Steve P -
Most FDA-regulated food companies have the flexibility to follow Codex; however there are a few (infant formula, juices) that must follow FDA regulations. All USDA FSIS-regulated food companies must have a HACCP plan meeting USDA FSIS regulations, which do not always seem to mesh cleanly with Codex. There are often regulatory requirements that might not be justified under a purely scientific Hazard Analysis. It is the Hazard Analysis that tends to present the most difficulty.
My FSIS-regulated plants have resolved this by setting up a matrix for each step in the HA. Each step is assigned values for Severity & Likelihood which are multiplied to determine Risk within each hazard class (phys, chem, bio). We then set value ranges that required no control (low), at least a prerequisite program for control (medium), and those with higher values that required a CCP. You can do anything along this line that makes sense and is defensible.
Since this analysis is not required by FSIS, we include it as supporting documentation, but do NOT include it in our HACCP plan's official Hazard Analysis. Also, BRC requires a signed & dated flow chart - again not a regulatory requirement. We keep duplicate FCs, the one in the official HACCP plan is not signed. We have made the decision that we will do the activities as required within the BRC clauses, but will not integrate them into our regulatory HACCP plan. The last thing I need is to be arguing with an FSIS official about something that was not required by them in the first place...All it does is increase the risk of regulatory noncompliance.