Tag Archives: inspector

Documentation: Are You Prepared?

By Radojka Barycki

Documents play a key role in the world of regulations and global standards. Documents tell the story of program development, implementation and verification during an inspection or audit. Documents are used as evidence to determine conformance to the law or standard. However, do you know what kind of documents may be reviewed during a regulatory inspection or a food safety audit? Are you prepared to show that the implementation of regulatory requirements or a standard is done efficiently at your facility?

Inspectors and auditors will look for compliance either to regulations or to a standard criterion. Regulations and standards require that documentation is controlled, secured and stored in an area where it cannot deteriorate. Therefore, writing a Document Management Program (DMP) will help a business owner ensure consistency in meeting this and other requirements.

Radojka Barycki will host a plenary session titled “Cannabis: A Compliance Revolution” at the 2018 Food Safety Consortium.

A well-developed and implemented DMP provides control over documents by assigning a number sequence and revision status to each document. In addition, ownership for development, review and distribution of the documents is assigned to specific individuals within the company to ensure that there are no inconsistencies in the program. Documents must also have the name of the company in addition to a space to write the date when the record is generated. It is recommended to include the address if there are multiple operational sites within the same company.

There are different types of documents that serve as support to the operations:

  1. Program: A written document indicating how a business will execute its activities. When it comes to the food industry, this is a written document that indicates how quality, food safety and business activities are controlled.
  2. Procedures: General actions conducted in a certain order. Standard Operational Procedures (SOPs) allow the employee to know what to do in general. For example, a truck receiving procedure only tells the employee what the expected conditions are when receiving a truck (cleanliness, temperature, etc.). However, it doesn’t tell the employee how to look for the expected conditions at the time of the truck arrival.
  3. Work Instructions: Detailed actions conducted in a certain order. For example, truck inspection work instruction tells the employee what steps are to be followed to perform the inspection.
  4. Forms: Documents used to record activities being performed. 
  5. Work Aids: Documents that provide additional information that is important to perform the job and can be used as a quick reference when performing the required activities within the job.

The inspectors and auditors base their role on the following saying: “Say what you do. Do what you say. Prove it!” The programs say what the company does. The procedures, work instructions and work aids provide information on implementation (do what you say), and the forms become records that are evidence (prove it) that the company is following its own written processes.

Regulatory requirements for cannabis vary from state to state. In general, an inspector may ask a cannabis business to provide the following documentation during an inspection:

  1. Business License(s)
  2. Product Traceability Programs and Documents
  3. Product Testing (Certificate of Analysis – COAs)
  4. Certification Documents (applicable mainly to cannabis testing labs)
  5. Proof of Destruction (if product needs to be destroyed due to non-compliance)
  6. Training Documents (competency evidence)
  7. Security Programs

As different states legalize cannabis, new regulatory requirements are being developed and modeled after the pharma, agriculture and food industries. In addition, standards will be in place that will provide more consistency to industry practices at a global level. The pharma, agriculture and food industries base their operations and product safety on programs such as cGMPs, GAPs, HACCP-based Food Safety Management Systems and Quality Management Systems. Documents required during an inspection or audit are related to:

  1. Good Agricultural Practices (GAPs)
  2. Current Good Manufacturing Practices (cGMPs)
  3. Food Safety Plan Documents
  4. Ingredient and Processing Aids Receiving
  5. Ingredient and Processing Aids Storage
  6. Operational Programs (Product Processing)
  7. Final Product Storage
  8. Final Product Transportation
  9. Defense Program
  10. Traceability Program
  11. Training Program
  12. Document Management Program

In the always evolving cannabis industry, are you prepared to face document requirements now and in the future?


Hazard Analysis and Critical Control Points (HACCP) for the Cannabis Industry: Part 4

By Kathy Knutson, Ph.D.

In Part 3 of this series on HACCP, Critical Control Points (CCPs), validation of CCPs and monitoring of CCPs were defined. When a HACCP plan identifies the correct CCP, validates the CCP as controlling the hazard and monitors the CCP, a potential hazard is controlled in the manufacturing and packaging of cannabis-infused edibles. The food industry is big on documentation. If it’s not documented, it did not happen. The written hazard analysis, validation study and monitoring of CCPs create necessary records. It is these records that will prove to a customer, auditor or inspector that the edible is safe. Here in Part 4, more recordkeeping is added on for deviation from a CCP, verification and a recall plan. 

Take Corrective Action When There Is a Deviation from a Critical Control Point

Your food safety team conducts a hazard analysis, identifies CCPs and decides on monitoring devices, frequency and who is responsible for monitoring. You create an electronic or paper record of the monitoring for every batch of edible to document critical limits were met. Despite all your good efforts, something goes wrong. Maybe you lose power. Maybe the equipment jams. Nothing is perfect when dealing with ingredients, equipment and personnel. Poop happens. Because you are prepared before the deviation, your employees know what to do. With proper training, the line worker knows what to do with the equipment, the in-process product and who to inform. In most cases the product is put on hold for evaluation, and the equipment is fixed to keep running. The choices for the product include release, rework or destroy. Every action taken needs to be recorded on a corrective action form and documents attached to demonstrate the fate of the product on hold. All the product from the batch must be accounted for through documentation. If the batch size is 100 lb, then the fate of 100 lb must be documented.

