Part II Appendices3.7.2Where a non-conformity places the safety, authenticity or legality of a product at risk, or
3.11 Management of incidents, product withdrawal and product recall
The company shall have a plan and system in place to manage incidents effectively and enable the withdrawal and recall of products should this be required.
Interpretation
Incidents are events that may result in the production of unsafe, illegal, non-conforming product or products that are not authentic, and risks to consumer safety. An emergency situation may also occur as a result of a sudden, unforeseen crisis that requires immediate action. An effective emergency plan must be in place so that if at any stage an incident occurs that impacts food safety, authenticity, legality or quality, it will be managed effectively.
The incident may be directly related to the product, the disruption of key services such as power and water, or environmental influences such as fire or flood.
The plan must be understood by relevant staff and must be routinely tested so that it can readily be put into practice, as incidents occur when least expected. The importance of a tried and tested procedure, ensuring that personnel know who does what and when, cannot be underestimated.
Clause Requirements
3.11.1 The company shall have procedures designed to report and effectively manage incidents and potential emergency situations that impact food safety, authenticity, legality or quality. This shall include consideration of contingency plans to maintain product safety, authenticity, legality and quality. Incidents may include:
• disruption to key services such as water, energy, transport, refrigeration processes, staff availability and communications
• events such as fire, flood or natural disaster
• malicious contamination or sabotage
• product contamination indicating a product may be unsafe or illegal
• failure of, or attacks against, digital cyber-security.
Where products which have been released from the site may be affected by an incident, consideration shall be given to the need to withdraw or recall products.
Interpretation Documented incident and emergency procedures
In the event of an incident or emergency situation, the company must be ready to instigate actions as promptly and efficiently as possible. Therefore the site must have a documented incident management plan. The objective of the plan must be to minimise risk to consumers and potential disruption to business. Systems must be in place and used to ensure that
Part II Appendic es
Interpretation
continued information is collated and quickly assessed by staff who understand its significance and who can develop an appropriate action plan. The site might establish a crisis management plan that could address the points listed here, and any additional risks which are outside the scope of the Standard.
A documented incident management procedure is required. Although it may not be possible to detail exactly what action will be taken, as this will depend on individual circumstances, the company should consider:
• standard responses to a range of potential disasters, such as fire, flood or the loss of essential services
• the provision of alternative resources for energy, water, transport and any potential options for subcontracting production
• how to handle acts of potential malicious contamination or extortion
• management of unsafe or illegal products; for example, due to contamination or authenticity concerns
• details of staff responsibilities, including which staff are authorised and responsible for making decisions relating to non-conforming products. The number of incident management team members should be appropriate for the size of the business
• a plan to handle the logistics of product traceability and the recovery or disposal of affected product and stock reconciliation (i.e. comparing the amount of implicated product with the amounts known to have been destroyed, returned or retained in storage)
• methods to communicate with key contacts, both internal and external, such as telephone and email contact details (including office hours and out-of-hours details)
• the communication process, and the way in which enquiries from customers and the media are handled (this can be critical to the effective management of the situation and ultimate business recovery)
• corrective action that needs to be taken before production can recommence
• root cause analysis and preventive actions. Sites should reference their root cause procedure (clause 3.7.1), so that relevant preventive actions can be completed
• procedures to withdraw or recall affected products.
These details must be kept up to date by periodic verification. Customers and suppliers may need to be involved in the development of documented procedures as they may have their own requirements for crisis planning.
With more data being stored digitally and in cloud services, the site needs to be aware that such data is valuable to those who might extort or blackmail companies. Even though cloud services can be relatively secure, digital attacks and failures of systems pose a significant risk and the site needs to ensure that digital data is secure by using, for example, password protection, anti-virus software, firewalls and/or data backup systems.
Some organisations have published advice on cyber-security; for example, the National Cyber Security Centre’s 10 Steps to Cyber Security.
Good practice following an actual recall is to assess the effectiveness of the plan to identify and implement any appropriate learning or improvements. This process can form part of the evidence of compliance with clause 3.11.3.
3.11.2 The company shall have a documented product withdrawal and recall procedure. This shall include, at a minimum:
• identification of key personnel constituting the recall management team, with clearly identified responsibilities
• guidelines for deciding whether a product needs to be recalled or withdrawn and the records to be maintained
• an up-to-date list of key contacts (including out-of-hours contact details) or reference to the location of such a list (e.g. recall management team, emergency services, suppliers, customers, certification body, regulatory authority)
• a communication plan including the provision of information to customers, consumers and regulatory authorities in a timely manner
• details of external agencies providing advice and support as necessary (e.g. specialist laboratories, regulatory authority and legal expertise)
• a plan to handle the logistics of product traceability, recovery or disposal of affected product, and stock reconciliation
• a plan to record timings of key activities
• a plan to conduct root cause analysis and to implement ongoing improvements, to avoid recurrence.
The procedure shall be capable of being operated at any time.
Interpretation Documented withdrawal and recall procedure
A product recall is defined as any activity that involves the return of an unfit product from customers and final consumers, whereas a withdrawal is the return of out-of-specification or unfit products from customers, but not from final consumers (see glossary for full definitions).
