Following the launch of our new Risk Assessment Modelling feature (RAM), which now allows you to build any number or type of risk assessments in the Safefood 360° platform, we are delighted to explain a little more about how it can assist you in risk assessing non-HACCP type processes, such as management and PRP’s.
In any food safety management system, there are three main pillars:
- Pre-requisite Programs – the basic requirements for safe food production, e.g., cleaning, training, etc.
- Management Systems – the high-level management processes, which in themselves do not impact directly on food safety, but they are important in ensuring that the business and operational environment is sufficient to produce safe food, e.g., customer complaints management, internal auditing, management review, etc.
- Risk Management Systems – such as HACCP, Preventive Control Plans, VA’s, etc.
All three are required for effective food safety management, and all contribute in some way to the level of risk associated with producing safe food.
The Evolution of Risk Assessment
Traditionally, risk assessment as a tool was confined to the risk management aspect of the total food safety system.
In recent years, however, the requirement to conduct risk assessment has expanded beyond this to other areas.
For example, many of the GFSI standards now require risk assessment to be conducted on calibration programs.
What has risk got to do with a calibration program you may ask? Surprisingly, a lot!
Let’s take for example a CCP such as cooking.
We have a thermal kill step which is designed to eliminate a pathogenic hazard such as Salmonella.
As part of HACCP, we are required to define critical limits for time and temperature, in this case, and monitoring each cooking batch or continuous process (usually the core product temperature).
For this, we use a thermograph, which plots time versus temperature, to allow us to determine if the critical limits are being met.
If not, we can then take corrective action. We will all be familiar with this approach. It is logical, practical, and achieves the desired result of a safe food product.
Risk assessment, in this case, was used effectively to identify the hazard at a specific process step, the CCP and all the related limits and actions.
However, underlying all of this is an important omission!
We are using a measuring device to achieve all this (thermograph).
We are, at all times, working on an assumption that when this device says we achieved 72°C for 2 minutes that we have in fact achieved this.
The whole critical control framework is dependent on an assumption – that the device is calibrated. No matter how well we risk assess and plan around the CCP, if the device is providing inaccurate data then we are not in a good place.
This brings us to calibration then.
We recognize that the supporting calibration program is essential in the control of the CCP.
The CCP is only as strong as the calibration program behind it.
We may say without any further analysis that the calibration program is by definition high risk.
But this is not sufficient.
We must now, as part of modern food safety management, subject this and all calibration programs to a smart risk assessment, document it, and explain our logic.
This is a shift for many food businesses.
However, as we will soon discover, our traditional understanding and approach to risk assessment used for HACCP in the past appears to break down when we try to apply its systems, such as calibration and auditing.
The question is why?
Let’s focus a little on Internal Auditing.
This is a core management process and essential for good food safety management.
Nothing new in this.
However, not all auditing activities are equal.
Not all are as critical or high risk in terms of food safety.
Like calibration and our thermograph, not all auditing activities play the same role in food safety, and we must apply risk assessment to figure out which are more important.
Under GFSI and other standards, you are required to develop an internal audit program based on risk or risk assessment.
If we take that your audit program includes an audit of your HACCP plan (a full check that the HACCP system was developed against the requirements and is being effectively implemented), you may also have another separate audit program which checks that the office supplies procedure is being followed.
Clearly, these are two very different audits and both carry very different risks.
But what exactly are we risk assessing?
Unlike HACCP we do not have a clear ‘hazard’ to assess.
We can say for an auditing activity that a specific hazard, such as Salmonella, is the issue. We start to see the traditional approach breaking down.
Failure Mode Effect Analysis (FMEA)
When it comes to programs and systems like auditing and calibration, we need to change our focus as we are not looking at the risk posed by a specific food safety hazard.
Instead, we are looking at the risk posed by a failure of the activity, e.g., the likelihood that the audit may not be carried out, or carried out poorly, and what would the adverse outcome of this be, e.g., a recall, food safety issue, or so on.
