Clause 3 - Food safety and quality management system - Global Standard Food Safety, Issue 9 Audit

Title Page

Site conducted
The company’s processes and procedures to meet the requirements of this Standard shall be documented to allow effective, consistent application, facilitate training, and support due diligence in the production of a safe product.
Conducted on
Prepared by
Location

3.1 Food safety and quality manual

SOI - The company’s processes and procedures to meet the requirements of this Standard shall be documented to allow effective, consistent application, facilitate training, and support due diligence in the production of a safe product.
3.1.1 The site’s procedures, working methods and practices shall be collated in the form of a printed or electronic quality manual.
3.1.2 The food safety and quality manual shall be fully implemented and the manual or relevant components shall be readily available to relevant staff.
3.1.3 All procedures and work instructions shall be clearly legible, unambiguous, in appropriate languages and sufficiently detailed to enable their correct application by appropriate staff. This should include the use of photographs, diagrams or other pictorial instructions where written communication alone is not sufficient (e.g. there are issues of literacy or foreign language).

3.2 Document control

SOI The company shall operate an effective document control system to ensure that only the correct versions of documents, including recording forms, are available and in use.
The company shall have a procedure to manage documents which form part of the food safety and quality system. This shall include:
• a list of all controlled documents indicating the latest version number
• the method for the identification and authorisation of controlled documents
• a record of the reason for any changes or amendments to documents
• the system for the replacement of existing documents when these are updated.
Where documents are stored in electronic form these shall also be:
• stored securely (e.g. with authorised access, control of amendments, or password protection)
• backed up to prevent loss.

3.3 Record completion and maintenance

SOI The site shall maintain genuine records to demonstrate the effective control of product safety, legality and quality.

3.3.1 Record Maintenance

Records shall be legible, maintained in good condition and retrievable. Any alterations to records shall be authorised and justification for the alteration shall be recorded.
Where records are in electronic form these shall also be:
• stored securely (e.g. with authorised access, control of amendments, or password protection)
• suitably backed up to prevent loss.

3.3.2 Record Retention

Records shall be retained for a defined period with consideration given to:
• any legal or customer requirements
• the shelf life of the product.
This shall take into account, where it is specified on the label, the possibility that shelf life may be extended by the consumer (e.g. by freezing).
At a minimum, records shall be retained for the shelf life of the product plus 12 months.

3.4 Internal audits

Fundamental SOI The company shall be able to demonstrate that it verifies the effective application of the food safety plan, and the implementation of the requirements of the Global Standard Food Safety and the site’s food safety and quality management system.

3.4.1

There shall be a scheduled programme of internal audits.
At a minimum, the programme shall include at least four different audit dates spread throughout the year. The frequency at which each activity is audited shall be established in relation to the risks associated with the activity and previous audit performance. All activities that form a part of the site’s food safety and quality systems, including those relevant to food safety, authenticity, legality and quality, shall be covered at least once each year.
The scope of the internal audit programme shall include, although this is not an exhaustive list:
• HACCP or food safety plan, including the activities to implement it (e.g. supplier approval, corrective actions and verification)
• prerequisite programmes (e.g. hygiene, pest management)
• food defence and food fraud prevention plans
• procedures implemented to achieve the Standard.
Each internal audit within the programme shall have a defined scope and consider a specific activity or a section of the HACCP or food safety plan.

3.4.2 Auditors

Internal audits shall be carried out by appropriately trained, competent auditors. Auditors shall be independent (i.e. not audit their own work).

3.4.3 on-conformances from Internal Audits

The internal audit programme shall be fully implemented. Internal audit reports shall identify conformity as well as non-conformity and include objective evidence of the findings.
The results shall be reported to the personnel responsible for the activity audited.
Corrective and preventive actions, and timescales for their implementation, shall be agreed and their completion verified. All non-conformities shall be handled as detailed in section 3.7. A summary of the results shall be reviewed in the management review meetings (see clause 1.1.4).

3.4.4 Documented Inspections

In addition to the internal audit programme, there shall be a separate programme of documented inspections to ensure that the factory environment and processing equipment are maintained in a suitable condition for food production.
At a minimum, these inspections shall include:
• hygiene inspections to assess cleaning and housekeeping performance
• fabrication inspections (e.g. doors, walls, facilities and equipment) to identify risks to the product from the building or equipment.
The frequency of these inspections shall be based on risk and on any changes that may affect food safety, but shall be no less than once per month in open product areas.
The results shall be reported to the personnel responsible for the activity or area audited.
Corrective actions, and timescales for their implementation, shall be agreed and their completion verified.
A summary of the results shall be reviewed in the management review meetings (see clause 1.1.4).

3.5 Supplier and raw material approval and performance monitoring

3.5.1 Management of suppliers of raw materials and packaging

Fundamental SOI The company shall have an effective supplier approval and monitoring system to ensure that any potential risks from raw materials (including primary packaging) to the safety, authenticity, legality and quality of the final product are understood and managed.

3.5.1.1

The company shall undertake a documented risk assessment of each raw material or group of raw materials, including primary packaging, to identify potential risks to product safety, authenticity, legality and quality.
This shall take into account the potential for:
• allergens (allergen content and potential contamination)
• foreign-body risks
• microbiological contamination
• chemical contamination
• variety or species cross-contamination
• substitution or fraud (see clause 5.4.2)
• any risks associated with raw materials which are subject to legislative control or customer requirements.
Consideration shall also be given to the significance of a raw material to the quality of the final product.
The risk assessment shall form the basis for the raw material acceptance and testing procedure and for the processes adopted for supplier approval and monitoring.
The risk assessment for a raw material shall be updated:
• when there is a change in a raw material, the processing of a raw material, or the supplier of a raw material
• if a new risk emerges
• following a product recall or withdrawal, where a specific raw material has been implicated
• at least every 3 years.

3.5.1.2 Documented SUpplier approval

The company shall have a documented supplier approval procedure to ensure that all suppliers of raw materials, including primary packaging, effectively manage risks to raw material quality and safety and are operating effective traceability processes.
The approval procedure shall be based on risk and include either one or a combination of:
• a valid certification to the applicable BRCGS Standard or GFSI-benchmarked standard. The scope of the certification shall include the raw materials purchased
or
• supplier audits, with a scope to include product safety, traceability, HACCP review, the product security and food defence plan, the product authenticity plan and good manufacturing practices. The audit shall ensure that these plans form part of the supplier’s product safety management system and that any resultant actions are implemented. The supplier audit shall be undertaken by an experienced and demonstrably competent product safety auditor. Where the supplier audit is completed by a second or third party, the company shall be able to:
• demonstrate the competency of the auditor
• confirm that the scope of the audit includes product safety, product security and food defence plan, product authenticity, traceability, HACCP review and good manufacturing practices
• obtain and review a copy of the full audit report
or
where a valid risk-based justification is provided and the supplier is assessed as low risk only, a completed supplier questionnaire may be used for initial approval. At a minimum, the questionnaire shall have a scope that includes product safety, product security and food defence, product authenticity, traceability, HACCP review and good manufacturing practices. The questionnaire shall have been reviewed and verified by a demonstrably competent person.

3.5.1.3

There shall be a documented process for ongoing supplier performance review, based on risk and defined performance criteria. The process shall be fully implemented.
Where approval is based on questionnaires, these shall be reissued at least every 3 years and suppliers shall be required to notify the site of any significant changes in the interim, including any change in certification status.
Records of the review shall be kept.

3.5.1.4

The site shall have an up-to-date list or database of approved suppliers. This may be on paper (hard copy) or it may be controlled on an electronic system.
The list or relevant components of the database shall be readily available to the relevant staff (e.g. at goods receipt).

3.5.1.5

Where raw materials (including primary packaging) are purchased from companies that are not the manufacturer, packer or consolidator (e.g. purchased from an agent, broker or wholesaler), the site shall know the identity of the last manufacturer or packer, or for bulk commodity products the consolidation place of the raw material.
Information to enable the approval of the manufacturer, packer or consolidator, as in clauses 3.5.1.1 and 3.5.1.2, shall be obtained from the agent/broker or directly from the supplier, unless the agent/broker is themselves certificated to a BRCGS Standard (e.g. Global Standard Agents and Brokers) or a standard benchmarked by GFSI.

3.5.1.6

The company shall ensure that its suppliers of raw materials (including primary packaging) have an effective traceability system. Where a supplier has been approved based on a questionnaire instead of certification or audit, verification of the supplier’s traceability system shall be carried out on first approval and then at least every 3 years. This may be achieved by a traceability test.
Where the supplier is not the manufacturer, packer or consolidator of the raw material (e.g. purchased from an agent, broker or wholesaler) and approval is based on a questionnaire instead of certification or audit, the verification of the traceability system shall be carried out on the last manufacturer, packer or consolidator of the raw material.
Where a raw material is received directly from a farm or fish farm, further verification of the farm’s traceability system is not mandatory.

3.5.1.7 The procedures shall define the actions required in either of the following circumstances:

• an exception to the supplier approval processes in clause 3.5.1.2 occurs (e.g. where raw material suppliers are prescribed by a customer)
• information for effective supplier approval is not available (e.g. bulk agricultural commodity products).
In both the above situations, product testing is used to verify product quality and safety.
When a site produces customer-branded product, the customer shall be made aware of the relevant exceptions.

3.5.2 Raw material and packaging acceptance, monitoring and management procedures

SOI Controls on the acceptance of raw materials (including primary packaging) shall ensure that these do not compromise the safety, legality or quality of products and, where appropriate, any claims of authenticity.

3.5.2.1

The company shall have a procedure for the acceptance of raw materials and primary packaging on receipt based upon the risk assessment (clause 3.5.1.1). Acceptance of raw materials (including primary packaging) and their release for use shall be based on either one or a combination of:
• product sampling and testing
• visual inspection on receipt
• certificates of analysis (specific to the consignment)
• certificates of conformance.
A list of raw materials (including primary packaging) and the requirements to be met for acceptance shall be available. The parameters for acceptance and frequency of testing shall be clearly defined, implemented and reviewed.

3.5.2.2

Procedures shall be in place to ensure that approved changes to raw materials (including primary packaging) are communicated to goods receipt personnel and that only the correct version of the raw material is accepted. For example, when labels or printed packaging have been amended, only the correct version should be accepted and released into production.

3.5.3 Management of suppliers of services

SOI The company shall be able to demonstrate that where services are outsourced, the service is appropriate and any risks presented to food safety, authenticity, legality and quality have been evaluated to ensure effective controls are in place.

3.5.3.1 There shall be a procedure for the approval and monitoring of suppliers of services. Such services shall include, as appropriate:

• pest control
• laundry services
• contracted cleaning
• contracted servicing and maintenance of equipment
• transport and distribution
• off-site storage of ingredients or packaging (other than at the supplier’s facilities) prior to delivery to the site
• off-site packing of products
• laboratory testing
• catering services
• waste management
• providers of product safety training
• product safety consultants.
This approval and monitoring process shall be risk-based and take into consideration:
• risk to the safety and quality of products
• compliance with any specific legal requirements
• potential risks to the security of the product (i.e. risks identified in the vulnerability and food defence assessments).

3.5.3.2

Contracts or formal agreements shall exist with the suppliers of services that clearly define service expectations and ensure that the potential food safety risks associated with the service have been addressed.

3.5.3.3

There shall be a documented process for ongoing performance review of suppliers of services, based on risk and defined performance criteria. The process shall be fully implemented.
Records of the review shall be kept.

3.5.4 Management of outsourced processing

Explaining outsourced processing Outsourced processing (also referred to as ‘subcontracted processing’) is defined as where intermediate production, processing, storage or any intermediate step in the manufacture of a product is completed at another company or another site.
It should be noted that outsourced processing refers to an intermediate step – therefore during outsourced processing the product or partly processed product leaves the site being audited for the completion of the outsourced processing, before returning to the site. The audited site may or may not complete additional packing or processing steps on the product.
Where there is additional storage or processing of raw materials prior to their initial arrival on site, this is not considered outsourced processing, but should be managed by the site using supplier approval, raw material risk assessments and raw material specifications.
Where a product leaves the site and does not return to it, this is not outsourced processing, and the activities completed off site are outside the scope of the audit.
SOI Where any intermediate process step (including production, processing or storage) in the manufacture of a product is outsourced to a third party or undertaken at another site, and subsequently returned to the site, this shall be managed to ensure it does not compromise the product safety, authenticity, legality or quality.

3.5.4.1

The company shall be able to demonstrate that, where part of the production process (i.e. any intermediate process step) is outsourced or undertaken off site, and subsequently returned to the site, this has been declared to the customer and, where required, approval granted.

