Introduction
Managing your certificates is an important activity. Because of that we have this specific section in our handbook with all the certificate details. We aim to have the following information always up to date and accessible:
- Contract (please attach the contract to this page or place it in the Documents folder)
- Scope of the certificate
- Due date of the certificate
- Next date of the audit
- Calculation of the total audit days
- Name of the auditor (please check with QAssurance if you can accept this auditor, take into account that you need at least a month of notice time, otherwise you might want to cancel the audit and still have to pay
- Auditors qualifications to be allowed to audit the scope
Certification management: an overview
As a food company, you have to take food quality standards into account. Both business-to-business customers and retailers often require a supplier to be certified to a standard recognized by the Global Food Safety Initiative (GFSI): BRC Food, IFS Food, FSSC22000 or SQF. It is therefore important to make managing this certification part of the business: certification management (CM). When we apply the Deming circle to certification management, the following steps apply:
Deming circle: Plan
Ensure that the certification process is agreed upon according to audit protocol: The scheme owners impose an audit protocol on the certification bodies, which they must adhere to. In the certification process with the customer, the resulting agreements are recorded in the contract and the planning of the audit.
Normally you will receive an audit plan two weeks before the audit, if not please contact the certification body. Make sure a month before end of the due date of your certification audit date the certification body confirms that an unnanouced audit has been scheduled.
Deming circle: Do
Ensure that the certification process is carried out according to audit protocol: The auditor must be qualified to perform the audit, and thus needs the qualifications for your products and processes. By this requesting qualifications prevents situations such as” “Hey, you are also heating the product, I am not allowed to check that”.
The audit planning also states how long an auditor must be on site and in production. When the auditor deviates (in practice) from this protocol, the certification is jeopardized, but also establish the certifying body's right to audit a scheme and eventually even the worldwide accreditation of such a certification body. Make sure that the non-conformities found from the audit are resolved and reported on time. In the case of freelance auditors always communicate with a contact person of the certification body in the cc.
Deming circle: Check
Check whether the certification process has been reported according to audit protocol, so that you can be sure that there are no surprises. Read the audit report yourself and check the report for consistency with the implementation. Are the number of days on location correct and were all people mentioned in the report actually present? Are all HACCP and raw material hazards listed that customers want to see coming back?
Also check the audit process again with the concluded contract, do you see the agreements reflected in the report and the invoice? Incongruities in visit registration, reporting and invoicing are still a year later observable and therefore potential time bombs for certification.
Deming circle: Act
Reports issues in the certification process that have not been carried out in accordance with the audit protocol. And make sure all of this is put in writing. In the end, you are responsible for purchasing the certification service from the correct certification body. It is just like with your company's financial reporting, the accountant might make a mistake, but it is your report and in this case: your certificate.
FSSC Audits
Somehow, auditors sometines seem to default to viewing failure to comply with a legal requirement as a critical. If the Dutch Food Safety Authority audited in this way, we would have had a recall after every Dutch Food Safety Authority visit. The law distinguishes between primary conditions and principles based on HACCP. Only when food safety is at risk does a critical normally apply, after a risk-based assessment.
Refrigeration, in this case, not only when the refrigeration system does not register correctly when products are cooled under the legal norm or when the periodic cleaning van is improved. Moreover, when raw poultry products are transported, between 4 and 5 degrees or the temperature of organ meet is approximately 3,5 degrees during storage and the products will be supplied to the consumer. These are cases where the legal standard was exceeded. However, these cases are not food safety issues, and therefore a legal incompliance does not equal a critical.
| Minor legal incompliance | Major legal incompliance | |
|---|---|---|
| Subject GFSI | Prerequisite program Basic | HACCP study |
| Topic | Basic Food Hygiene Warning | Food Safety Fine |
| Food Safety Authority | fine after Minor | Recall after Risk assessment Major |
| Audit | Major when re-occurence | Critical after Risk Assessment |
GFSI recognized standards and non-conformities
In order to have clarity about non-conformities and their weighing during an audit, this article summarizes how BRC, IFS and FSSC22000 deal with non-conformities. As the GFSI guidance guides these standards, the weighing of a non-conformance will normally be the same. In the Netherlands there is currently a trend for auditors to issue a critical non-conformity for FSSC22000 when a legal requirement is not met. This method of assessment is not in line with BRC and IFS and also not in line with the Dutch Food Safety Authority. As stated in the FSSC standard:
”A critical nonconformity is issued when a direct food safety impact without appropriate action by the organization is observed during the audit or when legality and/or certification integrity are at stake.”
Legality -the quality or state of being in accordance with the law
At stake means at risk;
“people's lives could be at stake”
“If something that is valuable is at stake, it is in a situation where it might be lost”
“Thousands of lives will be at stake if emergency aid does not arrive in the city soon”
Some auditors really think that a legal incompliance is directly a critical.
To be at stake is not the same as an incompliance.
BRC9: Non Conformities (2.3.1 Non-conformities)
There are three levels of non-conformity:
Critical Where there is a critical failure to comply with a food safety or legal issue.