The site must have a documented recall and withdrawal procedure. At a minimum, it must include:
• details of the recall management team members, including their roles, responsibilities and contact details. In larger businesses the recall team will involve head office personnel and it may be run from the head office. In this case the links between the production-site management and the recall team need to be clear
• guidelines for deciding whether a product needs to be recalled or withdrawn and the records to be maintained. Although causes for recall are often unpredictable, defined responses to known risks (e.g. identification of pathogens in routine product sampling) could be documented
• an up-to-date list of key contacts (e.g. recall management team, suppliers, customers, the certification body and regulatory authorities). A recall may occur at any time; therefore office hours and out-of-hours contact details must be provided
• a communication plan including the provision of information to customers, consumers and regulatory authorities in a timely manner. The communication process and the way in which enquiries from customers and the media are handled can be critical to the effective management of the situation and ultimate business recovery. The use of professional resources to assist in communication management may sometimes be advisable
• details of external agencies providing advice and support as necessary (e.g. specialist laboratories, regulatory authorities and legal expertise)
• a plan to handle the logistics of product traceability, recovery or disposal of affected product and stock reconciliation
Part II Appendic es
Interpretation
continued • a log of activities created as the event unfolds and real-time observations, which could, for example, be used in discussions with customers or regulatory authorities. This may be valuable during a post-incident review to consider improvements to incident management processes
• reference to the root cause analysis procedure, so that relevant preventive actions can be introduced.
In the event of a product recall, it is obviously important that actions are completed in a timely fashion. Therefore, the aim of noting key times in the plan is to ensure that this will happen during both tests of the system and during any actual incident. There are various times that should be recorded, including:
• when the incident or test started
• times of internal communications and key decisions
• when traceability and mass balance exercises were started and completed
• communication to customers or regulatory authorities.
3.11.3 The incident management procedures (including those for product recall and withdrawal) shall be tested, at least annually, in a way that ensures their effective operation. Results of the test shall be retained and shall include timings of key activities. The results of the test and of any actual recall shall be used to review the procedure and implement improvements as necessary.
Interpretation Tests of the withdrawal and recall procedures
The incident management procedure must be tested at least annually. This test must include a test of the product withdrawal and recall processes which form part of the incident
management procedure.
It should be emphasised that traceability is only part of this procedure and therefore a repeat test of the traceability will not, on its own, be sufficient to demonstrate that the site is meeting this requirement. The aims of testing the full procedure are to:
• demonstrate that the system works
• highlight any gaps and where the system requires improvement
• demonstrate how quickly the required information can be collated, and thereby corrective action taken, such as materials being isolated and quarantined
• act as a training exercise for personnel to ensure that clear roles and responsibilities are undertaken in the event of a real withdrawal situation.
The test of the recall and withdrawal procedure must include verification of the decision- making process, traceability of raw materials through to finished product, verification of contacts, and timings of key activities.
Records must be kept of tests of the recall and withdrawal procedure and must include a review of the result of the test and any action taken for improvement.
If the site has had an actual withdrawal or recall which fully tested its recall procedures, then this would be a substitute for a recall test as long as records are maintained, an analysis of the effectiveness of the recall procedure is carried out, and any areas for improvement are identified and acted upon.
In larger businesses the recall team may involve head office personnel and the test may be run from the head office. In this case the links between the production site management and the head office recall team need to be clear.
3.11.4 In the event of a significant food safety, authenticity or legality incident, including a product recall, regulatory food safety non-conformity (e.g. a regulatory enforcement notice) or food safety-related withdrawal, the certification body issuing the current certificate for the site against this Standard shall be notified within 3 working days.
The company shall then provide sufficient information to enable the certification body to assess any effects of the incident on the ongoing validity of the current certificate within 21 calendar days. As a minimum, this shall include corrective action, root cause analysis and a preventive action plan.
Interpretation Notification of recalls to the certification body
Where there is a significant incident related to product safety, authenticity or legality the site manufacturing or processing the implicated product is required to notify their certification body of the situation. The types of situation that should be notified include:
• all product recalls
• any situation where the regulatory authority insists on action (e.g. an enforcement notice) due to product safety or legality concerns
• legal proceedings with respect to product safety or legality
• adverse media attention relating to product safety
• any food safety incident with the potential to harm a consumer
• any food safety-related product withdrawal (it is worth noting that only product safety- related withdrawals need to be notified to the certification body; other types of product withdrawal, such as those related to product quality, do not need to be notified).
The aim of this notification is to ensure that the integrity of the certificate is maintained by allowing the certification body to assess whether the incident affects the certification status of the site.
It is important that action is taken in a timely manner; therefore this initial notification, that a notifiable incident has occurred, must be completed within 3 working days of the recall or other action taking place.
The company must also provide sufficient information to enable the certification body to assess any effects of the incident on the ongoing validity of the current certificate.
Therefore, as a minimum, the company must forward copies of its corrective action, root cause analysis and preventive action plan. Note that this additional information may take some time to collate and evaluate prior to communication to the certification body, especially in the case of a complex incident. Therefore, it is not expected that this will be available at the time of the initial notification, but may be submitted to the certification body at a later date. It must, however, be submitted within 21 days of the incident.
Where appropriate, the certification body can request further information or conduct a full or partial re-audit of the site to confirm certification.