3.5.4.2

The company shall ensure that outsourced processors are approved and monitored, to ensure that they effectively manage risks to product safety and quality and are operating effective traceability processes.
The approval and monitoring procedure shall be based on risk and include either one or a combination of:
• a valid certification to the applicable BRCGS Standard or GFSI-benchmarked standard. The scope of the certification shall include the activities completed for the site
or
• supplier audits, with a scope to include product safety, traceability, HACCP review, product security and food defence plan, product authenticity plan and good manufacturing practices. The audit shall ensure that these plans form part of the supplier’s product safety management system and that any resultant actions are implemented. The supplier audit shall be undertaken by an experienced and demonstrably competent product safety auditor. Where this supplier audit is completed by a second or third party, the company shall be able to:
• demonstrate the competency of the auditor
• confirm that the scope of the audit includes product safety, traceability, HACCP review, product security and food defence plan, product authenticity plan and good manufacturing practices
• obtain and review a copy of the full audit report.
There shall be a documented process for ongoing supplier performance review, based on risk and defined performance criteria. The process shall be fully implemented. Records of the review shall be kept.

3.5.4.3

Where any processes are outsourced, including production, manufacture, processing or storage, the risks to the product safety, authenticity and legality shall form part of the site’s food safety plan (HACCP plan).

3.5.4.4

Requirements for outsourced processing shall be agreed and documented in a service specification (similar to a finished product specification). This shall include any specific handling requirements for the products.

3.5.4.5

Any outsourced processing operations shall:
• be undertaken in accordance with established contracts which clearly define any processing requirements
• maintain product traceability.

3.5.4.6

The company shall establish inspection and test procedures for products where part of the processing has been outsourced, including visual, chemical and/or microbiological testing.
The frequency and methods of inspection or testing shall depend on risk assessment.

3.6 Specifications

SOI Specifications shall exist for raw materials (including primary packaging), finished products and any product or service which could affect the integrity of the finished product.

3.6.1

Specifications for raw materials and primary packaging shall be adequate and accurate and ensure compliance with relevant safety and legislative requirements. The specifications shall include defined limits for relevant attributes of the material which may affect the quality or safety of the final products (e.g. chemical, microbiological, physical or allergen standards).

3.6.2

Accurate, up-to-date specifications shall be available for all finished products. These may be in the form of a printed or electronic document, or part of an online specification system.
They shall include key data to meet customer and legal requirements and assist the user in the safe usage of the product.

3.6.3

Where the company is manufacturing customer-branded products, it shall seek formal agreement of the finished product specifications. Where specifications are not formally agreed, the company shall be able to demonstrate that it has taken steps to ensure formal agreement is in place.

3.6.4

Specification review shall be sufficiently frequent to ensure that data is current or at a minimum every 3 years, taking into account product changes, suppliers, regulations and other risks.
Reviews and changes shall be documented.

3.7 Corrective and preventive actions

Fundamental SOI The site shall be able to demonstrate that it uses the information from identified issues in the food safety and quality management system (e.g. non-conforming products, internal audits, complaints, product recalls, product testing, second- and third-party audits and online reviews) to complete necessary corrective actions and prevent recurrence.

3.7.1

The site shall have a procedure for handling and correcting issues identified in the food safety and quality management system.
The site procedures shall include the completion of root cause analysis and implementation of preventive action.

3.7.2

Where a non-conformity places the safety, authenticity or legality of a product at risk, or where there is an adverse trend in quality, this shall be investigated and recorded including:
• clear documentation of the non-conformity
• assessment of consequences by a suitably competent and authorised person
• the corrective action to address the immediate issue
• completion of root cause analysis to identify the fundamental cause (root cause) of the non-conformity
• appropriate timescales for corrective and preventive actions
• the person(s) responsible for corrective and preventive actions
• verification that the corrective and preventive actions have been implemented and are effective.
Root cause analysis shall also be used to prevent recurrence of non-conformities, and to implement ongoing improvements when analysis of non-conformities for trends shows there has been a significant increase in a type of non-conformity.

3.8 Control of non-conforming product

SOI The site shall ensure that any out-of-specification product is effectively managed to prevent unauthorised release.

3.8.1 There shall be procedures for managing non-conforming products. These procedures shall include:

• the requirement for staff to identify and report a potentially non-conforming product
• clear identification of a non-conforming product (e.g. direct labelling or the use of IT systems)
• secure storage to prevent accidental release (e.g. physical or computer-based isolation)
• management of any product returned to the site
• referral to the brand owner where required
• defined responsibilities for decision-making on the use or disposal of products appropriate to the issue (e.g. destruction, reworking, downgrading to an alternative label or acceptance by concession)
• records of the decision on the use or disposal of the product
• records of destruction where a product is destroyed for food safety reasons.

