Copyright © Global Coalition for Sustained Excellence in Food & Health Protection, 2011 and ALL subsequent years: Unauthorized use and/or duplication of this material without express and written permission from this blog’s authors and/or owners is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Global Coalition for Sustained Excellence in Food & Health Protection with appropriate and specific reference and/or link to the original content.

Saturday, 6 February 2016

Guarding Against Assumptive & Misleading Conclusions


Announcements of this sort are well and good but I would suggest that you carefully read the policy before assuming that CFIA will accept GFSI certification in lieu of its regulatory oversight. The term “private” used by CFIA to describe these certifications is with deliberate intent. GFSI schemes may be acknowledged by regulatory bodies. This does not necessarily mean that the regulatory bodies endorse or sanction the private certification schemes. It certainly does not mean that the regulators require food business to be certified to the schemes.

In the CFIA Policy for example, CFIA says it has enough confidence to “consider” GFSI certification. What must be understood about this consideration is explained in points that are clearly stated within the policy.
Here are some of the points in the policy statement:

"In determining the level of risk associated with a regulated party or their establishment, the CFIA may assess the requirements of a private certification scheme used by the regulated party against food safety regulatory requirements and factor the assessment results into its risk-based planning and prioritization."

Note, from this statement, that CFIA "may assess", i.e. CFIA is not committing to doing so. CFIA, in this statement, also clearly asserts the superiority of its food safety regulatory requirements over private certifications.

"It should be noted", the statement went on to say, "that there is no requirement by virtue of this policy for a regulated party to become certified to any private certification scheme nor does this negate regulatory oversight."

This point of note clearly and sufficiently states the stance that CFIA has taken with private certification schemes. Food businesses may have private certifications but they are still going to be subject to regulatory oversight (i.e. regulatory inspections or assessments with expected mandatory compliance).

Refer also to point #7 under the heading "Assessment Process". It states:
"Assessment outcomes will not constitute any formal approval, recognition or endorsement of the private certification schemes by the CFIA"

A policy notification email has also been sent out to subscribers by CFIA as provided below:

February 3, 2016

The Canadian Food Inspection Agency (CFIA) has published its Private Certification Policy (Food Safety) http://www.inspection.gc.ca/about-the-cfia/accountability/consultations/regulatory-risk-based-oversight/private-certification-policy/eng/1452808755126/1452808821799, which was developed based on stakeholder feedback. 

This policy will enable the CFIA to enhance its risk-based oversight by considering private certification schemes as one of several factors when planning its activities, and allow the Agency to target its inspection activities in areas of highest risk.  

Private certification schemes are formal, documented food safety systems that are developed and administered by the private sector. The policy does not require a change of regulations and does not replace regulatory oversight. The CFIA will continue to verify compliance with regulatory requirements. 

The CFIA will not recognize or endorse any private certification schemes. All private certification schemes will be assessed individually. An establishment certified by a private certification scheme that the CFIA has assessed may see adjustments in inspection frequencies as the Agency focuses on areas of greatest risk. Industry remains responsible for choosing certification schemes that suit their needs.       

For more information on the policy, please contact:

Program Policy Integration Division
Program Regulatory and Trade Policy Directorate Policy and Programs Branch, CFIA

The U.S FDA-FSMA takes a similar stance as is reflected in the Canadian (CFIA) policy. For example, FDA, under FSMA, recognizes the auditor qualification process of the GFSI schemes but it reserves the right to assess such auditors against expectations under FSMA. You may read the full post on “FSMA Comments Relating to GFSI Schemes 
Posted by Felix Amiri
___________________________________________________________
Felix Amiri is currently the chair of GCSE-Food & Health Protection

FSMA Comments Relating to GFSI Schemes

For the purpose of discussion, this post presents comments taken from the FDA-FSMA Final Rule on Preventive Controls for Human Food. I have highlighted some points that I consider to be of interest. You may share others.

An indicated key area of use for 3rd-party certification schemes such as the GFSI schemes relate to imported food. The FSMA proposal is to have FDA-accredited 3rd-party auditors that may be involved as part of the Foreign Supplier Verification Program (FSVP). This leaves at least two important questions:

1.     What would happen to the accreditation if an FDA-accredited 3rd-party certifies a number of exporters that subsequently cause food poisoning outbreaks in the U.S?

