Certifications recognized by the Global Food Safety Initiative (GFSI) are virtually a requirement for doing business in the food industry today. Almost every aspect of the food chain now has a specific set of standards that apply. Whether your organization is beginning the certification journey or considering a different certification, these eight steps can help you prepare for becoming GFSI-certified.
What Is GFSI Certification?
GFSI is an international collaboration of food industry experts that recognizes several benchmarked food safety standards worldwide. GFSI-recognized standards are a measuring stick for Food Safety Management Systems.
Standards like BRC, FSSC 22000, SQF, IFS, Primus GFS, Global Aquaculture Alliance, Global GAP, Canada GAP, and GRMS each hold equal weight under GFSI. Your customers are required to accept any GFSI-recognized standard because they all fall under the GFSI umbrella.
Once you are certified to any of these standards, everyone will know that you have the systems in place to produce a safe, legal and high-quality product.
Step 1: Choose a Standard
Because there are many accepted GFSI standards, you should choose the standard that works best for you, based on the products handled and the processes conducted at your facility (agriculture, food manufacturing, packaging manufacturing, or storage and distribution, etc.).
The website myGFSI.com is an excellent resource to help you understand which standards are available based on your product and process. (Note about terminology: What we in the US call a “standard” is referred to on the GFSI website as a “scheme.” Don’t be confused: Standard and scheme are synonyms.)
The GFSI website walks you through the standards and how to choose the right one for you. If you have key customers with a strong preference for one standard, you should still examine the different standards to identify which will work for you. In the end, which standard to apply is a business decision, with a number of factors to consider.
Although the various GFSI standards have differences, they have similar basic requirements:
- Management commitment: Because there are financial and human resources costs to support certification, management commitment is critical.
- Prerequisite programs as the framework to providing a safe and legal product: Although you may already have food safety programs in place, GFSI standards require you to verify and in some cases validate that each program is working effectively.
- CODEX-based HACCP plan, HARP-C, Hazard and Risk Analysis, or Food Safety Plan: All standards have a section on risk identification and management. Because GFSI-approved standards are globally accepted, the foundation for risk management is the science-based CODEX HACCP (Hazard Analysis and Critical Control Points) system, focusing on prevention rather than on end-product testing.
- Standards for food safety and legality: Most also cover quality.
- Systems-based audits: GFSI-based audits look at the entire system, including:
- Process steps
- Inputs (like specifications and customer requirements)
- Outputs (finished products)
- People with competency
- Materials/equipment that are defined and maintained
- Methods (procedures)
- Measurements, such as monitoring, verification and validation
The full-system aspect of GFSI-certification audits is one of the biggest differences from typical customer audits or GMP inspections, which tend to look at a few specific areas. Another difference is that the certification auditors are experts in the industry. They have to qualify to the categories that they audit. Therefore, expect an auditor who knows a bit about the business and who knows the standard.
Step 2: Study the Standard
Once you decide on a standard, purchase a copy via the standard owner’s website and study it carefully.
The keys to knowing your standard are interpretation and intent. If the chosen standard offers a separate interpretational guideline, obtain that too, as it can be helpful to understanding the intent of the standard.
Some standards are prescriptive, explaining exactly what is needed in detail. Some are less specific. Either way, reading the standard can be scary because, chances are, you will see a lot of work to be done and changes to implement before you meet all requirements.
Step 3: Get Help
Getting a facility up to standard for certification requires significant time. There are two choices: Make time or hire time.
If you decide to make time, get training and use available tools. Courses are available for each standard to help you understand the requirements. All standards provide self-gap assessment tools to help you focus your efforts.
If you decide to hire time, interview consultants thoroughly to find one that knows your business, process, product, and your chosen standard. Consultants can work with your team, answer questions and do a gap assessment.
The gap assessment is critical to success because it is the road map to guide you toward certification. Whether conducted by an expert or done in-house, a gap assessment tells you what is working in your current system and what is missing to meet the standard. Having ISO 9001 certification or meeting another similar standard does not mean you can take shortcuts and immediately schedule a certification audit. The requirements and focus are very specific for GFSI certification.
Even if you have hired an expert, don’t expect to just walk away. Plan to be very involved; you will still be responsible for your systems and implementing the needed updates. Experts can provide you with guidance on where to focus and what needs to be done, but they cannot not do it all for you.
Step 4: Manage the Project
Getting all the processes, procedures and measurements in place to qualify for certification is no simple task.
Study the gap assessment to identify in detail what needs to happen next. Once you know where the gaps are, make a timeline and assign resources, as you would for any other large project.
The project will need a leader — a manager or outside consultant, depending on what resources you have. Regardless of which, this person must be able to hold people accountable and manage a timeline.
This is not the time to assign a “Quality Hero” to “make it all happen.” Every part of the organization is affected, so the project requires work assignments for everyone on the management team. It takes time and concentrated effort from a fully-engaged team to fill in the gaps.
Once you implement the required programs, you need a minimum of three months of auditable records for the certification audit. Collect records for a month on new programs, review what is working and adjust if needed.
Step 5: Choose a Certification Body
When you are ready for an audit, it is time to choose a certification body — an accredited company that has met the standard owner’s requirements and maintains a “stable” of qualified auditors.
The standard-owner’s website lists qualified certification bodies, grades them and provides contact information. Compare services, prices, availability for your location(s) and auditor availability, because they do vary.
Step 6: Schedule the Audit … Maybe
At this point, you have two choices: You can schedule a pre-assessment — an audit with just a list of non-conformances but no score — or you can schedule the actual certification audit.
A pre-assessment provides one last chance to check for readiness and tie up any loose ends. It’s important to do well on a certification audit because corrective action on audit findings is a requirement for certification. The last thing you want is a lot of findings requiring corrective action by a deadline. If you aren’t sure how well-prepared you are, the pre-assessment is a worthwhile option.
Step 7: Address All Findings
No one is perfect. Findings are normal and addressing them is customary. However, critical food safety or legality issues will result in not being certified. This does not happen often, and, when it does, it usually happens to facilities that don’t take the time to understand the standard and fully prepare for the audit. For those who prepare well, most findings are relatively minor.
Regardless of seriousness, any non-compliance findings must be addressed within a specified time limit. Although time allowed varies slightly from standard to standard, corrective action is required and non-negotiable. Depending on your chosen standard, you will have about 30 days to complete a root cause analysis (RCA) and take corrective action for each finding. No action = no certificate.
The auditor will review the submitted corrective action(s) to ensure you comply with the standard. Depending on your audit findings, the auditor may have to schedule a return visit to audit the corrective action taken to ensure compliance.
From that point, it will take some time for the Certification Body to go through their protocol before the certification process is complete.
Step 8: Maintain the program
Getting your certification is not a “one and done” situation. You are audited at least once every year to renew certification, which means maintaining your program to continue meeting the standard.
Keep two words in mind as you develop your systems: simple and practical. Keeping it simple means your systems meet the intent of the standard. Keeping it practical means putting systems in place that you can maintain day in and day out.
Maintaining your certification requires that you plan for continual improvement. The standards don’t stay the same, and your business changes too, so a practical program also includes ways to improve or change the system when needed.
Certification is a Never-Ending Journey
Preparing for GFSI certification is an on-going journey that takes planning, time and energy. GFSI certification is intended to benchmark the best in every industry, and as such it can benefit every organization that obtains a certification.