With the passage of the Food Safety Modernization Act (FSMA) in 2011, the food industry overseen by FDA experienced the most extensive regulatory overhaul in the last 70 years. In the years since, auditing, which is used to both evaluate whether a food safety system is appropriate and effective, and to verify whether it is in compliance with certain industry or government standards, is also in a whirlwind of transition.
For instance, in 2010, the year before FSMA was signed into law, a cut green bean processor in the U.S. would have undergone regulatory inspections as well as several customer audits, either via first-party audits performed by the customer’s staff or third-party audits conducted by an outside company. As a condition of supplying a major retailer such as Walmart, the processor would also have been required to participate in a third-party audit for one of the Global Food Safety Initiative (GFSI) certifications, which is a food safety auditing platform that established a standardized level of global food safety requirements almost two decades ago.
However, in 2019 under new FSMA regulations, the farm supplying green beans to that processor is now also experiencing its first round of regulatory inspections on the federal level. What’s more, certain segments of its supply chain that were somewhat overlooked in the past (e.g., harvesters, packing facilities, etc.) are now also subject to regulatory inspections and may opt to seek out third-party auditing to confirm that their food safety management systems address all FSMA requirements.
In the current food safety auditing climate, that means that more than half of U.S. food facilities have five or fewer audits a year while a third have anywhere from six to 20 audits annually, according to a spring 2019 poll of U.S. food businesses by Lloyd’s Register.
“It remains to be seen if the volume of customer audits and request or requirements for GFSI third-party audits will decrease as FSMA implementation and regulatory inspections ramp up over in the coming years,” says Willette Crawford, principal, Food Safety and Regulatory Compliance at Katalyst Consulting. Yet regardless of what’s coming in the future, the food safety auditing industry is currently straddling two approaches as it attempts to efficiently integrate FSMA requirements into existing food safety management systems.
Prior to FSMA, although FDA required Hazard Analysis and Critical Control Points (HACCP) for seafood and juices, it was not required for the bulk of FDA-regulated products. In fact, the Federal Food, Drug, and Cosmetic Act of 1938 was the last major federal legislation passed to improve food safety for FDA-regulated facilities in the U.S.
To fill this gap in regulation and streamline auditing, a group of major retailers came together in 2005 to create GFSI, an auditing platform that made HACCP a fundamental food safety requirement for a scheme to be recognized by GFSI, setting the baseline above FDA’s regulatory requirements at that time. Individual GFSI schemes include FSSC 2200, SQF, and BRC, all of which have been widely used by industry and executed by third-party auditors internationally for the last 15 years.
A series of high-profile and deadly foodborne illness outbreaks, many tied to imported foods, prompted Congressional action. Signed into law in 2011, FSMA directed FDA to develop U.S. food safety regulations focused on prevention across the entire supply chain. Under one of FSMA’s seven rules, the Preventive Controls Rule for Human Food, FDA’s regulations now require that domestic food facilities and those importing to the U.S. develop, document, implement, validate, and keep records of a food safety plan. This food safety plan must identify food safety hazards and adulteration risks associated with the specific foods and processes involved, assess the level of risk involved, and implement controls to minimize those risks. The plan must verify that the controls used are effective, and define the corrective actions necessary to address deviations from applied controls. FSMA includes a similar rule for animal foods, and a Produce Safety Rule that addresses farm food safety.
FSMA’s Preventive Controls rules also require that food companies verify their supply chain for raw materials and ingredients, and require an audit of any supplier that controls a serious hazard not otherwise controlled downstream in the supply chain. FSMA dictates that the audit must cover the applicable regulations, be performed by a “qualified auditor,” and verify that the suppliers’ controls for the hazard identified are effective and used consistently. This also applies to imported foods under FSMA’s Foreign Supplier Verification Program (FSVP) rule. As supplier verification audits must cover all regulations applicable to the suppliers’ products, this process can involve using more than one type of audit document.
“A great deal of confusion seems to persist regarding the difference between HACCP and Preventive Controls despite FDA’s education and outreach efforts,” says Crawford. While FSMA’s preventive controls approach to controlling hazards incorporates the use of risk-based HACCP principles in its development, it goes further in many regards such as requiring a recall plan for each product for which a hazard requiring a preventive control has been identified.