2.  Will such performance of the accredited parties be tracked with any actions taken? If not, where does the proposed accreditation leave us . . . in make-belief land?

FDA 3rd party auditor accreditation under FSVP is becoming quite the rage but mark my words: It's only a matter of time (perhaps after a few unpleasant occurrences) before this seemingly great accreditation idea is re-visited, seriously revised or repealed altogether.

The following is only an excerpt of comments and responses: 

 III. General Comments on the Proposed Rule
(Comment 8) Some comments ask us to re-evaluate the proposed human preventive controls rule, compare it with existing programs, and identify a mechanism for integrating compliance verification with existing industry and governmental programs. These comments note that many handlers/ processors use and understand voluntary food safety management systems such as HACCP and HACCP based certification programs (e.g., certification to Global Food Safety Initiative (GFSI) benchmark schemes) and ask us why we proposed to create a separate inspection framework for FSMA, without integrating that inspection framework with existing programs.
(Response 8) We decline this request. As previously discussed, we are establishing this rule as required by section 103 of FSMA (78 FR 3646 at 3657–3659 and 3668–3669). However, where compliance with this rule mirrors compliance with existing regulatory requirements, there is no need to duplicate existing records, which may be supplemented as necessary to include all of the required information. (See also Response 5 regarding implementation of a national Integrated Food Safety System.)
 C. Proposed § 117.126(b)—Contents of a Food Safety Plan
We proposed that the written food safety plan must include the written hazard analysis, preventive controls (including the supplier program and the recall plan), procedures for monitoring the implementation of the preventive controls, corrective action procedures,

and verification procedures. As discussed in more detail in section XLII, we have revised the phrase ‘‘supplier program’’ to ‘‘supply-chain program’’ throughout the regulatory text. In the remainder of this document, we use the phrase ‘‘supply-chain program’’ in section headings and when referring to the provisions of the final rule. We continue to use the term ‘‘supplier program’’ when describing the proposed provisions and the comments regarding the proposed provisions.
(Comment 382) Some comments ask us to recognize that existing HACCP plans, such as those developed in accordance with the EU 2004 Food Hygiene law and GFSI-compliant food safety plans, can satisfy the requirements for what must be in a food safety plan.
(Response 382) To the extent that an existing HACCP plan or GFSI-compliant food safety plan includes all required information, a facility can use such plans to meet the requirements of this rule. We expect that many existing plans will need only minor supplementation to fully comply with these requirements. Relying on existing records, with supplementation as necessary to demonstrate compliance with the requirements of the human preventive controls rule, is acceptable (see § 117.330).
A. Flexibility in the Requirements To Validate Preventive Controls
 With some exceptions (see discussion of proposed § 117.160(b)(3) in section XXXIII.D), we proposed that you must validate that the preventive controls identified and implemented in accordance with proposed § 117.135 to control the significant hazards are adequate to do so (proposed § 117.160(a)).
(Comment 496) Some comments ask whether we will endorse certification under GFSI as satisfying the requirements for validation.
(Response 496) GFSI was established to support improvements in food safety management systems to ensure confidence in the delivery of safe food to consumers worldwide (Ref. 83). GFSI has developed a guidance document that specifies a process by which food safety schemes may gain recognition by GFSI, the requirements to be put in place for a food safety scheme seeking recognition by GFSI, and the key elements for production of safe food or feed, or for service provision (e.g., contract sanitation services or food transportation), in relation to food safety (Ref. 83). We have no plans to endorse certification under GFSI (or any other standard setting organization) as satisfying the requirements for validation. However, to the extent that scientific and technical information available from GFSI or another standard setting organization provides evidence that a control measure, combination of control measures, or the food safety plan as a whole is capable of effectively controlling the identified hazards, a facility may use such information to satisfy the validation requirements of the rule.
B. Proposed § 117.180(c)—Qualification Requirements
1.    Proposed § 180(c)(1)—Preventive Controls Qualified Individual (PCQI):

