Tag Archives: assess

The Path Forward to a Safer Cannabis Industry

By Roshan Sebastian
1 Comment

Two decades ago, California became the first state to legalize the medical use of cannabis. In 2021, medical use of cannabis is legal is 36 US states, and 17 states allow adult (‘recreational’) use. This trend of rapid legalization of the cannabis industry, while encouraging for industry growth, attracts more attention from federal regulatory bodies such as the Occupational Safety and Health Administration (OSHA). Following a number of incidents and near misses, cannabis facilities have been increasingly frequented by OSHA visits, leading to a spike in citations and fines. A review of past OSHA citations reveals that the most common citations in the cannabis industry pertains to the employer’s lack of awareness about the hazardous nature of some operations and materials handled in the facility. This leads to an absence of a formal fire prevention plan, lack of proper hazardous chemical training, deficiency in proper documentation related to workplace injury and limited evaluation of required personal protective equipment (PPE).1

Cannabis industry data suggests that as of today, an incident is often followed by an OSHA inspection.  This naturally leads to the facility asking, ‘How do we prepare for an OSHA inspection and prevent future citations?’ The answer is a combination of identifying and mitigating risks in advance to avoid incidents and developing management systems that support the identification and risk mitigation efforts. Recent collaboration between cannabis business owners and organizations that write codes and standards have provided a framework in which to address the industry’s unique safety challenges to help reduce inherent risk to a facility. These codes and standards typically impact building construction/safety features and operation of the facility, however, additional risk mitigation can be drawn from the best practices already in place in process industries with similar hazards. These process industries have embraced process safety management (PSM) programs, which are built around principles flexible enough to be successfully implemented in the cannabis industry. Adopting such programs will serve the dual purpose of improving the overall safety record of the cannabis industry while enhancing company sustainability2 and help avoid events that lead to OSHA citations.

Figure 1. Risk Based Process Safety Management System

The risk-based process safety (RBPS) approach developed by the Center for Chemical Process Safety (CCPS)3 may prove to be the most effective framework to implement PSM programs in the cannabis industry. Unlike the prescriptive regulatory approach provided by OSHA 29 CFR 1910.119, the RBPS methodology recognizes that not all hazards and risks are equal. By assessing risk, an organization can develop an effective management system that will prioritize allocation of limited resources to address the highest risks. Figure 1 shows the four foundational blocks (pillars) of RBPS and the various elements that make up each pillar.

If a cannabis business owner were to develop programs on each of the pillars presented in Figure 1, a comprehensive safety program would be in place that delivers sustainable risk reduction and mitigation.  However, as with any industry, the elements can be prioritized and tackled over time, starting with the elements having the most influence on the overall safety of a given facility. For example, a given facility may have great procedures and practices, but may not consistently train or instill employee knowledge or competency. Conversely, a facility may have personnel with great knowledge of hazards and risks, but are less developed with regard to documenting procedures, safe practices or training for new hires. Focusing available resources on the less developed elements will lead to an overall improvement in facility risk, leading to a lower likelihood of an incident and OSHA inspection.

Figure 2. Still image from surveillance video of an explosion at New MexiCann Natural Medicine in July 2015.

As with any industry, positive and negative public perception is driven by the media, which tends to focus on attention-grabbing headlines. The majority of past incidents reported in the news for the cannabis industry were explosions that occurred during the extraction process. One such extraction explosion, shown in Figure 2, occurred in July 2015 at the New MexiCann Natural Medicine facility in Santa Fe, New Mexico. With a focus on the ‘hazard identification and risk analysis’ pillar of RBPS, future such events may be mitigated.

Of the twenty RBPS elements, hazard identification and risk analysis (HIRA) stands out as having the highest potential for immediate impact on the cannabis industry’s safety profile.