Crawford also stresses that by this September, most of the FSMA compliance deadlines, which were staggered over a series of years based on risk and operation size, will have passed. And while she says FDA has used its discretion on what to enforce while the industry becomes more familiar with the new requirements, inspections and enforcement of FSMA rules such as preventive controls, FSVP, and produce safety have already begun.
“At this point, industry should already be complying and analyzing their food safety program and documentation for gaps in compliance, as well as identifying and mitigating weak points in their supply chain,” says Crawford.
Auditing Gets a New Role
While auditing has always served to assist food companies with identifying and correcting gaps in their safety practices, third-party auditing now has a new role. Designed to help FDA expand its regulatory reach on imported foods, FSMA’s Accredited Third-Party Certification rule outlines that third-party certification bodies that meet FDA’s accreditation criteria can conduct audits and issue certifications on foreign suppliers of FDA-designated high-risk foods.
These third-party certification audits fall into two categories: consultative and regulatory. Consultative audits can serve as readiness audits that assist foreign companies in understanding gaps in practice that need to be addressed to become compliant with the appropriate FSMA regulations. A regulatory audit of foreign facilities is required for FDA certification, and can also be used for verifying compliance of a company’s supply chain under FSVP. These certification audits are the basis for participating in FSMA’s Voluntary Qualified Importer Program (VQIP), which offers importers expedited review and entry of food into the U.S.
In addition to the new auditing opportunities that FSMA presents, third-party auditors continue to audit food facilities against safety program schemes such as GFSI, which are still recognized internationally and are required by some retailers. “It isn’t that GFSI audits weren’t comprehensive, in fact they have made tremendous strides in improving food safety, but they lack a required reporting feature that documents the detail that FDA wants to see,” says Patricia “Trish” A. Wester, CEO, The Association for Food Safety Auditing Professionals (AFSAP).
In fact many in the industry recommend companies striving to be FSMA compliant make sure they are GFSI certified, which will get their operation 80 percent of the way there. “Regulators all over the world, not just in the U.S., are struggling with implementation of regulation,” says Véronique Discours-Buhot, the director of GFSI. “We are all short on resources and an organization like GFSI can be part of the solution.”
In the meantime, FSMA compliance is creeping its way into the existing GFSI food safety standards. “What we’re seeing as a certification body is that when, for instance, FSSC 2200 was last updated, it now encompasses many of the FSMA requirements,” says Jennifer Lott, senior food safety auditor at SGS. “So in the new version of FSSC, you now have to look at vulnerability assessments, food defense, and how you’re meeting all those extra requirements of the FSMA law and all of its regulations.”
While existing food safety plans may encompass some of FSMA, they are not interchangeable as an FDA certification audit goes beyond the traditional food safety elements and focuses on compliance with specific regulations. “Food safety auditors are currently in a transition from these bigger, broader, every-question-you-can-think-of-food-safety-event type of audits such as GFSI,” says Wester, “to very specific FSMA audits that say, ‘Look at this cook step and this regulation. Are they doing it right?’ We are not accustomed to reporting that level of detail on a specific hazard or regulation.”
An Increasing Number of Audits
While FSMA is, at least for the time being, increasing the number of third-party audits, SGS’s Lott says she’s noticed another reason for the growing number of audits. “Walmart tells a supplier, ‘If you want to sell your product in our store, you have to be GFSI certified,’ a company gets that certification, then looks at all their raw material suppliers and says, ‘Why don’t we get all them GFSI certified as well?’” she says. This trickle-down effect has even reached packagers in a supply chain as their product includes a surface that has contact with food, she says, which buyers want to get GFSI certified as well.
In addition, the journey from farm to fork has become increasingly complex, says Stuart Kelly, head of Commercial at Lloyd’s Register. “Fifty years ago, the average supermarket stocked 200 items, 70 percent of which were processed within 100 miles,” he says. “Today, supermarkets stock around 39,000 items, and on average these items have travelled 1,500 miles before they’re consumed.” He adds that the more complex the supply chain, the higher the risk of foodborne illness hazards. “This complicates auditing but also makes it more important than ever to ensure safe, sustainable, and responsibly sourced food,” he says.