We proposed that to be a preventive controls qualified individual, the individual must have successfully completed training in the development and application of risk-based preventive controls at least equivalent to that received under a standardized curriculum recognized as adequate by FDA or be otherwise qualified through job experience to develop and apply a food safety system. We also proposed that this individual may be, but is not required to be, an employee of the facility.
(Comment 562) Some comments ask us to work with industry to establish a national training curriculum and standards for knowledge requirements before the final rule is issued. Comments recommend that curriculum and training requirements be consistent with already existing standards, including Better Process Control School, International HACCP, GFSI, Seafood HACCP, and those trainings offered by Cooperative Extension or State Agriculture departments. Some comments ask us to allow flexibility for industry to continue current training programs without receiving express approval from the FSPCA. Other comments ask that a standardized curriculum for training a preventive controls qualified individual be harmonized with the GFSI requirement.
(Response 562) As discussed in Response 2, the FSPCA is establishing a standardized curriculum. The curriculum will focus on the specific requirements of the human preventive controls rule. Training providers do not need approval from the FSPCA to use the curriculum.
B. Appropriate Supplier Verification Activities ((Final § 117.410(b))
We proposed to require that appropriate supplier verification activities include: (1) Onsite audits; (2) sampling and testing of the raw material or ingredient, which may be conducted by either the supplier or receiving facility; (3) review by the receiving facility of the supplier’s relevant food safety records; or (4) other appropriate supplier verification activities based on the risk associated with the ingredient and the supplier (proposed § 117.136(c)(1))
(Comment 673) Some comments support the inclusion of other appropriate supplier verification activities based on the risks associated with the ingredient and the supplier because it provides flexibility for facilities to design risk-based programs that are appropriate for their operations. Comments suggest other verification activities may include receiving raw materials and other ingredients from a supplier without a full audit report if the supplier maintains certification to a standard recognized by GFSI; providing for documentary verification (such as fact-specific questionnaires and representations exchanged between the supplier and the receiving facility); and confirming that a facility, especially a small manufacturing facility, is licensed by the appropriate State or local regulatory authority.
(Response 673) We are retaining this provision to allow other appropriate supplier verification activities based on supplier performance and the risk associated with the raw material or other ingredient. We have revised the regulatory text to refer to ‘‘supplier performance and the risk associated with the raw material or other ingredient’’ because ‘‘supplier performance’’ is more appropriate than ‘‘risk associated with the supplier.’’ We use the term ‘‘risk’’ as defined by the Codex Alimentarius Commission to be ‘‘a function of the probability of an adverse health effect and the severity of that effect, consequential to a hazard(s) in food’’ (Ref. 90). As discussed in section XLIV.D, the considerations for supplier performance, which can be related to the probability of a hazard in the raw material or ingredient and the severity of adverse health effects that can result, are broader than this. We agree that a supplier’s certification to a GFSI scheme that considers FDA food safety regulations can be a consideration in the determination of the type and frequency of the verification activity conducted. Similarly, fact-specific questionnaires and representations exchanged between the supplier and the receiving facility can be a consideration in the determination of the type and frequency of the verification activity conducted. Confirming that a facility is licensed by the appropriate State or local regulatory authority should not serve as the only verification that a supplier is controlling the hazard, because the requirements for a license and the degree of inspectional oversight could vary greatly. We do provide for modified supplier verification activities for qualified facilities, which are very small businesses (§ 117.430(c)).
C. Purpose of Supplier Verification Activities for Raw Materials and Other Ingredients (Final § 117.410(c))
We proposed to require that a supplier program include verification activities, as appropriate to the hazard and documentation of these activities, to verify that: (1) The hazard is significantly minimized or prevented; (2) the incoming raw material or ingredient is not adulterated under section 402 of the FD&C Act or misbranded under section 403(w) of the FD&C Act; and (3) the incoming raw material or ingredient is produced in compliance with the requirements of applicable FDA food safety regulations   (proposed § 117.136(a)(3)(ii)). We have revised the provision to specify that the supply-chain program must provide assurance that a hazard requiring a supply-chain-applied control has been significantly minimized or prevented. If the supply-chain program provides assurance that a hazard requiring a supply-chain-applied control has been significantly minimized or prevented, it is not necessary to also specify that the incoming raw material or ingredient is not adulterated under section 402 of the FD&C Act or misbranded under section 403(w) of the FD&C Act. We also have deleted the requirement that the verification activities must verify that the incoming raw material or ingredient is produced in compliance with the requirements of applicable FDA food safety regulations and instead focused that requirement as a factor that must be considered in approving suppliers and determining the appropriate supplier verification activities and the frequency with which they are conducted rather than as one of the stated purposes of the supply-chain program. See the regulatory text of § 117.410(d)(i)(iii)(B).
(Comment 683) Some comments support the provision for audits when there is a reasonable probability that exposure to the hazard will result in serious adverse health consequences or death to humans. Some of these comments state that audits should be the default verification activity in order to eliminate facilities choosing the lowest cost option regardless of whether it was best for food safety. Other comments state that audits would be the best option for facilities that cannot visit each supplier annually and that onsite inspection can identify problems in ways that paperwork reviews cannot. However, other comments oppose this requirement. Some of these comments express concern that this requirement does not allow the necessary flexibility for a facility to tailor an effective supplier program based upon risk. Other comments state that annual audits are neither the preferred nor the most effective verification measure and express concern that the provision sets a precedent that annual audits are the preferred or most effective verification measure and that other verification activities often can help paint a more accurate picture of a supplier over time. Other comments express concern that audits only give a ‘‘snapshot’’ of a supplier’s performance at a given time and ask that we not overemphasize audits.
(Response 683) We are retaining this provision as proposed. As we indicated in the Appendix of our 2013 proposed preventive controls rule, an increasing number of establishments are requiring, as a condition of doing business, that their suppliers become certified to food safety management schemes that involve third-party audits (78 FR 3646 at 3818–3820); republished in its entirety with corrected reference numbers on March 20, 2013, 78 FR 17142 at 17149–17151). An online survey of retail suppliers noted that such certification enhanced their ability to produce safe food (Ref. 94). We agree that onsite audits can identify problems in ways that paperwork reviews cannot. Because an audit involves more than simply observing the facility producing a food product, we believe it is more than just a ‘‘snapshot’’ of the supplier’s programs. As discussed in Response 669, onsite audits can include observations, records review and employee interviews. The requirement to conduct an annual audit in specified circumstances is risk-based because the specified circumstances are limited to situations where there is a reasonable probability that exposure to the hazard in the raw material or other ingredient will result in serious adverse health consequences or death to humans. The food safety controls applied by suppliers of such raw materials or other ingredients are more important than for other types of hazards because of the serious adverse health consequences that can occur if the hazards are not controlled. Annual audits are required of certification schemes that are benchmarked to the Global Food Safety Initiative Guidance Document for GFSI recognition (Ref. 95). We disagree that this requirement does not provide flexibility in choosing verification activities; in recognition that other verification activities can help paint a more accurate picture of a supplier over time, we have provided for alternative verification activities or audit frequencies if the receiving facility documents its determination that other verification activities and/or less frequent onsite auditing of the supplier provide adequate assurance that the hazards are controlled (see § 117.430(b)(2)).
A. Requirements Applicable to an Onsite Audit (Final § 117.435(a) and (b))