HIRA is a collection of activities carried out through the life cycle of a facility to ensure that the risks to employees and the public are constantly monitored to be within an organization’s risk tolerance. The four major areas to analyze are:

  • Hazards – What are the possible deviations from the design intent?
  • Consequences – What are the worst possible consequences (or severity) if any deviation occurs?
  • Safeguards – Are there safeguards in the system to reduce the likelihood of this event?
  • Risk – Is the risk within the tolerable level? If not, what steps are needed to reduce the risk? (Severity X Likelihood = Risk)
Figure 3. A simplified HIRA flow chart for an Extraction Process

Let us consider an example case where the extraction process utilizes propane or butane as the extracting solvent. Figure 3 shows a simplified HIRA flow chart for the extraction process.

This systematic approach helps to understand the hazards and evaluate the associated risk. In addition, this approach highlights operator training as a crucial safeguard that can be credited to lower the overall risk of the extraction facility. Remember, lack of proper safety training (another element!) is one of the most cited OSHA violations in the cannabis industry. Another advantage to the HIRA methodology is that other safeguards that may be present can be identified, their effectiveness evaluated and additional risk reduction measures may be recognized. This will help business owners allocate their limited resources on the critical safeguards that provide the greatest risk reduction. Identifying, analyzing and solving for potential hazards is a key step in safe operation of a facility and avoiding OSHA citations.

While this article discusses only a single RBPS element, this example demonstrates how best practices from process industries can become a powerful tool for use in the cannabis industry. The “hazard identification and risk analysis” element of the RBPS approach is pertinent not only for the extraction process as discussed above, but also directly applicable to other aspects of the industry (e.g., dust explosions in harvesting and processing facilities, toxic impacts from fertilizers, hazards from the CO2 enrichment process in growing facilities, etc.).

References

  1. Top 5 OSHA Infractions for Cannabis Businesses
  2. The Business Case for Process Safety; 4th Edition; Center for Chemical Process Safety; 2018
  3. Guidelines for Risk Based Process Safety; Center for Chemical Process Safety: An AICHE Technology Alliance; published March 2007
  4. Video: Explosion rips through medical marijuana facility

How Effective is Your Internal Auditing Program?

By David Vaillencourt
No Comments

The word “audit” evokes various emotions depending on your role in an organization and the context of the audit. While most are familiar with and loathe the IRS’s potential for a tax audit, the audits we are going to discuss today are (or should be) welcomed – proactive internal quality audits. A softer term that is also acceptable is “self-assessment.” These are independent assessments conducted to determine how effective an organization’s risk management, processes and general governance is. 

“How do you know where you’re going if you don’t know where you’ve been” – Maya Angelou

Internal quality audits are critical to ensuring the safety of products, workers, consumers and the environment. When planned and performed periodically, these audits provide credible, consistent and objective evidence to inform the organization of its risks, weaknesses and opportunities for improvement. Ask yourself the question: do your clients/vendors rely on you to produce reliable, consistent and safe products? Assuming the answer is yes, what confidence do you have, and where is the documented evidence to support it?

Compliance units within cannabis businesses are typically responsible for ensuring a business stays legally compliant with state and federal regulations. This level of minimum compliance is critical to prevent fines and ensure licenses are not revoked. However, compliance audits rarely include fundamental components that leave cannabis operators exposed to many unnecessary risks.

Internal quality audits are critical to ensuring the safety of products, workers, consumers and the environment.

As a producer of medical and adult-use products that are ingested, inhaled or consumed in other forms by our friends, family and neighbors, how can you be sure that these products are produced safely and consistently? Are you confident that the legal requirements mandated by your state cannabis control board are sufficient? Judging by the number of recalls and frustrations voiced by the industry regarding the myriad of regulations, I would bet the answer is no.

What questions do internal audits address? Some examples include:

  • Are you operating as management intends?
  • How effective is your system in meeting specified objectives? These objectives could include quality metrics of your products, on-time delivery rates and other client/customer satisfaction metrics.
  • Are there opportunities to improve?
  • Are you doing what you say you do (in your SOPs), and do you have the recorded evidence (records) to prove it?
  • Are you meeting the requirements of all applicable government regulations?

