.

Combining effective auditing program design, standardized procedures, trained/knowledgeable auditors, and information technology systems and tools helps to ensure that food companies have the resources needed to get the most out of their food safety audits.

These resources may include:

• A reliable tool for conducting certification audits
• A systematic method of tracking audit status, schedule, and auditor capabilities
• Detailed audit and nonconformance data trending to help focus on risk areas for improvement
• Tracking of corrective actions
• Reports on performance metrics that allow the company to demonstrate compliance with regulatory requirements, evaluate trends, and make management decisions

The goal should be to effectively capture and analyze audit data and then use that information to improve food safety and quality, achieve certification requirements, and enhance overall business performance.

Technology Integration: Case Study

The following case study shows how integrating information technology into the auditing process can enhance data collection, analysis, and reporting capabilities.

This food manufacturer wanted to better track and manage its audit status and use the data collected to help focus on risk areas for improvement. Working with Kestrel’s food safety and IT experts, the company decided to use dynaQ™, Kestrel’s web-based assessment tool.

Kestrel took the following project approach to ensure that the company would be able to efficiently conduct its audits and, just as important, analyze audit data to uncover areas of nonconformance and opportunities to improve performance and reduce business risks.

Part 1: Project Kickoff – Identify and define initial dynaQ™ configuration, customization, training, and implementation scopes. Kestrel customized the existing platform to create nearly custom software to meet the organization’s needs.

Part 2: Project Launch and Training – Provide intensive training to ensure key staff knows how to conduct relevant inspections and are versed on reporting and data trends. At the end of the training session, staff was ready to work independently with dynaQ™.

Part 3: Implementation and Project Support – Continue training users on the dynaQ™ auditing process and provide ongoing support. The key factor in any audit program’s success is staff adoption. Ongoing support ensures that the company realizes maximum benefit.

Implementation has involved using dynaQ™ to facilitate a number of activities:

• Collect and analyze data from:
  • Daily pre-op and ATP inspections
  • Monthly GMP and glass & brittle plastic inspections
  • Twice daily operations inspections
  • ISO 22000 conformance audits under FSSC22000
  • ISO/TS22002-1 conformance audits
• Create a new form and process to facilitate the nature of quality evaluations, using dynaQ™ to compile the results
• Track noncompliance records (NRs) as the plant is notified

By integrating information technology into the auditing process, this two-month pilot project has resulted in the following benefits to the company:

• More effective pre-op
• Increased line utilization
• Immediate QA evaluation capability
• Improved efficiency and speed of data collection and report generation
• Enhanced ability to demonstrate compliance with regulatory requirements, evaluate trends, and make management decisions
• Improved data security

All types of business and operational processes demand a variety of audits and inspections to evaluate compliance with standards—ranging from government regulations, to industry codes, to system standards (e.g., ISO), to internal corporate requirements. Audits offer a systematic, objective tool to assess compliance across the workplace and to identify any opportunities for improvement.

Routine internal audits are becoming a larger part of organizational learning and development. They provide a valuable way to communicate performance to decision makers and key stakeholders. Even more importantly, audits help companies identify areas of noncompliance and opportunities for improvement.

For some audits, a company may work with a third-party auditor. This can be valuable in getting an objective assessment of overall compliance status if executed effectively. Here are some best practice tips to help prepare for an internal audit—and ensure that it goes smoothly:

1. Audit scope: Make sure that the scope of the audit is well defined and documented (i.e., regulations, management system standards, company policies). This also involves identifying which areas and functions onsite are included. For example, if contractors are leasing space, are their areas in scope or out? What about other onsite lessees, if any?
2. Documents, plans, and records: Prior to the audit, ask the auditor for a list of documents they may be looking for (e.g., OSHA logs, past audit findings). Depending on the nature of the audit, it can be an extensive list and knowing ahead of time will save time and money. If possible, collect all records in advance and have them easily accessible. If corporate policy allows, it is often advisable to send current versions of all facility-specific plans, permits, and other documents to the auditor in advance of the audit to aid in preparation and create a more efficient use of time onsite. When the auditor arrives, make sure you know where relevant records are and that they are available to the auditor (i.e., not locked up in someone else’s office). Records should be organized by type in separate folders and sorted by date. Not only does that save time, it creates less likelihood of a record being overlooked. In most cases, electronic versions of records are sufficient, as long as they can be easily retrieved and viewed on the computer.
3. Interviews: Advise individuals who may be interviewed during the audit about the purpose of the audit. Communicate well in advance of the audit so that employees aren’t caught off guard when they see an individual walking around taking notes and pictures. Prepare your employees; encourage them to cooperate and provide helpful information when asked. Every employee should:
   • Be aware of the company quality/environmental/safety/food safety policy and able to state it in their own words.
   • Be aware of the quality/environmental/safety/food safety objectives the company has set for the current time period (i.e., what the company is working on to improve the current “state”).
   • Understand how they “make a difference” (i.e., how just by doing their jobs, they are following company policy and objectives and impacting performance).
   • Be knowledgeable about the procedures and practices required for doing their job properly.
4. Schedule: Ask for an audit schedule. This can help you plan for when certain “in-the-know” people need to be available. This can save valuable time—especially for those individuals—and help ensure that those you absolutely need for the audit are available when you need them.
5. Be available: Questions often arise during an audit. It is helpful to assure that qualified and knowledgeable personnel are available to answer questions and clarify information during the audit, in addition to being present during the audit debriefing.
6. Housekeeping: Good housekeeping puts auditors at ease. Conversely, lax housekeeping is often a harbinger of compliance issues and may put auditors on heightened alert.
7. Care of a third-party auditor: Make sure there is adequate work space available for the auditor to review records and other documents—with power, a desk or table, good lighting, and access to internet/email to exchange documents during the audit.
8. Confidentiality: If the audit scope involves regulatory compliance and the company has elected to employ audit privilege mechanisms, make sure that all parties are aware of the means to be taken to ensure that audit privilege is preserved (e.g., marking notes and documents, limiting distribution of output, adhering to state-specific requirements).