 We proposed that an onsite audit of a supplier must be performed by a qualified auditor. If the raw material or ingredient at the supplier is subject to one or more FDA food safety regulations, an onsite audit must consider such regulations and include a review of the supplier’s written plan (e.g., HACCP plan or other food safety plan), if any, including its implementation, for the hazard being audited (proposed § 117.136(d)). We have revised ‘‘including its implementation’’ to ‘‘and its implementation’’ to emphasize that implementation of the plan is distinct from the plan itself (e.g., § 117.126(c) establishes the recordkeeping requirement for the food safety ‘‘plan,’’ and § 117.190 lists implementation records). As discussed in section XLIV.D, we have revised the requirements for considering supplier performance to provide that the receiving facility may, when applicable, consider relevant laws and regulations of a country whose food safety system FDA has officially recognized as comparable or has determined to be equivalent to that of the United States, and information relevant to the supplier’s compliance with those laws and regulations, rather than consider applicable FDA food safety regulations and information relevant to the supplier’s compliance with applicable FDA food safety regulations. We have made a conforming change to the requirements for an onsite audit to clarify that an onsite audit may consider relevant laws and regulations of a country whose food safety system FDA has officially recognized as comparable or has determined to be equivalent to that of the United States.
(Comment 699) Some comments express concern about the multiple audits that facilities are subject to each year and ask us to encourage those subject to the rule to accept an audit performed by any of the ‘‘bona fide authorities’’ where it is warranted. Other comments note that food manufacturers conduct their own audits and have developed extensive expertise in doing so, and oppose any supplier verification requirement that would affect those audits. Other comments ask us to allow audits such as GFSI benchmark schemes to satisfy supplier verification requirements to avoid adding a new audit to audits currently being conducted. Some comments express concern that requiring a new audit in addition to audits already being conducted could lead to auditor shortages and unnecessary additional costs.
(Response 699) We expect that a facility will adopt an approach to audits that works best for the facility and minimizes the number of audits conducted for the same facility. An employee of a receiving facility may perform an audit, provided that the employee satisfies the criteria established in the rule for qualified auditors. Under § 117.3 and § 117.180, a qualified auditor is a   qualified individual (as defined in § 117.3) and has technical expertise obtained through education, training or experience (or a combination thereof) necessary to perform the auditing function. See Response 700, in which we discuss auditor qualifications with respect to the GFSI’s auditor competency model, noting that the provisions for auditor competency for GFSI are consistent with our definition of a qualified auditor. GFSI schemes that consider FDA food safety regulations and include a review of the supplier’s written HACCP plan (or other food safety plan), if any, and its implementation, with respect to the hazard being controlled are likely to satisfy the requirements for an onsite audit. We expect that audits being conducted for other purposes will also be used to satisfy supplier verification audit requirements and such audits will be adjusted as needed to conform to the requirements of this rule.
(Comment 700) Some comments assert that GFSI-benchmarked audits and other similarly accredited audits should be considered equivalent to onsite audits.
(Response 700) See our description of GFSI in Response 496. The GFSI guidance document requires audit scheme owners to have a clearly defined and documented audit frequency program, which must ensure a minimum audit frequency of one audit per year of an organization’s facility (Ref. 83), and a GFSI-compliant food safety scheme must include procedures for conducting internal audits (Ref. 95). To be used to satisfy the requirements of this rule, a GFSI-benchmarked audit, as with any audit, must address all requirements of this rule, including the requirement to consider applicable FDA food safety regulations and include a review of the supplier’s written plan (e.g., HACCP plan or other food safety plan), if any. As discussed in our memorandum on supplier programs (Ref. 83), the GFSI guidance document also specifies that the person who performs the audit needs to be qualified to do so. As described in ‘‘GFSI Food Safety Auditor Competencies,’’ the GFSI’s auditor competency model lists three main components for auditor competencies: (1) Auditing skills and knowledge; (2) technical skills and knowledge; and (3) behavior and systems thinking (Ref. 96). Within each main component, GFSI provides details of specific tasks and the required auditor knowledge and skills to perform the specific tasks (Ref. 96). The provisions for auditor competency are consistent with our definition of a qualified auditor.

Summary of the U.S FDA position under FSMA:
GFSI covers some aspects that are recognized and may be acceptable under FSMA. You may follow GFSI or any schemes that you wish but be sure that all FSMA rules and requirements are met.
The Canadian CFIA takes a similar stance as is reflected in the FDA-FSMA comments. For example, CFIA says it has enough confidence to “consider” GFSI certification but it has ". . . no requirement by virtue of this policy for a regulated party to become certified to any private certification scheme nor does this negate regulatory oversight." You may read the full post  discusing the CFIA Policy.
Posted by Felix Amiri
___________________________________________________________
Felix Amiri is currently the chair of GCSE-Food & Health Protection