There are potential drawbacks to internal audits. For one, as impartiality is essential in internal audits, it may be challenging to identify an impartial internal auditor in a small operation. If your team always feels like it is in firefighting mode, it may feel like a luxury to take the time to pull members out of their day-to-day duties and disrupt ongoing operations for an audit. Some fear that as internal assessments are meant to be more thorough than external assessments, a laundry list of to-do items may be uncovered due to the audit. But, these self-assessments often uncover issues that have resulted in operational efficiencies in the first place. This resulting “laundry list” then affords a proactive tool to implement corrective actions in an organized manner that can prevent the recurrence of major issues, as well as prevent new issues. The benefits of internal audits outweigh the drawbacks; not to mention, conducting internal audits is required by nearly every globally-recognized program, both voluntary (e.g. ISO 9001 or ASTM Internationals’s Cannabis Certification Program) and government required programs such as 21 CFR 211 for Pharmaceuticals.

Internal Auditing is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. Additional benefits of internal audits include giving your organization the means to:

  • Ensure compliance to the requirements of internal, international and industry standards as well as regulations and customer requirements
  • Determine the effectiveness of the implemented system in meeting specified objectives (quality, environmental, financial)
  • Explore opportunities for improvement
  • Meet statutory and regulatory requirements
  • Provide feedback to Top Management
  • Lower the cost of poor quality

Findings from all audits must be addressed. This is typically done in accordance with a CAPA (Corrective Action Preventive Action) program. To many unfamiliar with Quality Management Systems, this may be a new term. As of Jan 1, 2021, this is now a requirement for all cannabis licensed operators in Colorado. Many other states require a CAPA program or similar. Continuing education units (CEUs) are available through ASTM International’s CAPA training program, which was developed specifically for the cannabis industry.

Examples of common audit findings that require CAPAs include:

  • Calibration – Production and test equipment must be calibrated to ensure they provide accurate and repeatable results.
  • Document and record control – Documents and records need to be readily accessible but protected from unintended use.
  • Supplier management – Most standards have various requirements for supplier management that may include auditing suppliers, monitoring supplier performance, only using suppliers certified to specific standards, etc.
  • Internal audits – Believe it or not, since internal audits are required by many programs, it’s not uncommon to have a finding related to internal audits! Findings from an internal audit can include not conducting audits on schedule, not addressing audit findings or not having a properly qualified internal auditor. Are you looking for more guidance? Last year, members of ASTM International’s D37 Committee on Cannabis approved a Standard Guide for Cannabis and Hemp Operation Compliance Audits, ASTM D8308-21.

If you are still on the fence about the value of an internal audit, given the option of an inspector uncovering a non-conformance or your own team discovering and then correcting it, which would you prefer? With fines easily exceeding $100,000 by many cannabis enforcement units, the answer should be clear. Internal audits are a valuable tool that should not be feared.

How Private-Sector-Led Information Sharing Can Transform Cybersecurity in the Cannabis Industry.

By Andy Jabbour, Ben Taylor
No Comments

The cannabis industry’s advancement towards legalization continues to dominate national headlines, from the stance of incoming Attorney General Merrick Garland to deprioritize enforcement of low-level cannabis crimes, Senate Majority Leader Chuck Schumer’s continued advocacy, to the recent passing of legislation in New York, New Mexico and Virginia (the first in the South) to authorize adult-use cannabis. While these updates are likely to intrigue customers and investors alike, they are also sure to draw the attention of cyber criminals who could look at the relative youth of the industry, as well as its rapid growth, as a prime target of opportunity for nefarious acts.

In order to understand risk mitigation best practices across a wide spectrum of private sector industries, this article will first identify the current security environment in order to understand the threats, briefly highlight specific case studies and assess the risks and identify methods that individual organizations, as well as the cannabis industry as a whole, can take action to enhance security and preparedness and to develop resiliency against future attacks.