Major Where there is a substantial failure to meet the requirements of a ‘statement of intent' or any clause of the Standard, or a situation is identified which would, on the basis of available objective evidence, raise significant doubt as to the conformity of the product being supplied.
Minor Where a clause has not been fully met but, on the basis of objective evidence, the conformity of the product is not in doubt.
Failure to comply with the statement of intent of a fundamental requirement (i.e. a major non-conformity) leads to non-certification at an initial audit or withdrawal of certification at subsequent audits. This will require a further full audit to establish demonstrable evidence of compliance.
The objective of the audit is to provide a true reflection of the standard of the operation and level of conformity against the Standard. Consideration should therefore be given to awarding a single major non-conformity where minor non-conformities are repeatedly raised against a particular clause of the Standard. Clustering of a significant number of minor non-conformities against a clause and recording this as a single minor non-conformity is not permitted. The certification body shall justify a high number (more than 20) of minor non-conformities where one or no major non-conformities are given. This shall be detailed on the audit report. IFS7.1: Non Conformities
IFS Scoring System
In order to determine whether compliance with an IFS Food requirement has been met, the auditor has to evaluate all requirements of the checklist (Part 2), which are classified either as regular or as KO requirements. The IFS scoring system covers a scoring range based on the level of compliance of the requirement, from full compliance to a deviation and / or non-conformity. In the IFS Food Standard, there are six (6) scoring possibilities. Points are awarded for each requirement according to the following chart (chart 1):
| Chart 1: IFS Scoring System | ||
|---|---|---|
| Result | Explanation | Points |
| A | Full compliance. | 20 points |
| B (point of attentOn) | Point of attention deviation. | 15 points |
| C (deviation) | Part of the requirernent is not implernented. | 5 points |
| D (deviation) | The requirement is not implernented. | —20 points |
| Major (non-conformity) | A Major non-conformity requirement (which is not defined as a KO requirernent). Reasons for Major rating | Major non-conformity will subtract 15% Of the possible total arnount,• the certificate cannot be issued. |
| There is a substantial failure to meet the requirements Of the standard. which includes but is not limited to food safety and/or the legal requirements of production and/or destination countries | ||
| A process is out of control which might have an impact on food safety. | ||
| KO requirement scored with scored with D (non-conformity) | The requirernent is not implemented. | KO non-conforrnity will subtract 50% of the possible total amount; the certificate cannot be issued. |
KO requirements
There are specific requirements in the IFS Food Standard which are named KO requirements. These requirements are essential and address key topics to be ensured by the production site to reach compliance. If the auditor identifies that the company does not fulfil at least one of these requirements during the Assessment, this results in a non-certification. In the IFS Food Standard, the following ten (10) requirements are defined as KO requirements:
1.2.1 Governance and commitment
2.2.3.8.1 Monitoring system of each CCP
3.2.2 Personal hygiene
4.2.1.3 Raw materials specification
4.2.2.1 Product and recipe compliance
4.12.2 Foreign material risk mitigation
4.18.1 Traceability
5.1.1 Internal audits
5.9.2 Procedures of withdrawals and recalls
5.11.2 Corrective actions
Scoring of KO requirements is explained in the following chart (chart 2)
| Chart 2: Scoring of a KO requirement | ||
|---|---|---|
| Result | Explanation | Points |
| A | Full compliance. | 20 points |
| B (point Of attention) | Point Of attention as it may lead to a future deviation. | NO “B” scoring is possible |
| C (deviation) | Part of the requirement is not implemented. | 5 points |
| D (=KO non-conformity) | The requirement is not implemented. | KO non-conformity will subtract 50 % Of the possible total amount, the certificate cannot be issued. |
Important note:
A “B” scoring is not possible for KO requirements: only A, C or D (= KO non-conformity) scorings are possible. If a KO non-conformity is rated during an IFS Food Assessment, the Assessment is failed and the next one can only be performed announced. For more information, see ANNEX 6.
Note: If an initial IFS Food Assessment is failed due to a D evaluation of a KO requirement and / or more than one Major non-conformity, the IFS Food Assessment report shall be uploaded in the IFS Database and this Assessment cannot be considered as a pre-Assessment
2.3.3 Follow-up Assessment
A follow-up Assessment is required in a specific situation where the results of the Assessment (initial or recertification) did not allow a certificate to be issued due to one Major non-conformity and a total scoring ≥ 75 %. During the follow-up Assessment, the auditor shall focus on the implementation of actions taken
to correct the Major non-conformity determined in the previous Assessment.
The closure of the Major non-conformity shall always be verified by an on-site evaluation by the auditor.
The follow-up Assessment shall generally be performed by the same auditor who performed the Assessment where the Major non-conformity was identified. The follow-up Assessment shall be performed no earlier than six (6) weeks, and no later than six (6) months, after the previous Assessment.
If a follow-up Assessment is not performed within six (6) months of the date of the previous Assessment, a full new initial Assessment shall be performed.