Verify Critical Control Points Are Monitored and Effective

First, verification and validation are frequently confused by the best of food safety managers. Validation was discussed as part of determining CCPs in Part 3. Validation proves that following a CCP is the right method for safety. I call validation “one and done.” Validation is done once for a CCP, while verification is ongoing at a CCP. For example, the time and temperature for effective milk pasteurization are very well known, and dairies refer to the FDA Pasteurized Milk Ordinance. Dairies do not have to prove over and over that a combination of time and temperature is effective (validation), because that has been proven.

A CCP is monitored to prove the safety parameters are met. Pasteurization is an example of the most commonly monitored parameters of time and temperature. At a kill step like pasteurization, the employee at that station is responsible for accurate monitoring of time and temperature. The company managers and owners should feel confident that CCPs have been identified and data are being recorded to prove safety. Verification is not done by the employee at the station but by a supervisor or manager. The employee at the station is probably not a member of the food safety team that wrote the HACCP plan, but the supervisor or manager that performs verification may be. Verification is proving that what was decided by the food safety team is actually implemented and consistently done.

Verification is abundant and can be very simple. First, every record associated with a CCP is reviewed by a supervisor or manager, i.e. someone who did not create the record. This can be a simple initial and date at the bottom of the record. Every corrective action form with its associated evaluation is verified in the same way. When HACCP plans are reviewed, that is verification. Verification activities include 1) testing the concentration of a sanitizer, 2) reviewing Certificates of Analysis from suppliers, 3) a review of the packaging label and 4) all chemical and microbiological testing of ingredients and product. The HACCP plan identifies CCPs. Verification confirms that implementation is running according to the plan.

Verification is like a parent who tells their child to clean their room. The child walks to their room and later emerges to state that the room is clean. The parent can believe the word of the child, if the child has been properly trained and has a history of successfully cleaning their room. At some frequency determined by the parent, the room will get a parental visual check. This is verification. In the food industry, CCP monitoring records and corrective action must be reviewed within seven days after the record is created and preferably before the food leaves the facility. Other verification activities are done in a timely manner as determined by the company.

Product recalls due to manufacturing errors in sanitation cause mistrust among consumers.

Write a Recall Plan

In the food industry, auditors and FDA inspectors require a written recall plan. Mock recalls are recommended and always provide learning and improvement to systems. Imagine your edible product contains sugar, and your sugar supplier notifies you that the sugar is recalled due to glass pieces. Since you are starting with the supplier, that is one step back. Your documentation of ingredients includes lot numbers, dates and quantity of sugar. You keep good records and they show you exactly how much of the recalled lot was received. Next you gather your batch records. Batches with the recalled sugar are identified, and the total amount of recalled sugar is reconciled. You label every batch of your edible with a lot code, and you identify the amount of each affected lot and the customer. You have a press release template in which you add the specific information about the recall and affected lots. You notify every customer where the affected edible was shipped with a plan to return or destroy the edible. When you notify your customers, you go one step forward.

How would your company do in this situation? I have witnessed the difficulties a company faces in a recall when I was brought in to investigate the source of a pathogen. Food safety people in my workshops who have worked through a recall tell me that it was the worst time of their life. I encourage you to do as much as you can to prepare for a recall. Here are two good resources:



Audit Finds Oregon Lacking Regulatory Oversight and Proper Security

By Aaron G. Biros

Last week, Oregon Secretary of State Dennis Richardson published his office’s audit of the Oregon Liquor Control Commission (OLCC). The audit uncovered a number of inadequacies with the regulatory agency, most notably the problems with its tracking system, designed to prevent cannabis from being sold on the black market.

The report highlights the need for Oregon to implement a more robust tracking system, citing reliance on self-reporting, overall poor data quality and allowing untracked inventory for newly licensed businesses. The audit also found an insufficient number of inspectors and unresolved security issues. According to The Oregonian, the OLCC only has 18 inspectors, roughly one for every 83 licensed businesses.

Auditors also found inadequacies in the application system, saying the OLCC doesn’t monitor third-party service providers and doesn’t have a process in place for reconciling data between the licensing and tracking systems. The audit found there is a risk that decisions made for the program could be based on unreliable data. It also found a risk of unauthorized access to the systems, due to a lack of user account management.

Oregon Secretary of State Dennis Richardson

This audit’s publication is very timely, most notably because U.S. Attorney Billy Williams, who called Oregon’s black market problem “formidable,” convened a summit this week to examine how Oregon can prevent cannabis being exported to other states. According to The Oregonian, Williams said Oregon has an “identifiable and formidable overproduction and diversion problem.” The audit’s findings highlighting security issues are also very timely, given that in the same week, Oregon’s neighbor to the north, Washington, experienced a security breach in its own tracking system.

The problems with the Oregon tracking system’s security features are numerous, the audit says. Auditors found that the OLCC lacks a good security plan, IT assets aren’t tracked well, there are no processes to determine vulnerabilities, servers and workstations are not using supported operating systems and antivirus solutions are not appropriately managed. “Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets,” reads the report’s summary.

The audit proposes 17 recommendations for the state to bolster its regulatory oversight. Those recommendations intend to address undetected compliance violations, weaknesses in application management, IT security weaknesses and weaknesses in disaster recovery and media backup testing. You can read the full audit here.