Understanding the Threats

For an industry that has operated in a largely cash-based system for much of its existence, the idea of security is not foreign. Typically, these concerns focused on physical security implementation. The topic has received plenty of coverage, including a recent article in this journal articulating Important Security Considerations When Designing Cannabis Facilities. While an audit of physical security measures is a valuable part to any all-hazards threat assessment, securing a growing online network – from email to online finances to connected devices within cannabis facilities – can pose more unfamiliar challenges. When consulted for this article, Patten Wood, a former VP of marketing for a prominent west-coast cannabis retail brand noted: “While the topic of cybersecurity is critically important to customers, businesses, and the industry at large, it isn’t top of mind for many of the cannabis companies that I’ve experienced.” Understanding what risks are present is the first step to mitigating them, so we must first discuss several common cyber threats for the cannabis industry.

  • Phishing: Phishing happens when cybercriminals impersonate a trusted individual or entity, typically through email. The goal in this instance is to get the target to share confidential information or download software that can allow unauthorized access into an organization’s network. Phishing is one of the most common types of cyberattacks as it is relatively easy to conduct and surprisingly effective.
  • Ransomware Attacks: Ransomware attacks are used to gain access to a computer network and then lock and encrypt either the entire system or certain sets of high-value files, which can compromise important business information, and impact client and vendor privacy. A ransom is then demanded for restoring access, but paying the ransom comes with its own risk as it doesn’t guarantee the files will be restored. 
  • Cyber Extortion: Similar to ransomware attacks in their design, cyber extortion typically deals with a threat of leaking personal information and will generally demand payment in cryptocurrency in order to maintain their anonymity. 
  • Lumu: 2020 Ransomware Flashcard

    Remote Access Threats: As 2020 has forced organizations to rethink how they conduct business and shift to more remote operations than they had in the past, it can open up several new threats. According to a survey by IT social network SpiceWorks.com, six out of every ten organizations allow their employees to connect their company-issued devices to public Wi-Fi networks. Utilizing unsecured Wi-Fi networks opens the user up to man-in-the-middle attacks, allowing hackers to intercept company data. Unsecure Wi-Fi also brings the threat of malware distribution. An additional consideration with remote workers is the uptick in cyber attacks against remote access software referred to as remote desktop protocol (RDP) attacks. According to Atlas VPN, RDP attacks skyrocketed 241% in 2020 and we’ve seen numerous RDP attacks against critical infrastructure throughout the pandemic and across all industries.

  • Internet of Things (IoT) Leaks: With IoT devices running everything from security systems to automated growing operations, the convenience has been a huge boost for the industry. Unfortunately, many IoT devices don’t have sophisticated built-in security. Another common problem is the tendency of users to keep default passwords upon installation, which can make devices easy for cyber criminals to access. Once they are inside the system, malware can easily be installed, and the actors can move laterally throughout the network.
  • Personal and Medical Record Security: Many cyberattacks expose some level of personal data, whether that be customer, employee or vendor information. An extra consideration for retail operations that either treat medical patients, or medical and adult-use customers, is the additional information they must store about their clients. Medical facilities will maintain protected health information (PHI), which are much more valuable on the dark web than personally identifiable information (PII). But even adult use facilities may keep government-issued ID or other additional information above that of a typical retailer, which makes the potential value of their information much more intriguing for a cybercriminal.

Assessing the Risks

Depending on where your organization lies in the seed to sale chain, you will have different levels of risk for various types of attacks. We briefly discussed ransomware attacks earlier. Ransoms can range widely depending on the size of the organization that is attacked, but the ransom alone isn’t the only risk consideration. Businesses must also factor in the cost of downtime (an average of 18 days in 2020) caused by the ransomware when evaluating the impact to business operations, as well as reputation. While small – medium businesses are absolutely at risk, especially given their relative lack of cybersecurity resources and sophistication, a recent trend involves “Big Game Hunting” where cybercriminals are targeting larger organizations with the potential for bigger paydays. Criminals understand that big business can rarely afford major delays, and may be more able and willing to pay, and pay big, for a return to normal operations.

Group-IB: Ransomware Uncovered

Below are several examples of attacks which have either directly impacted the cannabis industry, or have valuable lessons the industry can learn from.

