Figured I'd give everyone some feedback for auditing of version 8.0 based on our audit last week. We were audited under FSC 16: Ice, Drink, and Beverage Processing. We produce bottled water, water beverages, and cold brew coffee on site. We also produce many of our PET bottles, but do not sell them separately so we have not traditionally included Module 13 in our scope of certification (the blow molding is included in our process flow for bottled water). The CB was NSF International.
The auditor explained that they would visit sections of the quality code separately during the audit, and the quality code is graded on pass/fail, where if you fix any non-conformances you turn into a pass. We had 4 NC's, all related to on-the-floor findings (e.g. an exterior door was found unlocked), no NC's were issued due to documentation or policy issues.
Auditor impressions: Auditor with a long history of industry experience (as opposed to auditing) and did an excellent job of digging in when something didn't seem right, and keeping us moving when everything was pretty and ready. Focused really hard on programs and did a lot of plant interviews during time on the floor.
Food Safety Code for manufacturing Modules 2 and 11 Notes:
Though we have updated our food safety plan using FSMA terminology, it was CRITICAL to note which of our "preventive controls" were considered CCP's under the codex definition. We identify them separately as CCP's in both the plan and production paperwork in addition to using FDA's terminology, and this made our audit go smoothly. The auditor noted that it might have been an issue had we not identified them using Codex definitions in addition to "preventive controls".
Auditor focused hard on complaint management, incident reporting, finished good specifications, incoming material/vehicle inspection, and the food safety plan. There were no surprises here. After finding some loose bolts near a production line, our auditor went heavy into maintenance SOP's and policies, and inspected our maintenance shop, boneyard, and associated storage areas for signs of "doing what we say". No further problems were noted, however it would have helped us a lot if we had a better written "hand-off" between a maintenance activity and the necessary sanitation that follows.
Crisis management and Recall plan tests. Auditor liked that we had an actual “scenario” and went through our entire procedure. (we had an email chain of “investigation” and everything).
Validation was huge. We went into our scientific supporting documentation for all sanitation activities, preventive controls, CCP's, and equipment capability (e.g. an ultraviolet light needed to be rated for the water flowing through it). We passed with flying colors, and key to this was using an industry publication (I used Technology of Bottled Water for many validations of inspection activities type, time, and intervals and would highly recommend finding an industry text for anyone doing sensory to validate the methods against). The auditor noted that in 8.0 they're encouraged to really make sure all of our controls are backed scientifically, and if anyone says "manufacturers recommendations", you better have those recommendations in writing.
Food defense and food fraud: Our old plan was great and using FDA's vulnerability assessment tool did a great job assessing and "testing" the system. I incorporated food fraud as a hazard category in my food safety plan, and also conduced a separate vulnerability assessment for food fraud which laid out SQF's required categories and assessed our vulnerability to them across all product lines. No problems here.
No mock trace activity was required, and while NSF’s schedule indicated there would be one, our auditor noted that that was not an 8.0 requirement.
We had compressed air testing scheduled, but had verified using environmental sampling in the affected areas (e.g. bottles and caps blown/moved with air).
We had a Salmonella and Listeria environmental program in place and it was looked for.
Food Quality Code Notes:
I did a thorough food quality plan based on the same formatting as my food safety plan and "validated" the CQP's with the last two years of complaint history as well as recommendations from the text cited above. We reviewed monitoring in the same way that we reviewed CCP's.
The biggest part of the food quality code was an intensive review of management commitment and management review. He wanted to see that all of our verification activities for CQP's resulted in data and trends that were communicated and acted on by management regularly, and records of those actions. We do that by having:
1. A QA report of all of our verification activities for food safety and quality is distributed company-wide (from floor to CEO) monthly indicating trends in quality, complaints, sensory data, and product flaws.
2. That same report indicated actions that were taken in response to complaints or negative quality trends.
3. That same report communicated recent changes in equipment or processes.
4. We documented that management reviewed "quality benchmarks" (KPI's identified int he food quality plan) weekly via management review meetings. These didn’t have minutes but were scheduled on the calendar and included an updated data spreadsheet. Actions from these meetings were included in the monthly review.
Change management was huge, and we documented this by having a “change management” form which justified major changes in equipment, processes, or new products. This had signatures from QA, operations, and maintenance and included justifications, needed updates to PRP’s and plans, and evaluated the change’s potential impact on both food safety and quality (adherence to specification).
Whether we used Statistical Process Control (SPC) came up, and this was a quality code requirement I was worried about since we did not have any checkweighers or other automated data collection in order to do this. I demonstrated the trending and standard deviation analysis we had previously done on coffee extraction and ozone measurements in order to drive improvements and this was satisfactory. Make sure you do some kind of statistical analysis of your quality metrics.
These were my major takeaways, if you have any questions about how a particular part of the code was audited, ask and I’ll do my best to answer!