3.9 Traceability

Fundamental SOI The site shall be able to trace all raw material product lots (including primary packaging) from its suppliers through all stages of processing and dispatch to its customers and vice versa.

3.9.1

The site shall have a documented traceability procedure designed to maintain traceability throughout the site’s processes. At a minimum this shall include:
• how the traceability system works
• the labelling and records required.
Where applicable, the traceability system shall meet the legal requirements in the country of sale or intended use.

3.9.2

Identification of raw materials (including primary packaging), intermediate/semi-processed products, part-used materials, finished products and materials pending investigation shall be adequate to ensure traceability.

3.9.3

The site shall test the traceability system across the range of product groups to ensure traceability can be determined from the supplier of raw material (including primary packaging) to the finished product and vice versa. For food raw materials and finished products (i.e. including printed packaging and labels with food safety and legal information), the test of the traceability system shall include a quantity check/mass balance.
The traceability test shall include a summary of the documents that should be referenced during the test, and clearly show the links between them. The test shall occur at a predetermined frequency, at a minimum annually, and results shall be retained for inspection. Traceability should be achievable within 4 hours.

3.9.4

Where rework or any reworking operation is performed, traceability shall be maintained.

3.10 Complaint-handling

SOI Customer complaints shall be handled effectively and information used to reduce recurring complaint levels.

3.10.1

All complaints shall be recorded and investigated, and the results of the investigation of the issue recorded where sufficient information is provided. Actions appropriate to the seriousness and frequency of the problems identified shall be carried out promptly and effectively by appropriately trained staff.

3.10.2

Complaint data shall be analysed for significant trends. Where there has been a significant increase in a complaint, or a serious complaint, root cause analysis shall be used to implement ongoing improvements to product safety, legality and quality, and to avoid recurrence. This analysis shall be made available to relevant staff.

3.11 Management of incidents, product withdrawal and product recall

SOI The company shall have a plan and system in place to manage incidents effectively and enable the withdrawal and recall of products should this be required.

3.11.1

The company shall have procedures designed to report and effectively manage incidents and potential emergency situations that impact food safety, authenticity, legality or quality. This shall include consideration of contingency plans to maintain product safety, authenticity, legality and quality. Incidents may include:
• disruption to key services such as water, energy, transport, refrigeration processes, staff availability and communications
• events such as fire, flood or natural disaster
• malicious contamination or sabotage
• product contamination indicating a product may be unsafe or illegal
• failure of, or attacks against, digital cyber-security.
Where products which have been released from the site may be affected by an incident, consideration shall be given to the need to withdraw or recall products.

3.11.2

The company shall have a documented product withdrawal and recall procedure. This shall include, at a minimum:
• identification of key personnel constituting the recall management team, with clearly identified responsibilities
• guidelines for deciding whether a product needs to be recalled or withdrawn and the records to be maintained
• an up-to-date list of key contacts (including out-of-hours contact details) or reference to the location of such a list (e.g. recall management team, emergency services, suppliers, customers, certification body, regulatory authority)
• a communication plan including the provision of information to customers, consumers and regulatory authorities in a timely manner
• details of external agencies providing advice and support as necessary (e.g. specialist laboratories, regulatory authority and legal expertise)
• a plan to handle the logistics of product traceability, recovery or disposal of affected product, and stock reconciliation
• a plan to record timings of key activities
• a plan to conduct root cause analysis and to implement ongoing improvements, to avoid recurrence.
The procedure shall be capable of being operated at any time.

3.11.3

The incident management procedures (including those for product recall and withdrawal) shall be tested, at least annually, in a way that ensures their effective operation. Results of the test shall be retained and shall include timings of key activities. The results of the test and of any actual recall shall be used to review the procedure and implement improvements as necessary.

3.11.4

In the event of a significant food safety, authenticity or legality incident, including a product recall, regulatory food safety non-conformity (e.g. a regulatory enforcement notice) or food safety-related withdrawal, the certification body issuing the current certificate for the site against this Standard shall be notified within 3 working days.
The company shall then provide sufficient information to enable the certification body to assess any effects of the incident on the ongoing validity of the current certificate within 21 calendar days. As a minimum, this shall include corrective action, root cause analysis and a preventive action plan.

Sign Off

Name of auditor