This, essentially, is the Failure Mode Effect Analysis (FMEA) approach, which is widely used in emerging companies to identify specific failures in machine and process that may lead to down time, rejects, poor efficiency and quality.
HACCP was initially based on this model but shifted away from this core nature of FMEA.
Now, it has come full circle and we are returning to these principles.
We can now ask what is the possibility that a certain audit program could ‘fail’ (probability), and if it was to fail, what would the adverse outcome (severity) be.
We are looking more at the nature of an activity rather than a specific hazard.
SF360° and RAM
One of the core strengths of SF360° is now you can risk assess any program or activity in your food safety system – not just HACCP – under the new RAM feature when you are now building your programs for auditing, calibration, pest control, maintenance, cleaning – everything.
This is important since all Food Safety Management Systems should be Risk-based.
All Food Safety Management Systems should be Risk-based
For this to happen we need to conduct risk assessment.
If your entire food safety system is risk-based, it can open up for you a whole new level of control and oversight.
It can allow you to focus your system on where it matters, and in Safefood 360 we do this perfectly.
I am going to provide you with an example of how the new RAM works for internal auditing programs.
Let me set the scene for you.
- You are food business certified under a GFSI standard.
- You are required to have an internal audit program covering the requirement of the standard, which is based on an assessment of risk.
- The risk should determine how often or frequently you audit specific audit tasks.
Safefood 360° allows you to develop a specific risk assessment model for Auditing in this case.
We will use a simple 3×3 matrix for this one – probability x severity. But how does this look? Below is an example of how the model can be defined for auditing.
Here, we have a 3×3 matrix based on probability and severity.
In order to effectively use this matrix, the assessor must predefine what each rating value represents.
Below is a typical example.
In this model, probability is looking at the likelihood that the activity being audited, e.g., HACCP, will fail.
When we say fail we mean that the elements of the HACCP system do not operate or are unfulfilled in some way.
We can see, for example, that value 3 for probability states: “Failure of the activity being audited is likely to happen often or frequently. This approach makes the job of the assessor much more focused and objective.
|Failure of the activity being audited is likely to happen, often, frequent||Failure of the activity being audited is likely to lead to an immediate / grave health impact, recall or regulatory issue|
|Failure of the activity being audited can happen, but not frequent||Failure of the activity being audited is unlikely to pose an immediate / grave risk to the consumer but repeated failure over time may|
|Failure of the activity being audited is unlikely to happen, rare, remote||Failure of the activity being audited is unlikely pose an immediate / grave risk to the consumer|
The key element of the risk model is that the decision outcomes or control are applied.
In this case, if we obtain a high-risk rating, then we must audit the activity at a frequent level, e.g., every 3 months.
Lower risk activities are audited less frequently. This is consistent with the requirements of GFSI standards, e.g., the BRC.
|Audit the activity at a frequent level – minimum every 3 months|
|Audit the activity at a reduced level – minimum every 6 months|
|Audit the activity at a minimum level – minimum every 12 months|
In Safefood 360°’s new RAM model, the above RA model can be built quickly and easily.
In the model building section of the Risk module, you can define this as follows:
Both the Probability and Severity ratings are defined in a grid with the associated values. Following this, the risk ranges or categories can be defined in the software.
The user can define any number of risk ranges or categories, e.g., Cat 1 Risk, Cat 2 Risk, etc., instead of the traditional High, Medium, or Low.
You can also color code the risk and define the required control or decision to be made once the risk has been obtained.
The user can also define if the risk is significant or non-significant.
Once the model is defined, it can be applied to the standard workflow for setting up an audit program or activity.
For example, if you are creating an audit program for HACCP or PCP, you can then conduct a risk assessment of the program based on the model.
Above, we can see that this auditing activity, looking at HACCP, has been assessed as Medium Risk, and therefore, the audit frequency has been set at 6-monthly intervals.
The new RAM feature in SF360° allows you to risk assess every activity in your Food Safety and Quality Management System and, therefore, to build a truly risk-based system.
It’s simple and easy and we are here to assist you getting it set up.