If the company decides not to perform a follow-up Assessment but to start again with a full new Assessment, the new Assessment shall be scheduled no earlier than six (6) weeks after the Assessment where the Major non-conformity was issued (for further information, see chapter 4.2.1.1, Part 1).
If the follow-up Assessment is failed, a full new Assessment will be necessary and shall be scheduled no earlier than six (6) weeks after the follow-up Assessment. The report of the failed follow-up Assessment shall be uploaded to the IFS Database. If the follow-up Assessment is successful, certification shall be issued at foundation level only. The different steps are explained in ANNEX 5.
In the event of a Major non-conformity, a D evaluation of a KO requirement or a total scoring the current certificate shall be suspended.
FSSC22000: Non Conformities (5.3.4 NONCONFORMITY MANAGEMENT)
Nonconformities raised at multi-site organizations (refer section 5.3) shall follow the requirements of the Scheme as well as those in IAF MD1, section 7.7 with the following specific requirements in addition:
a) Where a critical nonconformity is identified, the certificate of the multi-site organization shall be suspended within 3 working days of issuing the critical nonconformity, regardless of whether or not all the site audits have been completed.
b) Where a major nonconformity is identified and the audit takes more than 30 calendar days to complete (central function and site audits), the organization shall provide a corrective action plan including any temporary measures or controls necessary to mitigate the risk until the nonconformity can be closed.
c) The timeline for closure of nonconformities start at the end of the audit – after completion of the central function audit and all the site audits.
6.2 NONCONFORMITIES
In accordance with the definitions in the Scheme and as defined below, the Certifying Body (CB )is required to apply these criteria as a reference against which to determine the level of nonconformities for findings.
There are three nonconformity grading levels:
a) Minor nonconformity;
b) Major nonconformity;
c) Critical nonconformity.
Nonconformities shall always be written to the most relevant Scheme requirement linked to the specific audit criteria in ISO 22000:2018; the specified PRP standard or the FSSC Additional Requirement. The Scheme does not allow “Opportunities for Improvement”.
6.2.1 MINOR NONCONFORMITY
A minor nonconformity shall be issued when the finding does not affect the capability of the management system to achieve the intended results:
1) The organization shall provide the CB with objective evidence of the correction, evidence of an investigation into causative factors, exposed risks, and the proposed corrective action plan (CAP);
2) The CB shall review the corrective action plan and the evidence of correction and approve it when acceptable. The CB approval shall be completed within 28 calendar days after the last day of the audit. Exceeding this timeframe shall result in a suspension of the certificate;
3) Corrective action(s) (CA) shall be implemented by the organization within the timeframe agreed with the CB;
4) Effectiveness of implementation of the corrective action plan shall be reviewed, at the latest, at the next scheduled audit. Failure to address a minor nonconformity from the previous audit could lead to a major nonconformity being raised at the next scheduled audit.
6.2.2 MAJOR NONCONFORMITY
A major nonconformity shall be issued when the finding affects the capability of the management system to achieve the intended results:
1) The organization shall provide the CB with objective evidence of an investigation into causative factors, exposed risks, and evidence of effective implementation;
2) The CB shall review the corrective action plan and conduct an on-site follow-up audit to verify the implementation of the CA to close the major nonconformity. In cases where documentary evidence is sufficient to close out the major nonconformity, the CB may decide to perform a desk review. This follow-up shall be done within 28 calendar days from the last day of the audit;
3) The major nonconformity shall be closed by the CB within 28 calendar days from the last day of the audit. When the major cannot be closed in this timeframe, the certificate shall be suspended;
4) Where completion of corrective actions might take more time, the CAP shall include any temporary measures or controls necessary to mitigate the risk until the permanent corrective action is implemented.
6.2.3 CRITICAL NONCONFORMITY
A critical nonconformity is issued when a direct food safety impact without appropriate action by the organization is observed during the audit or when legality and/or certification integrity are at stake:
1) When a critical nonconformity is raised at a certified organization the certificate shall be suspended within 3 working days of being issued, for a maximum period of six (6) months;
2) When a critical nonconformity is issued during an audit, the organization shall provide the CB with objective evidence of an investigation into causative factors, exposed risks, and the proposed CAP. This shall be provided to the CB within 14 calendar days after the audit;
3) A separate audit shall be conducted by the CB between six (6) weeks to six (6) months after the regular audit to verify the effective implementation of the corrective actions. This audit shall be a full on-site audit (with a minimum on-site duration of one day). After a successful follow-up audit, the certificate and the current audit cycle will be restored, and the next audit shall take place as originally planned (the follow-up audit is additional and does not replace an annual audit). This audit shall be documented, and the report uploaded;
4) The certificate shall be withdrawn when the critical nonconformity is not effectively resolved within the six (6) month timeframe;
5) In case of a certification audit (initial), the full certification audit shall be repeated.
Related articles to How to manage your certification body
Many customers and visitors to this page 'How to manage your certification body' also viewed the articles and manuals listed below: