The second annual World Food Safety Day (WFSD) returns on June 7, 2020 under the theme “Food safety, everyone’s business.”

WFSD was originally declared by the United Nations on June 7, 2019, to draw global attention and inspire action to help prevent, detect and manage foodborne risks, contributing to food security, human health, economic prosperity, agriculture, market access, tourism and sustainable development. 

This year’s celebration focuses on food safety being a shared responsibility—from farm to table—including governments, to producers, to consumers.

A wider reaching global supply chain exposes our food and those companies within the food supply chain to increased risk. KTL is committed to supporting companies in our increasingly complex world with effectively operating across the food supply chain, while managing food safety and quality risks.  

Both the U.S. Food and Drug Administration (FDA) and World Health Organization (WHO) offer a number of resources for companies and individuals to participate in World Food Safety Day and help reduce food safety risks.

Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices.

Most regulations, standards, and guidance require audits to be conducted with some established frequency. For many companies, figuring out how to meet these audit requirements amongst travel restrictions, new company safety protocol, and government quarantines related to COVID-19 presents a significant new challenge.

The Online Alternative

Companies come in a variety of sizes with a range of different needs. Because of this, auditing standards remain fairly flexible by design. Fortunately, this allows for online/remote/virtual audits as a viable alternative to onsite audits—provided the audits:

• Are planned well;
• Appropriately leverage technology; and
• Are executed by a team who understands the facility and the requirements.

The ultimate objective of a virtual audit remains the same as an in-person audit: To obtain credible audit evidence to accurately assess compliance/conformance with identified requirements/specifications. The difference lies in the means in which that evidence is collected (i.e., live stream video, surveillance cameras, group web meetings, electronic document review).

Weighing Risks vs. Rewards

Audits can be conducted onsite, remotely, or a combination of the two. In many cases, companies may already be having portions of the audit (e.g., document review) done remotely. Moving the entire audit to the virtual world allows credible evidence to be obtained in unique ways that can offer significant benefits to a company when onsite audits aren’t possible—and even when they are:

• Reduced cost – Online audits eliminate the expenses associated with travel (i.e., mileage, flights, hotels, meals), which can add up depending on the location and duration of the audit.
• Flexible schedule – Remote audits can be conducted on a more flexible time schedule. Auditors do not have to complete work onsite in a set number of days, as is required when traveling to a facility. The auditor can also review areas in question remotely after the audit is technically over. Note that a more flexible time schedule does not necessarily mean less time involved to conduct the audit.
• Social distancing – As CDC guidelines have recommended, it is currently safest to work remotely, when possible, or to remain six feet of social distance to avoid potential transmission of COVID-19. Through the use of technology, virtual audits provide a social distancing extreme.
• Improved systems – Preparing for a virtual audit provides the “push” some organizations need to improve electronic storage systems. To conduct a virtual audit, documents and records must be retained in an organized manner that facilitates easy/quick access. Being able to access all documents remotely is necessary—paper records or documents stored on individual computers/network drives no longer cut it.

At the same time, there are some potential risks to conducting a completely virtual audit, particularly since this practice is relatively new to many organizations:

• Observation/technology limits – Observation of site conditions is limited by the ability to direct live stream video remotely. Technology can create limitations. If the camera can’t see it, neither can the auditor. Poor video quality can impede visual clarity. You don’t know what you don’t know.
• Communication confusion – It can be difficult to read body language and/or interpret emails and phone conversations to make sure communication is clear. This can require revisiting topics/findings several times to ensure accurate evidence is collected.
• Time barriers – There may be time zone and associated scheduling barriers depending on the location of the auditor and the facility.

Considerations and Best Practices

Regardless of the type of audit a facility conducts (i.e., remote, onsite, combination), standard audit best practices should be followed to ensure that audit results are comprehensive and credible. If the company opts for a virtual audit—for any reason—there are a number of considerations and best practices to ensure that the audit effectively fulfills its objectives and alleviates the risks outlined above to the extent possible:

• Site Familiarity – Virtual audits work best if auditors are familiar with the industry and/or operations. While it is not necessary for the auditor to have visited the site before, that type of familiarity with the facility provides the best-case scenario, especially for compliance audits, as it prepares the auditor to know what to look for (and where) and what questions to ask.
• Careful Planning – Much like onsite audits, virtual audits require careful upfront planning on the part of the auditor and the facility—and perhaps to an elevated degree.
  • The facility needs to collect all documents and records prior to the audit and determine best way to present that information remotely (e.g., email/transfer ahead of time, allow access to company Intranet/shared directory space, share during a web meeting).
  • Interviews are best scheduled in advance to ensure availability; however, they can be conducted on an ad hoc basis as need arises.
  • It is best to plot out route and areas of specific focus for the audit ahead of time using a site map as a guide to ensure that all areas are covered and that the audit can be conducted as efficiently as possible using the allocated facility resources. An audit site guide must be assigned who is familiar with the entire facility.
  • Technology needs and requirements must be evaluated, and logistics and access should be tested prior to the audit. It is vital that all cameras, web meetings, shared document space, WiFi, and other technology is working appropriately prior to the audit or a lot of time can be wasted troubleshooting issues.
• Video – Videos should be live. Site walks should be led by a site guide/employee along the planned route with smart phones, iPads, etc., with live streaming capabilities. It is important to ensure that live streaming works within the facility being audited so auditors have a clear view of site conditions. Auditors can also take advantage of any in-house surveillance cameras (e.g., security or quality systems) to provide additional footage of operations, when necessary. In most cases, surveillance footage cannot replace live video.
• Web Meetings – Opening, closing, and daily briefings can be conducted via web meeting. Remote audits provide the flexibility to conduct the audit in segments, with briefings following each segment. This allows the auditor to review video footage, evaluate records, and generate questions to ensure the information collected is accurate and complete.

Companies all over the world are working through a transition period right now, where they are trying to establish what a new “normal” looks like when it comes to operating practices, employee health and safety, business continuity, and compliance. Audits are one piece of the overall puzzle that can be transitioned somewhat seamlessly with the right planning and technology in place to ensure ongoing compliance.

The following information outlines provisions the GFSI-benchmarked schemes are taking to account for audit disruptions due to COVID-19, as of April 21, 2020.

FSSC 22000

www.fssc22000.com

Re-Certification Audits (V5 upgrade audits)

• A risk assessment will be completed.
• The decision from the risk assessment could lead to extension to the current V4.1 Certificate of up to 6 months.
• The full V5 re-certification audit will need to take place within 6 months.
• The new V5 certificate will have dates aligned with the current certification cycle.

Surveillance Audits (V5 upgrade audits)

• A risk assessment will be completed.
• The decision from the risk assessment could lead to:
  • Maintaining the current V4.1 Certificate
  • Suspending the V4.1 Certificate
  • Postponement of the surveillance/periodical V5 upgrade audit by a maximum of 6 months.

BRC GS

www.brcgs.com

Recertification Audit

Where the site is operational, but a physical audit cannot occur on or before the due date and will result in an existing certificate expiring, a certificate extension of up to 6 months validity may be issued based on:

• The successful completion of a risk assessment by the certification body confirming it is appropriate to continue certification.
• The certification body completing a discussion with the site and review of procedures in place to establish the impact of COVID-19 extraordinary circumstances to the site operations and the effective implementation of an emergency response plan.
  • Certifications can only be extended by the current certification body.
  • Sites with C & D grades may not be extended.
  • For BRCGS Packaging, any extended certificates will be against Version 5.

IFS

www.ifs-certification.com

IFS is subject to the decisions of local authorities and cannot provide a general statement (each situation need to be assessed individually). In the case that an audit cannot be performed on time:

• This will result in the certificate not being renewed.
• An exceptional extension of the existing IFS Certificates is not possible.

Due to precautions taken by local authorities, it may not be possible to carry out audits. In this case, existing IFS certificates remain valid until the end of their term and then lose their regular validity.

IFS appeals to retailers and their suppliers to contact and find bilateral solutions so that supplier contracts can be maintained. The IFS will make it visible in the database if IFS certificates could not be renewed due to COVID-19.

SQF

www.sqfi.com

A certifying body can request to SQF for a site to have a one-time 6-month extension from the certificate expiration date.

• Request may not occur until site is within the audit window of the audit.
• Certifying body will conduct a risk assessment to understand and determine if there is a need to extend the certificate following the IAF Informative Document for Management of Extraordinary Events or Circumstances Affecting ABs, CABs, and Certified Organizations (IAF ID 3:2001).
• Certifying body will submit a change request and Notification Form to SQF for approval.
• Requests will be considered by the SQF Compliance Manager in consultation with the technical team and applicable certifying body and/or legal counsel.
• If the risk assessment identified a low risk of continued certification for a site, SQF will approve and certifying body will extend the expiration date for 6 months from the recertification date.
• Sites that are in the process of switching to a new certifying body, the certifying body that holds the current site’s certificate will be required to conduct the risk assessment to determine the risk level to the existing certificate.
• Unannounced audits can be waived up to 5/31/2020. Any waived must be conducted in 2021.

KTL will continue to track these changes and their impacts on the food industry. We hope KTL can be a trusted resource on many levels now and as we eventually return to “business as usual”.

At the most basic level, a root cause is the fundamental reason—or the highest-level cause—for the occurrence of a problem, incident, or event. The root cause sets in motion the entire cause-and-effect reaction that ultimately leads to the problem. Getting to the root cause of any problem is important not just for resolving the issue at hand, but for identifying underlying issues to ensure that similar problems do not occur in the future. This starts with a process called the root cause analysis (RCA).

What Is the Root Cause Analysis (RCA)?

A root cause can be permanently eliminated through process improvement. RCA is a method of problem-solving used to identify the underlying (i.e., root) cause(s) of a problem/incident. RCA can be used to solve problems and provide preventive actions for:

• Major accidents
• Everyday incidents
• Minor near misses
• Human errors
• Maintenance problems
• Medical mistakes
• Productivity issues
• Manufacturing mistakes
• Environmental releases
• Risk analysis, risk mapping

RCA is a systematic process based on the basic idea that effective management requires more than merely putting out fires. RCA focuses on finding a way to prevent these fires from recurring. Rather than just treating symptoms, RCA seeks to identify and address the true, underlying concerns that contribute to a problem or event.

Why is this important? If you just treat the symptoms of the problem, that alleviates them for the short term, but it does nothing to prevent the problem from coming back again. Lasting solutions address the underlying factors—the root cause(s)— that create the problem in the first place. Targeting corrective measures at the identified root causes, subsequently, is the best way to alleviate risk and ensure that similar problems do not occur in the future.