As FDA increases regulatory inspections under FSMA and third-party auditors are beginning to issue FDA certifications, the food safety auditing industry is going to be under a lot of pressure. “This industry is going to grow tremendously,” says SGS’s Lott. “And auditors are an aging population. We need to focus on how we can get young people qualified faster to answer that demand.”
Lack of qualified auditors has always plagued the industry, even before FSMA and the recent uptick of audits. “Auditors are typically independent contractors who often do two or three audits a week, spending Monday to Friday on the road,” says Wester. “How does one maintain a life or a family—let alone write their audit reports—with that kind of schedule? We don’t have enough auditors, and the ones we do have burn out too quickly.”
What’s more, many job postings for auditors require so many years of auditing experience or specialized knowledge in a specific food sector or certification scheme that it filters out most new job seekers. “We need to work out entry-level positions for auditors,” says Wester, who helped start an association to represent those in the auditing industry. “Let them start at low-risk foods and then climb up to high-risk and reward them with pay increases.”
Meanwhile Martin Fowell, director of Auditing Operations at Mérieux NutriSciences, says that they have been working with the U.S. Department of Labor on an apprenticeship program to help alleviate some of the pressures they’re seeing on auditor capacity.
But it isn’t just auditor capacity that’s a challenge—it’s auditor competency as well. GFSI recently created “knowledge exams,” also known as GFSI Auditor Exams, to offer a consistent method to assess auditor knowledge across a range of relevant skills for all GFSI-recognized programs, as well as cover HACCP and Good Manufacturing Practice (GMP) requirements, and standard auditing skills such as sampling and evidence gathering.
While this exam well help ensure a baseline of expertise, GFSI’s Discours-Buhot also says that the challenge of auditor competence stems from the fact that a good auditor does a lot more than check off boxes. “We need auditors who have not just technical but human skills,” she says, “to be able to investigate, but also be able to chat with the employees in their own language.”
Whether an audit is being done for internal assessment, toward certification, or to comply with regulation, those in the field say food companies often have an unrealistic expectation of what an audit can accomplish. “Some view these certification audits as a kind of zero-risk insurance when in fact, the auditor is taking only a snapshot of one moment in time,” says Discours-Buhot. “As an industry, we need to better communicate that the certificate is only one of the tools used to mitigate risk when it comes to foodborne illness.”
Food safety is everyone’s business, according to Wester, not just the auditor. “Every person on every line plays a critical role in producing safe food,” she says. “They are the ones who see everything and should be empowered to act when necessary. Because even the best auditor is in a facility for only a couple of days.”
Guidelines for the Fresh Tomato Supply Chain
United Fresh Produce Association recently released the updated version of the Food Safety Programs & Auditing Protocol for the Fresh Tomato Supply Chain, commonly known as the “Tomato Metrics.” These metrics were initially developed in 2009, endeavoring to harmonize food safety audit standards for the fresh tomato supply chain. It was this original effort that led to the development of the Produce GAPs Harmonized Standard.
The Tomato Working Group recommended a new structure for the Tomato Metrics in which tomato operations will use the Harmonized Standard (or other similar GAP audit) as the base food safety protocol, with the Tomato Metrics added as an industry-specific addendum. With the revision, the Tomato Metrics are limited to areas that are either unique to the tomato industry, or not necessarily unique, but not currently in the Harmonized Standards.
This update of the Tomato Metrics corresponds with the September 2018 publication of the Tomato Guidelines, 3rd ed. Together, these resources provide in-depth information and auditing protocols for the recommended food safety practices intended to minimize the microbiological hazards associated with fresh and fresh-cut tomato products.
“We hope that the new format of these metrics will encourage continued use of these standards, achieving our ultimate goal of food safety standard harmonization, and reduced audit fatigue among produce growing and handling operations,” says Emily Griep, manager of food safety, United Fresh.
The Tomato Guidelines can be downloaded for free by visiting www.unitedfresh.org.—FQ&S