GrowDiaries: In October 2020 researcher Bob Diachenko discovered that 3.4 million records including passwords, posts, emails and IP addresses were exposed after two open-source application Kibana apps were left exposed online. As a platform for cannabis growers around the world (who are not all growing legally), this type of exposure puts the community at great risk, and can lower user confidence in the product, as well as putting them at personal risk of harm or legal ramifications. The applications being left open is a prime example of either a lack of good cybersecurity policies, or not following through on those policies.

Aurora Cannabis: On December 25th, 2020 Canadian company Aurora Cannabis suffered a data breach when SharePoint and OneDrive were illegally accessed. Included in the data that was compromised was credit card information, government identification, home addresses and banking details. The access point coming through Microsoft cloud software is a prime example of some of the challenges facing businesses who have an increasingly remote workforce yet still need that workforce to access critical (and usually highly sensitive) information.

THSuite: A database owned by seed to sale Point-Of-Sale (POS) software provider THSuite was discovered by researchers in December 2019. The database contained PHI/PII for 30,000 people, with over 85,000 files being exposed. The information that was left accessible included scanned government IDs, personal contact information and medical ID numbers. Clearly this gets into HIPAA territory, which can result in fines of up to $50,000 for every exposed record.

Door Dash: As cannabis delivery apps become more prevalent, it’s good to reference how similar businesses in other industries have been targeted. In May of 2019 nearly 5 million user records were accessed by an unauthorized third party, exposing PII and partial payment card information.  

Taking Action 

On an organizational level, employee training, password hygiene and malware protection are some of the basic and most important steps that should be taken by all organizations. But, if “knowledge is power,” the best defense for any organization against cyber threats is a well-informed organization- including leadership down to the front-line employees. Excellent tools to assist in this are Information Sharing & Analysis Centers/Organizations (ISACs/ISAOs). ISACs were established under a presidential directive in 1998 to enable critical infrastructure owners and operators to share cyber threat information and best practices. The National Council of ISACs currently has over 20 member ISACs including Real Estate, Water, Automotive and Energy. ISAOs were created by a 2015 executive order to encourage cyber threat information sharing within private industry sectors that fall outside of those listed as “critical infrastructure”. Christy Coffey, vice president of operations at the Maritime and Port Security ISAO (MPS-ISAO) says information sharing enabled by the executive order is critical. “We need to accelerate private sector information sharing, and I believe that the ISAO is the vehicle.”

According to Michael Echols, CEO of the International Association of Certified ISAO’s (IACI) at the Kennedy Space Center, security experts have long understood that threat information sharing can allow for better situational awareness and help organizations better identify common threats and ways to address them. “On the other side, hackers in a very documented way are already teaming up and sharing information on new approaches and opportunities to bring more value (to their efforts).” The ongoing crisis surrounding the Microsoft Exchange Server Vulnerability demonstrates that different cybercriminal groups will work simultaneously to abuse system flaws. As of March 5th it was reported that at least 30,000 organizations in the U.S. – and hundreds of thousands worldwide – have backdoors installed which makes them vulnerable to future attacks, including ransomware.

Below are several links to recent products that have been shared by various ISACs/ISAOs, which are provided as an example of the type of information that is commonly shared via these organizations.

If organizations are interested in learning more about enhancing their cybersecurity resiliency through private-sector led information sharing, please reach out to the newly formed Cannabis ISAO at ben@cannabisisao.org 

PJLA

Perry Johnson Laboratory Accreditation (PJLA) Pivots to Virtual Assessments

By Cannabis Industry Journal Staff
No Comments
PJLA

In a letter sent out to clients last week, Perry Johnson Laboratory Accreditation (PJLA) notified their partner labs that they will be conducting virtual assessments.

PJLA typically conducts assessments on-site. . However, given the current situation, with CDC recommendations for social distancing and mandatory stay-at-home orders in some states, the laboratory accreditation company is pivoting to virtual assessments to help their clients maintain accreditation.

