High Hygiene Category BRC Internal Audit (Section 3) - Version 6

3.1 Product safety and quality management system.<br>The site's processes and procedures to meet the requirements of this standard shall be documented to allow consistent application, facilitate training, and support due diligence in the production of a safe and legal product.

3.1.1 The site's documented policies, procedures, working methods and practices shall be collated in a navigable and readily accessible system, with consideration being given to translation into appropriate languages. <br> Where the site is part of a company governed by a head office, the interaction between the site's system and that of other sites and the head office should be documented. <br>All policies and procedures necessary for the operation of the site being assessed must be available at the site.

3.1.2 The system shall be fully implemented, reviewed at appropriate planned intervals, and improved where necessary

3.2 Documentation control<br>An effective document control system shall ensure that only the correct versions of documents, including recording forms, are available and in use.

3.2.1 The company shall have a documented procedure to manage documents which form part of the product safety and quality management system. <br>This shall include:<br>1) A list of controlled documents indicating the latest version number<br>2) The method for the identification and authorization of controlled documents<br>3) A record for the reason for any changes or amendments to documents<br>4) The system for the replacement of existing documents when these are updated

3.2.2 Where documents and records are in electronic form these shall be: <br> stored securely (e.g with authorized access, control of amendments, or <br> password-protected) <br> backed up to prevent loss or malicious intervention

3.3 Record Keeping<br>The site shall maintain genuine records to demonstrate the effective control of product safety, legality, and quality

3.3.1 Records shall be legible, appropriately authorized, retained in good condition, and retrievable.

3.3.2 Any alteration to records shall be authorized and justification for the alteration shall be recorded

3.3.3 The company's senior management shall ensure that documented procedures are established and implemented for the organization, review, maintenance, storage and retrieval of all records relating to product safety, legality, regulatory compliance, and quality.

3.3.4 The site shall document its period of retention for records shall relate to the usable life of the packaging and products it is designed to contain and shall respect any customer requirements.

3.4 Specifications<br>Appropriate specifications shall exist for raw materials, intermediate and finished products, and for any product or service which could affect the safety, quality or legality of the finished product and customer requirements.

3.4.1 Specifications shall be suitably detailed, accurate and compliant with relevant product safety and legislative requirements. They may be in the form of a printed or electronic document, or part of an online specification system.

3.4.2 The company shall seek formal agreement of specifications with relevant parties where required by the customer. Where specifications are not formally agreed than the company shall be able to demonstrate that they have taken steps to put an agreement in place.

3.4.3 Where packaging for food or other hygiene-sensitive products is produced, a statement of compliance shall be maintained which enables users of the packaging to ensure compatibility between the packaging and the product with which it may be in contact. <br>The statement of compliance shall be compiled and authorized by a suitably competent person. It shall contain as a minimum:: <br>1) The nature of the materials used in the manufacture of the packaging<br>2) Confirmation that the packaging materials meet relevant legal requirements<br>3) Details of any post-consumer recycled materials<br> The statement shall identify: 1)its date of issue and where appropriate its expiry date 2) any limitations of use of the product 3) the usable life of the packaging(where relevant) <br>The site shall review the statement of compliance at a risk-based frequency

3.4.4 The presence of manufacturer's trademarks or logo on packaging materials shall, where appropriate, be formally agreed between relevant parties.

3.4.5 A specification review process shall be operated where product characteristics change or at an appropriate predetermined interval. Reviews and changes shall be documented and communicated to the customer, where required. Any changes to existing agreements or contracts shall be agreed, documented and communicated to appropriate departments.

3.5 Internal audits<br>The company shall be able to demonstrate it verifies the effective application of the requirements of the Standard and any applicable module through internal audits.

3.5.1 There shall be a scheduled program of internal audits. The frequency at which activity is audited shall be established in relation to the risks associated with the activity and previous performance. All processes shall be audited at least annually<br>The internal audit program shall be fully implemented and effective.

3.5.2 As a minimum, the scope of the internal audit program shall include the: <br>1) HARA or product safety and quality plan, including the activities to implement it(e.g. supplier approval, corrective actions and verification) <br>2) prerequisite programs(e.g. hygiene, pest control) 3) product defense and product fraud prevention plans 4) procedures implemented to achieve the standards and modules. Each internal audit within the program shall have a defined scope and consider a specific activity or section of the HARA or product safety plan.

3.5.3 Internal audits shall be carried out by appropriately trained, competent auditors. Auditors shall be sufficiently independent from the process being audited to ensure impartiality ( i.e. they must not audit they own work)

3.5.4 Internal audit reports shall identify conformity as well as non-conformity.<br>Results hall be notified to the personnel responsible for the process/activity audited. Root cause analysis shall be used to determine appropriate corrective actions and a designated manager shall be responsible for the implementation.

3.5.5 For sites manufacturing materials intended to be in contact with food or other hygiene sensitive products, in addition to the internal audit program, there shall be a separate program of documented inspections to ensure that the factory environment and processing equipment are maintained in a suitable condition. At a minimum, these inspections shall include: 1) Hygiene inspections to assess cleaning and housekeeping performance. 2)Inspections to identify any risks to the product from the building or equipment. The frequency of these inspections shall be based on risk.

3.6 Corrective and preventive action The site shall be able to demonstrate that it uses the information from failures in its systems and processes to take any necessary corrective and preventive actions.

3.6.1 The site shall have a documented supplier approval procedure and continual assessment program in place, based upon risk analysis. These shall apply to suppliers of:<br>1) Materials<br>2) Subcontracted processes.<br>To the site and ensure that materials and services procured conform to defined requirements, where there is a potential impact to product safety, quality, legality.

3.6.2 The site shall evaluate the effectiveness of root cause analyses, and of any corrective and preventive actions

3.7 SUPPLIER APPROVAL AND PERFORMANCE MONITORING The company shall operate effective procedures for the approval and monitoring of its suppliers.

3.7.1 The site shall have a documented supplier approval procedure and continual assessment program in place, based upon risk analysis and defined performance criteria. These shall apply to the suppliers of: 1) materials <br>2)outsourced (subcontracted) production. <br> The procedure shall ensure that the materials and services procured conform to defined requirements where there is a potential impact to product safety, quality or legality

3.7.2 The approval procedure shall be based on risk and include either one or a combination of: 1) a valid certification to the applicable Globe Standard or GFSI-benchmarked standard. The scope of the certification shall include the raw materials purchased, and the site shall validate any BRCGS certificates using the BRCGS Directory, 2) supplier audits, with a scope to include product safety, traceability, HARA review and good manufacturing practices, undertaken by an experienced and demonstrably competent product safety auditor. Where the supplier audit is completed by a second or third party, the company shall be able to: 1) demonstrate the competency of the auditor 2) confirm that the scope of the audit includes product safety, traceability, HARA review and good manufacturing practices. 3) obtain and review a copy of the full audit report. OR 1) Where a valid risk-based justification is provided, a satisfactorily completed supplier questionnaire may be sued for initial approval. The questionnaire shall have a scope that includes product safety, tracebility, HARA review and good manufacturing practices, and it shall have been reviewed and verified by a demonstrably competent person.

3.7.3 There shall be a documented process for ongoing supplier performance review, based on risk and defined performance criteria. The process shall be fully implemented.<br> <br>Where approval is based on questionnaires, these shall be reissued at agreed intervals based on risk, and suppliers shall be required to notify the site of any significant changes in the interim, including any change in certification status. <br> Records of ongoing supplier assessment and any necessary actions shall be maintained and reviewed.<br>

3.7.4 The site shall have an up-to-date list or database of approved suppliers. This may be on paper (hard copy) or it may be controlled on an electronic system.<br> The list or relevant components of the database shall be readily available to the relevant staff.<br>

3.7.5 The company shall ensure that its suppliers of raw materials have an effective traceability system. Where a supplier has been approved based on a questionnaire instead of certification or audit, verification of the supplier’s traceability system shall be carried out on first approval and then at least every 3 years. This may be achieved by a traceability test.

3.7.6 <br>Where raw materials are purchased from companies that are not the manufacturer or packer (e.g. purchased from an agent, broker or wholesaler), the site shall know the identity of the last manufacturer or packer.<br> <br>Information to enable the approval of the manufacturer or packer shall be obtained from the agent/broker or directly from the supplier, unless the agent/broker is certificated to the relevant Global Standard (e.g. Global Standard for Agents and Brokers) or a relevant standard benchmarked by GFSI.<br>

3.8 <br> Product authenticity, claims and chain of custody<br><br>Systems shall be in place to minimize the risk of purchasing fraudulent raw materials for packaging and to ensure that all product descriptions and claims are legal, accurate and verified.<br>

3.8.1 The company shall have processes in place to access information on historical and developing threats to the supply chain which may present a risk of substitution of raw materials (i.e. fraudulent raw materials). Such information may, for example, come from:<br>• trade associations<br>• government sources<br>• private resource centers.<br>

3.8.2 <br>A documented vulnerability assessment shall be carried out on all raw materials or groups of raw materials to assess the potential risk of substitution. This shall take into account:<br>• historical evidence of substitution<br>• economic factors which may make substitution more attractive<br>• ease of access to raw materials through the supply chain<br>• sophistication of routine and upstream testing to identify substitution<br>• nature of the raw material.<br>The output from this assessment shall be a documented vulnerability assessment plan.<br>This plan shall be kept under review to reflect changing economic circumstances and market intelligence which may alter the potential risks. It shall be formally reviewed annually.<br>

3.9 Management of subcontracted activities and outsourced processes <br> <br>Where any process steps in the manufacture of the packaging material are outsourced to a third party, or the process is wholly subcontracted to another site, this shall be managed to ensure it does not compromise the quality, safety or legality of the product.<br>

3.9.1 The company shall be able to demonstrate that, where any part of the production is outsourced and undertaken off-site, this has been declared to the customer or brand owner and, where required, approval has been granted

3.9.2 <br>Where any processes are subcontracted or outsourced, including artwork or pre-press activity, the risks to the quality and safety of the product shall form part of the hazard and risk analysis and the company’s evaluation of the system shall be held on record.

3.9.3 <br>Clear specifications shall be agreed for all work outsourced or subcontracted

3.9.4 <br>Where any process steps in the manufacture of the packaging materials are subcontracted or outsourced, final release of the product shall remain the responsibility of the site.<br> <br>Controls shall be in place for checks on finished work to ensure product safety and quality meets specification prior to dispatch to the final customer.<br>

3.9.5 <br>The company shall ensure that any subcontracted or outsourced processors have an effective traceability system. Where a supplier has been approved based on a questionnaire instead of certification or audit, verification of the supplier’s traceability system shall be carried out on first approval and then at least once every 3 years. This may be achieved by a traceability test.

3.10 Management of suppliers of services <br> <br>The company shall be able to demonstrate that, where services are outsourced, any risks presented to product safety, quality or legality have been evaluated to ensure effective controls are in place.

3.10.1 <br>There shall be a documented procedure for the approval and monitoring of suppliers of services. Such services shall include, but are not limited to:<br>• pest control<br>• laundry services<br>• transport and distribution<br>• storage and dispatch<br>• sorting or rework<br>• laboratory services<br>• calibration services<br>• waste management<br>• product safety and quality consultants to the site.<br> <br>Providers of utilities such as water, electricity or gas may be excluded on the basis of risk. This approval and monitoring process shall be risk-based and take into consideration:<br>• risk to the safety and quality of products<br>• compliance with any specific legal requirements<br>• potential risks to the security of the product (i.e. risks identified in the <br> vulnerability and product defense assessments).<br> <br>

3.10.2 <br>Contracts or formal agreements shall exist with the suppliers of services which clearly define service expectations and ensure potential risks associated with the service have been addressed.

3.11 Traceability <br>The site shall be able to trace and follow all raw materials through processing (including subcontracted processes) to the distribution of the finished product (packaging material) to the customer and vice versa.<br>

3.11.1 The site shall have a documented traceability procedure and system that can trace and follow all raw materials from the supplier through all stages of processing (including subcontracted processes) and distribution of the finished product, and vice versa.<br> <br>Where continuous processes are used, or raw materials are in bulk silos, traceability shall be achieved to the best practical level of accuracy.<br>

3.11.2 <br>Identification of raw materials, intermediate products, finished products, non-conforming products and quarantined goods shall be adequate to ensure traceability

3.11.3 <br>For traceability, an appropriate system shall be in place to ensure that the customer can identify a product or production lot number for the product.<br> <br>Where coding is applied, this shall be checked for legibility and accuracy against production records.<br>

3.11.4 The traceability procedure and system shall be tested at a predetermined frequency, at least annually, and the results shall be retained and easily retrieved for inspection.<br> Traceability of all materials shall be achievable in a timely manner.<br>

3.11.5 <br>Where rework or any reworking operation is performed or outsourced or subcontracted activities are carried out, traceability shall be maintained.

3.11.6 <br>Traceability of test data and samples to production lots shall be maintained.

3.12 Complaint-handling Customer complaints relating to product hygiene, safety or quality shall be handled effectively and the information used to reduce complaint levels.

3.12.1 All complaints shall be recorded and investigated (including root cause analysis) and the results of the investigation documented.<br> <br>Actions appropriate to the seriousness and frequency of the problems identified shall be carried out promptly and effectively by appropriately trained staff.<br>

3.12.2 <br>Complaint data shall be analysed to identify significant trends. Where there has been an increase or repetition of a complaint type, root cause analysis shall be used to implement ongoing improvements to product safety, legality and quality, and to avoid recurrence.<br>This analysis shall be made available to relevant staff.<br>

3.13 Management of product withdrawals, incidents and product recalls The site shall have a documented procedure and systems in place to effectively manage any product withdrawals, returns from customers, incidents or product recalls in order to ensure that all potential risks to the hygiene, quality, safety or legality of products and the final consumer are controlled.

3.13.1 A product withdrawal procedure shall be documented and include as a minimum:<br> • identification of the key personnel involved in assessing potential product <br> withdrawals or returns, with their responsibilities clearly defined<br>• a communications plan including methods of informing customers<br>• root cause analysis and corrective action to implement appropriate <br> improvements as required.<br>

3.13.2 The withdrawal procedure shall be capable of being operated at any time and will take into account notification to the supply chain, stock return, logistics for recovery, storage of recovered product, and disposal.

3.13.3 The company shall provide written guidance and training for relevant staff regarding the type of event that would constitute an incident.<br>Incidents may include:<br>• disruption to normal production processes<br>• disruption to key services such as water, energy, transport, refrigeration <br> processes, staff availability and communications<br>• events such as fire, flood or natural disaster<br>• malicious contamination or sabotage<br>• failure of, or attacks against, digital cyber-security.<br>Where products which have been released from the site could be affected by an incident, the need to withdraw products and, where appropriate, advise customers to withdraw and/or recall products shall be considered.<br>A documented incident reporting procedure shall be in place.<br>

3.13.4 The company shall determine and document the activity required to effectively manage an incident to prevent release of product where hygiene, safety or quality may have been affected.

3.13.5 A procedure to manage product recalls initiated by the brand owner or specifier shall be documented and include as a minimum: <br> <br>• identification of the key personnel involved in assessing potential recalls, <br> together with clearly defined responsibilities<br>• a communications plan that includes methods of informing customers and <br> (where necessary) regulatory bodies in a timely manner<br>

3.13.6 <br>Where a site’s products are involved in a product recall, the site shall assist with provision of information (such as traceability) as required.

3.13.7 <br>The product withdrawal procedure shall be tested, at least annually, in a way that ensures its effective operation. Results of the test shall be retained and shall include timings of key activities.<br> <br>The results of the test, and of any actual withdrawals, shall be used to review the procedure and implement improvements as necessary.<br>