Virtually every regulatory program—environmental, health & safety, security, food safety—has compliance requirements that call for companies to fulfill a number of common compliance activities. Addressing all (or those specified in the applicable regulation) of the eight compliance functions outlined below can be instrumental in establishing or improving a company’s capability to comply.

1. Inventory means taking stock of what you have. For compliance purposes, the inventory is quite extensive, including (but not limited to) the following:
   • Activities and operations (i.e., what you do – raw material handling, storage, production processes, fueling, maintenance, etc.)
   • Human resources (i.e., who does what)
   • Emissions
   • Wastes
   • Hazardous materials
   • Discharges (operational and stormwater-related)

The outcome of a compliance inventory is an operational and EHS profile of the company’s operations and sites. In essence, the inventory is the top filter that determines the applicability of regulatory requirements and guides compliance plans, programs, and activities.

2. Authorizations, permits & certifications provide a “license to construct, install, or operate.” Most companies are subject to authorizations/permits at the federal, state, and local levels. Common examples include air permits, operating permits, Title V permits, safe work permits, tank certifications, construction authorization. In addition, there may be required fire and building codes and operator certifications. Once the required authorizations, permits, and/or certifications are in place, some regulatory requirements lead companies to the preparation and updating of plans as associated steps.
3. Plans are required by a number of regulations. These plans typically outline compliance tasks, responsibilities, reporting requirements, schedule, and best management practices to comply with the related permits. Common compliance-related plans may include SPCC, SWPPP, SWMP, contingency, food safety management, and security plans.
4. Training follows once you have your permits and plans in place. It is crucial to train employees to follow the plans so they can effectively execute their responsibilities and protect themselves and the community. Training should cover operations, safety, security, and environment.
5. Practices in place involve doing what is required to follow the terms of the permits and related plans. These are the day-to-day actions (regulatory, best management practices, planned procedures, SOPs, and work instructions) that are essential for following the required process.
6. Monitoring & inspections provide compliance checks to ensure that the site is operating within the required limits/parameters and that the company is achieving operational effectiveness and performance expectations. This step may include some physical monitoring, sampling, and testing (e.g., emissions, wastewater). There are also certain regulatory compliance requirements for the frequency and types of inspections that must be conducted (e.g., forklift, tanks, secondary containment, outfalls). Beyond regulatory requirements, many companies have internal monitoring/inspection requirements for things like housekeeping and process efficiency.
7. Records provide documentation of what has been done related to compliance—current inventories, plans, training, inspections, and monitoring required for a given compliance program. Each program typically has recordkeeping, records maintenance, and retention requirements specified by type. Having a good records management system is essential for maintaining the vast number of documents required by regulations, particularly since some, like OSHA, have retention cycles for as long as 30 years.
8. Reports are a product of the above compliance functions. Reports from ongoing implementation of compliance activities often are required to be filed with the regulatory agency on a regular basis (e.g., monthly, quarterly, semi-annually, annually), depending on the regulation. Reports also may be required when there is an incident, emergency, or spill.

Reliable Compliance Performance

Documenting procedures on how to execute these eight functions, along with management oversight and continual review and improvement, are what eventually get integrated into an overarching management system (e.g., environmental, health & safety, food safety, security, quality). This documentation helps create process standardization and, subsequently, consistent and reliable compliance performance.

In addition, completing and organizing/documenting these eight functions of compliance provides the following benefits:

• Helps improve the company’s capability to comply on an ongoing basis
• Enhances confidence in compliance practices by others, providing an indication of commitment, capability, and reliability
• Creates a strong foundation to answer auditors’ questions (agencies, customers, certifying bodies, internal)
• Establishes compliance practices for when an incident occurs
• Helps companies know where to look for continuous improvement
• Reduces surprises and unnecessary spending on reactive compliance-related activities
• Informs management’s need to know

On August 14, the U.S. Food and Drug Administration issued guidance to clarify that a waiver to the Food Safety Modernization Act (FSMA) Sanitary Transportation of Human and Animal Food final rule (Sanitary Transportation rule) covers retail food establishments that sell food for humans, including those that sell both human and animal food, but does not apply to establishments that only sell food for animals.