Tracy Szerszen
Tracy Szerszen, president/operations manager, PJLA

Virtual assessments are not the norm, but they are allowed to offer them during crises where on-site assessments are not possible. PJLA is sending their clients virtual assessment surveys to check the viability of a remote assessment. That includes making sure there’s a video camera in the lab, capability to use remote meeting software, and capability for remote screen sharing during a quality review. Take a look at the letter PJLA sent their clients last week:

Dear PJLA Clients,

Considering the COVID-19 pandemic, business and the conduct of audits has changed dramatically.  We at PJLA are doing all we can to maintain accreditation while keeping the health and safety of our auditors, our clients, and their families a priority.

To keep your accreditation valid, we have been able to implement Virtual auditing technology to do entire audits – or at least parts of audits – remotely, using virtual audit techniques.  These types of audit are offered for crisis situations where we cannot perform routine on-site assessments (natural disasters, emergencies, travel restrictions).

Clients will be receiving a virtual assessment survey

  • Allowing for virtual (i.e. cameras in the lab)
  • Capability to use virtual systems
  • Having equipment with cameras/remote screen sharing for quality review and laboratory operations

Upon review of the survey, organizations and assessors will be provided with the decision that the assessment can be conducted fully or partially remote. Following approval, assessors and clients will have a discussion to determine the planning of the virtual assessment.

We have a team dedicated to providing support, but we still ask for your patience during this time.  It may take some time for everyone to become comfortable with the software. We will be reaching out to each client to hear about their experience to continually improve this process.

We thank you for participating in this new and exciting assessment option.

Respectfully,

Tracy Szerszen

President/Operations Manager

Perry Johnson Laboratory Accreditation, Inc.

755 West Big Beaver Road Suite 1325

Troy, MI 48084

Phone: (248) 519-2603

www. pjlabs.com

Soapbox

Third-Party Cannabis Safety Audits & How to Prepare in 7 Steps

By Tyler Williams
2 Comments

Unlike the food industry, the cannabis industry is still in its infancy. Which means there is not a push from retailers demanding cannabis farmers, extractors or manufacturers to get third-party audits. In fact, most grow operations supply into their own dispensaries. So why should a cannabis farmer, extractor or manufacturer get a third-party audit? Third-party audits are crucial to maintaining product safety and quality by providing a third set of eyes to verify what is working and what is not. Besides regulatory requirements and customers requiring your facility to get a third-party audit, there are numerous other benefits to receiving an audit. Some of these benefits include:

  • Improvement to product safety
  • Improvement to product quality and consistency
  • Meeting regulatory compliance
  • Eliminating potential risks and possible recalls
  • Marketing advantages over competitors who are not audited by a third-party
  • Improvement to consumer confidence and an increase to brand loyalty

How to Prepare for a Third-Party Audit

Working for a certification body, I am in the unique position to see numerous sites go through the certification process. In this position I have seen both extremes: Sites that spend 6-8 months and a lot of resources preparing for an audit, as well as sites that wait until the day before to even look at the audit standard. Unfortunately, the latter is almost always going to fail the audit. Here are seven steps for preparing for your next third-party audit.“By failing to prepare, you are preparing to fail.”– Benjamin Franklin

  1. Start Preparing Early

Think of your third-party audit as a college exam one month away. You could start studying for the exam now and get a real understanding of the material or you could wait until the day before to start your no-sleep, energy drink-fueled, 24-hour cram session. We all know which preparation method will get a better score on the exam. Now let’s apply that same strategy to your third-party audit. Once you have decided what audit is best for your site and have those specific standards in your hand, the clock starts ticking and you should already be preparing for the audit, whether it is one month or six months away.

  1. Get Management Commitment

It is essential to the entire cannabis safety and quality system to have commitment from top down. Without this, the site will not get the resources (people, equipment, money, time, etc.) they need to pass a third-party audit. Management commitment is so important that it is often seen as its own section in most modern audit standards. It is very easy for third-party auditors to identify when there is a lack of management commitment in a site. Therefore, if you don’t get management commitment, then you are already starting off the audit on a bad note.

  1. Create a To-Do-ListGMP

Think of the entire audit checklist or standard as your long to-do list. Some things, like attaining a certificate of analysis (COA) from a supplier, may only need to be done annually. While other things, such as ensuring employees are following Good Manufacturing Practices (GMPs), will need to be done continuously throughout day to day operations. Go through the audit checklist and separate what needs to be done annually, semiannually, quarterly, monthly and continuously throughout day to day operations. This will give you a list with all of the frequencies of each different requirement.

  1. Teamwork“Teamwork makes the dream work, but a vision becomes a nightmare when the leader has a big dream and a bad team.” – John C. Maxwell

The preparation of an audit should never rest on the shoulders of one person. Yet this is something I tend to see too often in both food and cannabis facilities alike. Your site should establish a cannabis safety and quality team of multidiscipline personnel that have an impact on product safety and quality. Once the team is established, various tasks from the to-do-list can be disbursed among all the members of the team. Collaboration is key to successfully preparing for a third-party audit, especially when the timelines are very stringent.

  1. Training

Training is essential to preparing for your third-party audit. This is what closes the gaps between what the safety and quality department have developed and what your front-line employees are applying. All employees should know what part of the audit standard applies to them. Additionally, employees should be trained on interview questions that the auditor might ask them during the audit. Helping them prepare for these types of questions will help ease their nerves and allow them to answer the questions with self-assurance when it comes time to the actual audit.

  1. Conduct Internal Audits

Conducting internal audits is not only a great way to prepare for your third-party audit, it’s a requirement. You should always use the audit checklist to observe your documents and facility to see where there are gaps. If possible, the person or team conducting the internal audit should never review their own work. Additionally, all issues or non-conformances should be noted, evaluated, corrected and closed out.

  1. Third-Party Pre-Assessment or Mock Audit (Optional)

A third-party pre-assessment or mock audit is the closest thing you can get to an actual audit. This is where a company would come in and evaluate your site to the specific standards and give a formal report over any deficiencies found during the assessment and how to fix them. This is a great way to test your preparedness before the actual audit.

Digipath Labs Now ISO 17025:2017 Accredited

By Aaron G. Biros
No Comments

According to a press release published in December, Digipath Labs, based in Las Vegas, Nevada, was recently accredited to the updated ISO standard, ISO 17025:2017. The laboratory received their accreditation from Perry Johnson Laboratory Accreditation (PJLA).

ISO 17025:2005 has long been the standard that labs seek accreditation to, but their newest 2017 edition was recently rolled out and introduced to the market. The new 2017 standard includes some broad changes to terminology, process approach, scope, and it importantly introduces the concept of risk-based thinking.

That concept of risk-based thinking is particularly relevant to the cannabis testing market, where many have argued for more transparency and uniformity in different state regulations and markets. Introducing risk-based thinking in the standard means that assessors also look at the risk of bias, impartiality and assessing measurement uncertainty, which certainly adds a layer of subjectivity to the accreditation.

PJLATracy Szerszen, president/operations manager of PJLA, says the newer standard also includes a provision for a quality management system review among other changes. “We are making sure they are following the standard from a technical standpoint, meaning they have the right equipment, the appropriate personnel and also have a quality management system,” says Szerszen. “November 29, 2020 is the deadline for moving to the new 2017 standard.”

According to Todd Denkin, CEO and founder of Digipath, obtaining the new ISO accreditation poises them for future growth and expansion. “Digipath Labs has now brought its standard of excellence in cannabis testing under the updated ISO-17025:2017 umbrella as we seek to expand our dominance in cannabis testing markets,” says Denkin. “This is a major step in positioning Digipath as a global leader in testing services.”

Designing Your Continuing Cannabis Education Program

By RJ Starr
No Comments

As many states’ medical cannabis programs are already in full swing and several are launching or nearing their one-year or biennial maturation periods, medical cannabis dispensaries and cannabis cultivation and processing facilities should be fine-tuning their Continuing Cannabis Education Program, or CCEP, and be ready for inspection by state agencies.