Best Practice

Both the Occupational Safety and Health Administration (OSHA) and Environmental Protection Agency (EPA) encourage organizations to conduct RCA following an incident or near miss at a facility. In fact, facilities covered by OSHA’s Process Safety Management (PSM) standard are required to investigate incidents that resulted in (or could have reasonably resulted in) a catastrophic release of highly hazardous chemicals. Similarly, EPA’s Risk Management Program (RMP) regulations require regulated facilities to conduct incident investigations. In addition, certain management systems, including ISO and Responsible Distribution (National Association of Chemical Distributors) to name just a few, also require RCA.

Whether an organization is subject to PSM, RMP, or management system standards, identifying the root cause of any incident or problem through RCA is a best practice that can significantly benefit organizations by identifying underlying issues to ensure that similar problems do not occur in the future. So, how do you effectively implement RCA?

Six-Step Process

RCA can be broken down into a simple six-step process, as outlined below.

Step 1: Identify and Clearly Describe the Problem

The first step is to understand and document the problem/issue/incident that actually occurred. This might involve interviewing key staff, reviewing security footage, investigating the site, etc. to get an accurate account of the issue. Certainly safety- or security-related incidents might require an immediate fix or prompt action before the carrying out the complete RCA. This is always the first priority.

Some problems are easier to define than others based on what happened and the extent of the issue. When defining and describing the problem, it is important to be as descriptive as possible, as this will aid in future steps to identify the root cause(s).

For example, the first description below is somewhat vague. The second description provides an additional level of detail that more fully documents the situation:

1. A forklift driver wasn’t wearing his seatbelt. (vague)
2. During a walkthrough of the warehouse on 2/1/20, it was observed that forklift driver John Smith, who is a contract employee, was not wearing his seatbelt while operating the forklift. (clear)

Step 2: Identify Possible Causes…Why?

There are several methods for identifying possible root causes. One of the most common is known as the “5 Why Method”. This approach simply involves asking the question “Why” enough times (i.e., five times) until you get past all the symptoms of a problem and down to the underlying root cause of the issue. The detailed problem description put together during Step 1 serves as the starting point for asking “Why”.

Let’s take our problem description from above a step further to identify the possible causes using the 5 Why Method.

Step 3: Identify Root Cause(s)

At this point, the 5 Why Method is leading you to the core issue that set in motion the entire cause-and-effect reaction and, ultimately, that led to the identified problem(s). It’s now time to determine whether the five whys have dug deep enough. Where does your questioning lead you? Is there one root cause or are there a series of root causes contributing to this incident? Often, there are multiple root causes that may be factors to address when preventing future incidents.

In our forklift operator case, the 5 Why Method points to the lack of a standardized checklist of all items to be trained on—including forklift training—prior to a new contract employee coming onsite.

Step 4: Corrective and/or Preventive Action Taken

Based on the identified root causes, it then becomes possible for the facility to determine what corrective and/or prevention actions (CAPAs) can be taken to fix the problem and, just as important, prevent it from occurring in the future. For our example, there are a number of potential CAPAs:

• Stop the employee from operating the forklift and educate him on seatbelt policy prior to resuming work
• Review contract/temp employee training program
• Retrain shift managers on training expectations
• Obtain training records for contract/temp employees
• Provide refresher/retraining, as necessary
• Add signage to forklifts and warehouse bulletin boards about seatbelt policy

Step 5: Analyze Effectiveness

The effectiveness of whatever action is taken in step 4 needs to be evaluated to determine whether it will resolve the root cause. If not, another CAPA should be explored, implemented, and analyzed to assess its impact on the issue/problem. If it is a root cause, it should help to resolve the issue and you should move on to step 6 below.

Let’s return to our example. You might ask, “Was the retraining effective?” An evaluation shows the following:

• Yes, the employee continues to operate the forklift using seatbelt.
• Yes, subsequent walkthroughs of the warehouse over the next six months have not resulted in any additional seatbelt violations.
• The next contract/temp employee brought on to assist during the busy end-of-year season was required to produce current training.

Step 6: Update Procedures, as necessary

As CAPAs are implemented, once they prove effective, related policies and procedures must be updated to reflect any changes made. This step ensures the outcomes of the RCA will be integrated into operations and used to prevent similar incidents from happening in the future.

In our current example, this might mean that the Contractor Policy is updated to include a new section specific to the hiring of contract/temp employees with the following requirements:

• Obtain valid training certificates for work performed
• Ensure Managers conduct on-the-job training for contract/temp employees specific to work performed

Benefits of RCA

Following these six steps will help to ensure a thorough investigation that identifies the root cause(s) versus just symptoms is conducted. It further ensures that any changes related to the root cause are integrated into the organization to prevent similar events from happening again. In the end, the RCA process can help:

• Reduce the risk of injury and/or death to workers and community members
• Reduce the potential for environmental damage
• Avoid unnecessary costs resulting from business interruption; emergency response and cleanup; increased regulation, audits, and inspections; and OSHA or EPA fines
• Improve public trust by maintaining an incident-free record
• More effectively control hazards, improve process reliability, increase revenues, decrease production costs, lower maintenance costs, and lower insurance premiums

KTL recently announced our partnership with Martin Mantz Compliance Solutions (Martin Mantz), developer of the GEORG Compliance Management System® software. KTL is providing regulatory compliance expertise to the German-based company as it expands its offerings to clients with operations in the United States.

