GFSI Certified. FSMA Compliant.

With the rules of the Food Safety Modernization Act (FSMA) still in the proposal stage, the call across the industry is to get certified to one of the several Global Food Safety Initiative (GFSI) scheme options, so you are ready when FSMA’s final rules are published. While there is no question that GFSI certification will help to drive food safety initiatives and processes toward FSMA compliance, it is important to understand that there are differences between GFSI and FSMA. Being GFSI certified does not mean that you can sit back and assume you have fulfilled all the rules of FSMA.

No two GFSI schemes or their requirements are exactly alike, however because they all are based on GFSI standards, some general comparisons can be made. Our assessments of several of the major GFSI schemes certainly indicate that the GFSI standards are very close to FSMA Preventive Control Rules. But there are differences for other rules and, in some cases, the GFSI schemes will be more prescriptive than the FSMA rules. However, in this article, we will be dealing with the areas in which FSMA is more specific, or just different, to help you understand areas where you may need to refocus initiatives or processes for regulatory compliance.
 

General Variation.

The key difference between GFSI standards and FSMA rules is FSMA’s focus on Hazard Analysis of Risk-based Preventive Controls (HARPC) vs. GFSI-focused HACCP. This is particularly applicable in the proposed Preventive Controls rule, which forms the basis of much of FSMA. Preventive Controls includes more than just CCPs as controls, but it only requires validation for CCPs.

To be certified to GFSI standards and meet FSMA requirements, you will need to:

• Double check timeframe requirements. For example, for monitoring, FSMA’s preventive control requirement mandates that you have enough monitoring to ensure that the preventive control rules are being met, with a reanalysis of your food safety plan conducted every three years. GFSI requires that the food safety plan be reviewed annually.
   
• Ensure you understand variation in terminology. For example, both FDA and GFSI include requirements for a “qualified individual.” Although the FDA definition is still pending and is rule-dependent, the terms are used for different requirements, so the requirements of “qualified” will vary as well. Other such concepts that can have varying definitions include hazards that are significant versus “reasonably likely to occur” (RLTO) and even the phrase “preventive controls.”
   
• Develop applicable supplier controls. These are not currently included in FSMA’s proposed Preventive Controls rule for humans, but we expect to see them this summer when some key provisions of the Preventive Controls rule will be released. GFSI does include prescriptive supplier control standards.
• Focus on two distinct areas of food defense. In GFSI, food defense takes on the traditional stance. In FSMA, the approach to food defense in the Focused Mitigation Strategies to Protect against Intentional Adulteration (aka Food Defense) proposed rule mimics the risk-based approach proposed for the Preventive Controls rule, even referring to it as a “HACCP-type system of controls.” Based on vulnerability assessments, identification of actionable process steps, and implementing focused mitigation strategies against intentional adulteration, the rule is geared toward large manufacturers (over $10m). This is because the goal of a terrorist is to “maximize public health harm,” and what better way to do this than through a large company and a well-known brand? Additionally, GFSI is currently working on a food fraud standard to focus on economic adulteration; FSMA’s proposed Food Defense rule is limited to acts intended to cause public harm; economic adulteration may wind up as part of Preventive Controls.
   

GFSI Scheme Variation.

In addition, there are scheme-specific differences. While scheme requirements sometimes exceed those of FSMA, you will want to ensure you haven’t unknowingly skipped over a FSMA requirement by simply following the GFSI scheme. A few examples of this are:

• Both SQF and FSMA require validation of process controls and a documented process for corrective action, but in both cases, the FDA requirements are greater. The proposed rule specifically requires an evaluation of the food in question and assurance that potentially contaminated food has not entered commerce. Additionally, the Preventive Controls rule is more specific on the frequency of verification activities and defines verification as including records review, calibration, and validation.
   
• BRC implies that some hazards are controlled through prerequisite programs. FDA follows the thinking that if a practice is necessary to control a specific hazard that is RTLO, that practice should be elevated to the status of a preventive control; FSSC 22000 refers to these as “operational PRPs.” However, FDA does not require that all preventive controls be validated.
   
• IFS requires that an approval and monitoring process be developed for all suppliers, foreign or domestic. FSMA’s proposed Foreign Supplier Verification Program rule focuses only on verification of foreign suppliers, however it is expected that in the final Preventive Controls rule, these will apply to domestic suppliers as well. Additionally, this FSMA process is more prescriptive than the IFS approach.
   

We could use this entire column to provide examples of areas in which GFSI and FSMA differ—with GFSI holding more robust standards in some areas and FSMA rules being more stringent in others. And we could take up another column (or perhaps an entire issue) to delineate areas in which the two are in sync. However, the purpose of this is not as much to be specific as it is to point out that GFSI and FSMA both have intensive food safety standards, but compliance with one does not ensure complete compliance with the other. Over time, we anticipate that the GFSI standards and schemes will be updated to at least require all the elements of FSMA that are relevant, and they may even go beyond that in certain areas, as they do now.

In short—If you are GFSI certified then you are in a good place with regard to FSMA, assuming you are following through on a daily basis. But, don’t rely on a GFSI certification to ensure FSMA compliance. Rather, understand the FSMA rules that apply to your business and your facilities, know where these diverge from the GFSI scheme to which you are certified, and make preparations now to implement those additional FSMA requirements, so you are ready when the final rules are issued.