While states with medical cannabis programs administer them through various agencies such as Department of Medicine/Health, Department of Pharmacy, Department of Commerce, Alcoholic Beverage Control, each has their own minimum requirements for continuing education in the medical cannabis space, and each structures their program in the direction within which that particular regulatory agency leans. Each state’s personality also brings an influential component as well; for example, a state with a highly visible opioid crisis may place greater emphasis on substance abuse training.

Suffice it to say that while there is certainly insight to be gained from knowing your particular state, there are certain elements of an ongoing professional development program that should be considered in each CCEP. This article will explore a few of the elements integral to any successful human capital and professional development plan from a vantage of compliance, and will offer some insight into the exceptional training methodology designed by Midwest Compassion Center and Bloom Medicinals.

There are a number of key considerations in developing a Continuing Cannabis Education Program, and a thoughtful CCEP should be developed specifically to meet the needs of both the organization and its employees. This can be done by a needs assessment consisting of three levels: organizational, occupational, and individual assessments.

  1. Needs assessment and learning objectives. This part of the framework development asks you to consider what kind of training is needed in your organization. Once you have determined the training needed, you can set learning objectives to measure at the end of the training.
    1. Organizational assessment. In this type of needs assessment, we can determine the skills, knowledge and abilities our cannabis dispensaries need in order to meet their strategic objectives. This type of assessment considers things such as changing laws, demographics and technology trends. Overall, this type of assessment looks at how the organization as a whole can handle its weaknesses while promoting strengths.
    2. Occupational (task) assessment. This type of assessment looks at the specific tasks, skills, knowledge and abilities required of our employees to do the jobs necessary within our dispensaries.
    3. Individual assessment. An individual assessment looks at the performance of an individual employee and determines what training should be accomplished for that individual.
  2. Consideration of learning styles. Making sure to teach to a variety of learning styles is important to development of training programs.
  3. Delivery mode. What is the best way to get your message across? Is classroom or web-based training more appropriate, or should one-on-one mentoring be used? Successful training programs should incorporate a variety of delivery methods.
  4. How much money do you have to spend on this training? This does not only include the cost of materials, but the cost of time. Consideration should also be given to the costs associated with not investing in training: CFO asks CEO, “What happens if we invest in developing our people and then they leave us?” CEO: “What happens if we don’t, and they stay?”
  5. Delivery style. Will the training be self-paced or instructor led? What kinds of discussions and interactions can be developed in conjunction with this training? The delivery style must take into account people’s individual learning styles. A balance of lectures, discussions, role-playing, and activities that solidify concepts are considered part of delivery style.
  6. Audience. Who will be part of this training? Do you have a mix of roles, such as accounting people and marketing people? What are the job responsibilities of these individuals, and how can you make the training relevant to their individual jobs? The audience for the training is an important aspect when developing your CCEP. This can allow the training to be better developed to meet the needs and the skills of a particular group of people.
  7. Content. What needs to be taught? How will you sequence the information? The content obviously is an important consideration. Learning objectives and goals for the training should be established and articulated before content is developed.
  8. Timelines. How long will it take to develop the training? Is there a deadline for training to be completed, and if so, what risk analysis can be used to determine the consequences of not meeting that deadline? After content is developed, understanding time constraints is an important aspect. Will the training take one hour or a day to deliver? What is the timeline consideration in terms of when people should take the training?
  9. Communication. How will employees know the training is available to them? Letting people know when and where the training will take place is part of communication.
  10. Measuring effectiveness. How will you know if your training worked? What ways will you use to measure this? The final aspect of developing a training framework is to consider how it will be measured. At the end, how will you know if the trainees learned what they needed to learn?

A thorough review of your state’s rules and regulations should take place quarterly, with one or more specific employees designated to stay abreast of changes. If your regulatory authority has implemented requirements that trainings must be approved in advance, know that as well, and keep your Continuous Cannabis Education Program up-to-date and ready for inspection.