In this recent article, our partners at Martin Mantz discuss how Rudolph Logistics Group, an international logistics service provider from Germany, is using GEORG as a compliance solution to provide employees clear information in accordance with ISO standards on:

• Tasks – what they have to do
• Responsibilities for implementation – who needs to do it
• Date/time of completion – when it needs to be done
• Description of the way the task is to be performed – how the task must be fulfilled

The objective is to simplify requirements to the extent possible so employees can focus on tasks to be completed without needing to interpret complicated and extensive guidelines. Read more…

KTL is pleased to announce our partnership with Martin Mantz Compliance Solutions (Martin Mantz), developer of the GEORG Compliance Management System® software. KTL is providing regulatory compliance expertise to the German-based company as it expands its offerings to clients with operations in the United States.

“Martin Mantz has created something unique with the GEORG software in that it simplifies and provides an interpretation of legal and technical requirements in a customer-specific database,” KTL Principal Lisa Langdon states. “KTL’s understanding of industrial operations, as well as U.S. legal and technical requirements (e.g., EPA, OSHA, FDA, ISO), allows us to translate these requirements into simple tasks in the GEORG system that employees can follow to help fulfill regulatory requirements.”

How GEORG Works

GEORG is used to make the requirements of standards and regulations comprehensible and transparent. KTL specializes in the practical mapping of legal requirements and audits. These audits allow KTL to create technical content for the GEORG system based on facility-specific applicability. We then work directly with the company to delegate the identified tasks. If there are revisions in the standards/regulations, KTL works in the system to ensure tasks are updated to meet regulatory requirements.

The benefits of this approach include:

• Effectiveness – All tasks are assigned, easily formulated, and regularly updated.
• Efficiency – The effort and expertise required to understand complicated regulations is reduced.
• Transparency – Responsibilities are clear and easily visible to all employees.
• Conformity – Compliance status within the system reflects the degree of fulfilment of the related requirements.

Faber-Castell Expands GEORG Implementation to U.S. Subsidiary

Faber-Castell Cosmetics, an internationally renowned Martin Mantz customer with worldwide operations, is already benefitting from the Martin Mantz-KTL partnership. After successful implementation of the GEORG software in their German facilities, Martin Mantz has worked with KTL to expand usage to Faber-Castell’s subsidiary in the U.S.

About Martin Mantz Compliance Solutions
Martin Mantz Compliance Solutions, based in Grosswallstadt and Leipzig, Germany, offers its contractual partners services in the area of ​​legal organization (GEORG) of companies to avoid organizational negligence and compliance violations. This includes consulting and provision of the compliance software GEORG Compliance Management System®, implementation of the technical and legal modules, as well as construction and maintenance of the customer-specific database. https://www.martin-mantz.de/

About Kestrel Tellevate LLC
KTL is a multidisciplinary consulting firm that specializes in providing environmental, health, and safety (EHS) and food safety management and compliance consulting services to private and government clients. Our primary focus is to build strong, long-term client partnerships and provide tailored solutions to address regulatory requirements. KTL’s services include management system development and implementation, auditing and assessments, regulatory compliance assistance, information management solutions, and training. KTL is a Small Business Administration-registered company with headquarters in Madison, WI and Atlanta, GA and offices across the Midwest and Washington, D.C. www.kestreltellevate.com

To ensure companies uphold standards (internal or external) and continuously improve performance, audits are critical. In short, there are three primary purposes of auditing:

1. Verify conformance with the standard/requirement – Are we doing what the standard/requirement says we must do?
2. Verify implementation of stated procedures – Are we following the steps in our documented procedures?
3. Evaluate effectiveness – Are we accomplishing our goals and objectives?

For an audit to be effective, appropriate mechanics must be in place when it comes to planning, execution, and reporting.

PLANNING

As with most things, your execution will only be as good as your plan. All good audits must begin with planning. This involves everything from planning for your team, to planning out the scope of the audit, to planning all the associated logistics.

Auditors: Who Is on the Team?

Depending on the size and complexity of the audits, audit teams need to be selected. These individuals must be independent of the area being audited and trained in the basic elements of the facility’s management system and/or programs. Team members will be led by a trained auditor. The auditor’s responsibilities include the following:

• Comply with and communicate audit requirements
• Prepare working documents under the direction of the Lead Auditor
• Plan and carry out the assigned responsibilities within the scope of the audit
• Collect and analyze evidence to draw conclusions
• Document audit observations and findings
• Report audit results to Lead Auditor
• Retain and safeguard audit documents
• Cooperate with and support the Lead Auditor
• Assist in writing the report

As indicated above, one person on the team is typically designated the Lead Auditor. This individual will coordinate audit assignments and address any questions/concerns that may arise. Specifically, the Lead Auditor has the following responsibilities:

• Assigns team members specific management system/program elements, functions, or activities to audit
• Provides instructions on the audit procedure to follow
• Makes changes to work assignments, as necessary, to ensure the achievement of audit objectives

Audit Objectives, Scope, and Plans: What Are We Auditing?

The audit is all about:

1. Conformance – auditing sections of the standard/requirements to determine if the system conforms
2. Implementation – auditing work instructions to see if they are being followed

In determining the audit scope, it is importation to define what is to be audited (e.g., policy, planning, implementation, checking/corrective action, management review). If the organization has more than one physical location, the scope may outline what physical locations and/or organizational activities are to be audited (e.g., production lines or departments). These factors will ultimately also help determine the length of the audit.

Logistics: How Are We Going to Do This?

There are many things to factor into the audit from a logistical standpoint for it to go smoothly. Safety should always be of utmost concern. What precautions do auditors need to take? Is there any PPE that might be necessary? Do auditors need any special safety training introduction or training before conducting the audit? Consider the facility. Auditors need to understand the operation/activity being audited. In line with this, the auditor must also have an understanding of whether there is any equipment or special resources needed, ranging from technical support (e.g., tablets, smartphones) to lunch. Finally, it is important to make sure there are no conflicts of interest when it comes to the auditor and the facility that is being audited.

EXECUTION

Once planned appropriately, audits should be conducted according to the program elements. Interviews and objectives evidence will both provide the support needed to conduct a valid audit.

Program Elements

The auditor must know in advance which elements are being covered in an audit so he/she can:

1. Control the pace of the audit.
2. Guide the course of the audit.

That being said, additional audit activities should not be restricted if other issues arise.

Auditing should only be done against current controlled work instructions or procedures related to the program elements. Procedures that are being used in the field must be verified. Historical and/or uncontrolled procedures should not be used.

Auditors must remember that they are creating a record. Notes should include statements, document numbers, identifiers (e.g., department, area), positions. Common pitfalls to be avoided in taking notes include abbreviations, no location identifier for observations, no document references, illegible, pejorative, cryptic. These things all impact the credibility of the audit.

Interviews

The goal of an interview in the audit is to obtain valid information. However, how questions are asked will impact the answer. Auditors must prepare and know what questions need to be asked and how to ask them in advance of the audit. Creating an atmosphere of trust and open communication is key to getting open and honest responses. Remember, the goal is to audit the system, not the interviewee.

The following are good rules of thumb for conducting effective audit interviews:

• Direct questions to the person who does the job, not to the supervisor.
• Never talk down to anyone.
• Speak the person’s language.
• Speak clearly and carefully.
• LISTEN!
• Use who, what, where, when and why in your questioning vs. can or does.

Objective Evidence

Objective evidence provides verifiable information, records, or statements of fact. This is vital in any audit report. Objective evidence can be based on any of the following:

• Interviews
• Examination of documents
• Observation of activities and conditions
• Results of measurements
• Tests
• Other means within the scope of the audit

Evidence should be firsthand evidence based on witnessed fact, not supposition, presumption, hearsay, rumor, or conjecture. It can be qualitative or quantitative, but it should be repeatable.

REPORTING

Findings form the basis of the report. Findings can be classified in one of two ways:

• Nonconformance is the observed absence of or lapse in a required procedure or the total breakdown of a procedure that can cause a negative impact on the organization’s environmental performance. These can fall into a few categories:
  • Does not meet the requirements of the standard. This may include issues identified with records, procedures, work instructions, and use of controlled documents.
  • Is not fully implemented. Most commonly, these implementation nonconformances may relate to training, communication, and documentation.
  • Is improperly implemented. This is often demonstrated by worker lack of understanding, improper implementation of written work instruction, or missing stated required deadlines.
• Opportunity for improvement is just that—an opportunity to improve management to either reduce impacts, minimize legal requirements, prevent future nonconformances, or improve business performance.

The following examples and tips can serve as guidelines for writing useful and more concrete findings that will the company to identify opportunities for improvement:

• Do not overstate conclusions.
  • Poor: The procedure for handling spent light bulbs is being ignored.
  • Better: Three spent fluorescent bulbs were found in the general trash.
• State the problem clearly and exactly.
  • Poor: Instruments are not being calibrated.
  • Better: The sampling and analytical instruments in the wastewater treatment plant are not calibrated.
• Avoid generalities.
  • Poor: The area’s empty drum management process is inadequate.
  • Better: The hi-lo driver in the area handling empty drums was not trained on hazardous material handling.
• Communicate the extent of the problem fully.
  • Poor: All cardboard in the catalytic converter area is being sent to the compactor.
  • Better: None of the cardboard in the catalytic converter area was being stored and/or evaluated for reuse as dunnage.
• Do not focus on criticisms of individuals.
  • Poor: Jim Jones had no understanding of the safety policy.
  • Better: Discussions with several employees indicated that the safety policy was not fully understood.
• Give specific references.
  • Poor: Hazardous waste area inspections have not been conducted.
  • Better: Weekly hazardous waste storage area inspections (VMEWP-008) have not been conducted since June 2002.
• Avoid indirect expressions.
  • Poor: There were occasions when the reports were not filed on time. It appears the air monitoring equipment is not calibrated.
  • Better: Reports were filed late on ten occasions in 2002. There were no records of air monitoring equipment calibrations for 2001 or 2002.

Audits are a skilled activity. They provide the basis for assessment of conformance and, correspondingly, company actions to improve performance. For audits to be valuable, however, the audit process must be consistent and controlled. Clearly and correctly documented nonconformances lead to appropriate corrective actions—the mechanism for translating audits into improvements.

The audit report communicates the information, findings and opinions derived from the audit.  The report communicates either acceptability of the current status of the management system or reports non-conformances that need corrective action. The following outlines the suggested steps for reporting audit results.

Step 1. Assess the Status of Current Internal Controls

One of the auditor’s main responsibilities is to evaluate whether the current internal controls that govern the management system are adequate. Do the audits:

• Highlight areas of concern or hazards that may be a failure waiting to happen?
• Focus attention of the 20% of the factors that cause 80% of the problems?
• Help to eliminate ineffective controls or make existing controls better?
• Aid in the detection and prevention of deficiencies or non-conformances?
• Look through and investigate possible “homeblindness”?
• Verify the management system links are supportive and feed each other information to assure continual improvement?

The auditors must constantly challenge the status quo and push the management system forward beyond its comfort level.

Step 2. Prepare Audit Report

Most facilities use a formal audit report system. The audit report format is prescribed and followed by the auditor. The auditor typically states:

• Date and time of audit
• Department audited
• Management system clauses audited to
• Personnel interviewed
• Documents reviewed
• Summary of findings
• Conformance or non-conformance determination

Step 3. Discuss Audit Findings

The lead auditor will then take the completed audit report and review the contents with the affected department head. Upon acceptance by the department head, the final audit report should then be signed by the department head verifying acceptance and responsibility for any change(s) required.

Step 4. Determine Plan of Action

The entire reason for conducting internal management system audits is to verify conformance and continually improve on the management system. Therefore, it is extremely important that all identified non-conformances are corrected in a timely manner.

Some companies place all audited non-conformances into their corrective/preventive action process for tracking purposes. Others place only critical non-conformances into the corrective/preventive action process. Regardless of the mechanics of tracking the identified audited non-conformances, it is imperative that corrective action is taken.

Once the corrective action is in place, the auditors should review the actions taken and verify the root cause was identified properly and resolved. An accept or reject decision can then be rendered for the change action.

If acceptable, no further action is required, and the issue is considered resolved. If unacceptable, the department head must complete a new root cause analysis, develop a new action plan, and put the new action plan into place. The auditors will now review the new action plan and make a determination of acceptance or rejection.

Audit Team Members

It is advisable to rotate your internal management system audit team members. This will allow for fresh perspective and a new set of eyes to look at the management system. This serves many purposes:

• Gives a specific timeframe of responsibly for those thinking of enlisting as an auditor
• Allows for gradual increase of responsibility over time; new auditors learn and perform audits, older auditors become mentors for the new auditors, graduates leave program and are viewed by company personnel as “knowledge experts” on the management system
• Allows for fresh perspective on auditing
• Trains numerous employees on the management system
• Reinforces the concept of continuous improvement

Are You Prepared?

Use your answers to the questions below to evaluate your preparation for reporting audit results.

• Has the auditor evaluated the current internal controls for suitability, adequacy, and effectiveness?
• Does the auditor have hard copy evidence of conformance and/or non-conformance?
• Have all questions prepared prior to the audit been satisfactorily answered and explained?
• Is the audit report clear, concise, and informative?
• Does the department head agree or disagree with the findings?
• Are all identified non-conformances tracked and resolved in a timely manner?
• Based on audit non-conformances, are procedures and work instructions being changed and improved?
• Do employees understand the management system is being audited, not the employee?
• Is change readily accepted by company personnel?

All materials that are part of the food supply chain, including food packaging and contact materials, can significantly influence food safety. Inadequate packaging can fail to protect food properly or allow for contamination or adulteration. Producing safe food demands food safety management and compliance from all who contribute to the final food packaging and contact materials—those supplying materials, making the packaging, manufacturing food contact materials, and distributing the final packaged products.

Setting the Standard

Under the Global Food Safety Initiative (GFSI) standards, major schemes (e.g., IFS PACsecure, the BRC Global Standard for Packaging, SQF Packaging, and FSSC 22000) provide guidance for the producers of packaging materials to ensure the safety and quality of food and non-food products.

The GFSI standards are described as different but equal. It is important that companies determine the best fit of the GFSI options for their own company requirements. All of the standards help manufacturers, packers/fillers, and retailers demonstrate that every reasonable measure has been taken to avoid a food safety incident. Qualified legal reviews have shown that these GFSI benchmarked standards also meet nearly all of the food safety requirements of FDA/FSMA.

The GFSI standards address the requirements to assure food safety by applying the Hazard Analysis and Critical Control Points (HACCP) and Good Manufacturing Practice (GMP) principles specific to food packaging risk and this sector of the food industry. The standards help manufacturers take responsibility by establishing a recognized Food Safety Management System (FSMS).

Each food packaging standard follows a defined documentation program for GFSI certification, and may fit specific packaging applications and food risk differently. As a general example, the FSSC 22000 certification scheme uses ISO 22000 and PAS 223 to identify the requirements for certification and to define a set of food safety requirements, as listed in sections 4-8 of the standard (see table below).

Preparing for Certification

Taking measures upfront to adhere to food safety standards helps assure that food packaging will meet in-use demands and regulatory requirements so that the food contents can be enjoyed safely. To prepare for certification, companies should:

• Identify regulatory requirements, which may include commissioning of plant and equipment to confirm compliance with food safety requirements
• Set clear target dates for assessment and implementation
• Establish an informed and thorough materials evaluation process
• Identify and document food safety hazards and relevant control measures (HACCP/GMP)
• Identify applicable GMPs (e.g., pest control, equipment & building maintenance, housekeeping & cleaning)
• Establish a robust FSMS that aligns with existing management systems (i.e., quality, environmental, health & safety)
• Implement any needed structural improvements
• Institute ongoing material and packaging testing protocols, as well as strict handling and use requirements

Case Study: Food-Grade Paper Mill

Kestrel has been involved with a number of paper and packaging facilities considering expanding production operations to manufacture food-grade product that meets GFSI, FSSC 2200, GMP, HACCP, and customer requirements. The following provides an example of how a Kentucky-based paper mill commissioned its site to manufacture paper products to meet the needs of food customers nationwide.

Phase 1: HACCP/GMP Compliance Analysis

Due to the recent changes in regulatory and certification requirements, this paper mill needed to be confirmed or commissioned as food-material compliant to continue its food-grade materials manufacturing. Building on its existing management system documentation, originally designed and certified to ISO 9001, the mill determined that it would comply with FDA food contact paper requirements and sought alignment with the GFSI FSSC 22000 standard.

Kestrel conducted a preliminary GMP/HACCP certification analysis to provide a third-party audit report on the mill’s compliance to regulatory and industry standards. The desktop, physical site, and process reviews included analysis of the following:

• Site HACCP program
• Risk analysis assessment
• GMP requirements under FDA
• Supplier program and receipt of goods
• Customer requirements and release of goods
• CAPA management
• Food safety objectives/policy

Based on this assessment, Kestrel established a project workplan and estimated timeline to develop and implement a food safety management program for both FDA and GFSI FSSC 22000 certification requirements.

Phase 2: GMP/HACCP FSMS

The mill proceeded with establishing the required programs for compliance to regulatory and industry standards for the manufacture of food-grade product meeting the processing requirements under GMP and HACCP. Specific project goals for this phase included:

• Designing and implementing a sustainable and compliant FSMS
• Developing a system that fully complies with all the FDA and industry (GFSI/HACCP) programs, procedures, and metrics
• Using a design and implementation process that draws from existing business/management systems and documentation
• Using a process that actively engages the workforce in the design/development, implementation, and ongoing improvement activities of the FSMS to create a participative food-safe packaging culture
• Using a scalable design and implementation process that is responsive to the company’s resources

Kestrel began this phase of the project by focusing on foundational management system elements and working stepwise through the GMP and HACCP programs. Project tasks included:

• Completing food safe packaging compliance register
• Conducting physical review
• Developing HACCP/preventive controls plan
• Creating GMP requirements list
• Developing food safety plan policies/procedures
• Determining second level procedures and work instructions
• Developing/providing training modules
• Conducting internal audits
• Starting management reviews
• Commencing program integrity audits and status updates
• Integrating with current corrective actions and management processes
• Starting FSSC certification process (staged)

Kestrel’s most recent review and assessment of the mill’s management systems and approaches to food safety standards indicate that the overall business integrity and compliance is at the highest level in respect to food safety packaging standards. A legal review has confirmed that the process and developed programs also meet food safety legal requirements.

Benefits

The flexible packaging industry has experienced rapid growth. Ongoing innovation has led to more new materials being used, growth in packaging formats, extreme in-use conditions, and increasingly more stringent FDA regulations and food safety standards. Commissioning plants for food safety is vital to operating within the food industry.

A company’s achievement as a reliable supplier is linked to its capability to provide safe products. In addition, adhering to food safety standards:

• Allows manufacturers to report on their status to key stakeholders (e.g., food retailers, customers)
• Covers areas of hygiene and product safety throughout the packaging industry
• Helps ensure that suppliers are also following good hygiene practices to complete the due diligence chain
• Ensures that a sustainable quality and product safety system is established and continually improved

Auditing is a management tool that can be used to evaluate and monitor the internal performance and compliance of your company with regulations and standards. An audit can also be used to determine the overall effectiveness of an existing system within your company.

How do you incorporate compliance auditing best practices to help maximize compliance, efficiency, and value of your audit? Here are five critical factors for value-added audits.

1. Goal Aligned with Business Strategy

There are many reasons why companies conduct audits:

• Support commitment to compliance
• Avoid penalties
• Meet management system requirements
• Meet corporate or customer mandates
• Support acquisition or divestiture
• Assess organizational structure and competency
• Identify cost saving and pollution prevention opportunities
• Determine alignment with strategic direction

It is vital to define and understand the goal of your compliance audit program before beginning the audit process. Establishing goals enables recognition of broader issues and can lead to long-term preventive programs. Not establishing a clear, concise goal can lead to a waste of resources.

Audit goals and objectives should be nested within the company business goals, key performance objectives, and values. An example of a goal might be to effectively measure environmental compliance while maintaining a reasonable return on investment.

Once the goal is established, it is important to communicate it across all functions of the organization to get company-wide support. Performance measurements should also be communicated and widely understood.

2. Management Buy-in

The audit program must have upper management support to be successful. Management must exhibit top-down expectations for program excellence, view audits as a tool to drive continuous improvement, and work to imbed audits within other improvement processes. Equally important, management must not use audit results to take punitive action against any person or department.

3. Documented Audit Program Systematically Applied

Describe and document the audit process for consistent, efficient, effective, and reliable application. Audit procedures should be tailored to the specific facility/operation being audited. A documented program will include the following:

• Scope. The scope discusses what areas/media/timeframe will be audited. The scope of the audit may be limited initially to what is manageable and can be done very well, thereby producing performance improvement and a wider understanding and acceptance of objectives. It may also be limited by identifying certain procedural or regulatory shifts and changes. As the program is developed and matures (e.g., management systems, company policy, operational integration), it can be expanded and, eventually, shift over time toward systems in place, prevention, efficiency, and best practices. It is important at the scoping stage to address your timeline. Audits should be scoped to make sure you get them done but also to make sure you have audited all compliance areas in an identified timeframe.
• Criteria. Compliance with requirements will clearly be covered in an audit, but what about other opportunities for improvement (e.g., pollution prevention, energy savings, carbon reduction)? All facilities need to be covered at the appropriate level, with emphasis based on potential compliance and business risks. Assess the program strengths, redundancy, integration within the organization, and alignment with the program goal. Develop specific and targeted protocols that are tailored to operational characteristics and based on applicable regulations and requirements for the facility. As protocols are updated, the ability to evaluate continuous improvement trends must be maintained.
• Auditor training (i.e., competency, bias). A significant portion of the audit program should be conducted by knowledgeable auditors (e.g., independent insiders, third parties, or a combination thereof) with clear independence from the operations being audited and from the direct chain of command. For organizational learning and to leverage compliance standards across facilities, it is good practice to vary at least one audit team member for each audit. Companies often enlist personnel from different facilities and with different expertise to audit other facilities. Periodic third-party audits further bring outside perspective and reduce tendencies toward “home-blindness”.

Training should be done throughout the entire organization, across all levels:
+ Auditors are trained on both technical matters and program procedures.
+ Management is trained on the overall program design, purpose, business impacts of findings, responsibilities, corrections, and improvements.
+ Line operations are trained on compliance procedures and company policy/systems.

Consider having auditor training conducted by an outside source to teach people how to decide what to audit and follow a trail. It can also work well to train internal auditors by having them audit alongside an experienced 3rd party.

• Audit conduct (i.e., positive approach). A positive approach and rationale for the audit must be embraced. Management establishes this tone and sets the expectation for cooperation among all employees. Communication before, during, and after the audit is vital in keeping things positive. It is important to stress the following:
  • Auditor interviews are evaluating systems, not personal behaviors.
  • The audit is an effective tool to improve performances.
  • Results will not be used punitively.
• Audit reporting. Information from auditing (e.g., findings, patterns, trends, comparisons) and the status of corrective actions often are reported on compliance dashboards for management review. Audit reports should be issued in a predictable and timely manner. It is desirable to orient the audit program toward organizational learning and continual improvement, rather than a “gotcha” philosophy. “Open book” approaches help learning by letting facility managers know in advance what the audit protocols are and how the audits will be conducted. Documentation is essential, and reporting should always align with program goals and follow legal guidance. There is variability in what gets reported and how based on the company’s objects. For example:
  • Findings only vs. opportunities for improvement and best management practices?
  • Spreadsheet vs. long format report?
  • Scoring vs. prioritization of findings (beware of the unintended consequences of scores!)?
  • Recommendations for corrective actions included or left for separate discussion?

• Corrective and preventive action. Corrective actions require corporate review, top management-level attention, and management accountability for timely completion. A robust root cause analysis helps ensure not just correction/containment of the existing issue, but also preventive action to assure controls are in place to prevent the event from recurring. For example, if a drum is labeled incorrectly, the corrective action is to relabel that drum. A robust plan should be to also look for other drums that might be labeled incorrectly and to add and communicate an effective preventive action (e.g., training or posting signs showing a correctly labeled drum).
• Follow-up and frequency. Address repeat findings. Identify patterns and seek root cause analysis and sustainable corrections. Communications with management should be done routinely to discuss status, needs, performance, program improvements, and business impacts. Those accountable for performance need to be provided information as close to “real time” as possible. There are several levels of audit frequency, depending on the type of audit:
  • Frequent: Operational (e.g., inspections, housekeeping, maintenance) – done as part of routine day-to-day operational responsibilities
  • Periodic: Compliance, systems, actions/projects – conducted annually/semi-annually
  • As needed: For issue follow-up
  • Infrequent: Comprehensive, independent – conducted every three to four years

4. Robust Corrective Action Program

As mentioned above, corrective actions are a must. If there is no commitment to correction, there is no reason to audit. A robust root cause analysis is essential. This should be a formal, yet flexible, approach. There should be no band-aids. Mistake-proof corrections and include metrics where possible. In the drum example given above, a more robust corrective action program would look at the root cause: Why was the drum mislabeled? Did the person know to label it? If so, why didn’t they do it?

The correction itself is key to the success of the audit program. Establish the expected timeframe for correction (including addressing preventive action). Establish an escalation process for delayed corrections. Corrective actions should be reviewed regularly by upper management using the existing operations review process. There must also be a process for verification that the correction has been made; the next audit cycle may not be sufficient.

Note also that addressing opportunities for improvement, not just non-compliance findings, may increase the return on investment associated with conducting an audit.

5. Sharing of Findings and Best Practices

Audit results should be communicated to increase awareness and minimize repeat findings. Even if conducted under privilege, best practices and corrections can and should still be shared.  Celebrate the positives and creative solutions. Stress the value of the audit program, always providing metrics and cost avoidance examples when possible. Inventory best practices and share/transfer them as part of audit program results. Use best-in-class facilities as models and “problem sites” for improvement planning and training.

Value-Added Audit

An audit can provide much additional value and return on organization if it is planned and managed effectively. This includes doing the following:

• Align program goal with business strategy to secure top-down buy-in
• Expand criteria beyond compliance
• Gain goodwill through positive approach
• Document program and results
• Monitor for timely, effective corrective action
• Share opportunities for improvement