It goes without saying that if you operate a food business whether as a manufacturer, processor importer or exporter (together as regulated parties), you are legally responsible for making sure that the food you sell is safe to consume and meets Canadian requirements. Maintaining compliance with regulations helps to ensure safety and quality throughout the food system with inspections being integral to enforcing food safety practices. One type of inspection that food businesses need a thorough understanding of is the Preventive Control Plan Inspection.

To serve as background, Safe Food for Canadians Regulations (SFCR) came into force in 2019 requiring regulated parties to have and maintain Preventive Control Plans (PCP), with some exceptions for instance, with micro businesses that have less than $100K in sales.  A PCP demonstrates how hazards and risks to food are addressed. This is achieved by formally identifying, documenting, developing, and implementing steps for managing food safety risks during the manufacturing, preparing, storing, packaging, and labelling of a food commodity.

In tandem with SFCR coming into force, the CFIA also commenced Preventive Control Plan inspections and first focused their efforts on businesses handling high risk products. The level of risk was determined based on CFIA’s assessment which included among other factors, the category of the food in question, and volume of the food being handled.

When it comes to an inspection, the onus is on regulated parties to have a thorough understanding of its responsibilities as they relate to their specific operations and food commodities, and to know what is expected from inspectors at the time of CFIA PCP Inspection audits. It is also important for regulated parties to understand that Safe Food for Canadians Regulations are stated in broad terms with respects to the outcome that CFIA requires. It is up to the regulated party to develop the details in their PCP to meet those outcomes.

Preventive Control Inspections

When carrying out inspections, CFIA inspectors follow the “Standard Inspection Process (SIP) under CFIA Food Inspection Guidance for the Inspectors”, a guidance document developed by CFIA. SIP inspections are broken down into three types: Systems-based Preventive Control Inspection; Sample Collection; and Commodity Inspections.

A systems-based Preventive Control Inspection evaluates a regulated party’s preventive controls to assess whether it achieves compliance with regulatory requirements. During a Preventive Controls inspection, there are four factors that inspectors evaluate. They are Deviations, Non-compliance, Hazard, and Risk. Once again, in this article, we examine the difference between a Deviation and Non-compliance, and address Hazard versus Risk in a separate article.

Deviation Vs. Non-compliance

At first glance, the terms can appear to refer to the same unfavourable outcome, and as well often times are used interchangeably by regulated parties. However, they are very different, and it is important to know these differences when required for corrective actions.

CFIA defines “Deviation” as “A disparity between the regulated party’s established preventive control plan (PCP) and the implementation of that preventive control plan.”, and “Non-compliance” as “A legal contravention of the applicable Acts and/or Regulations.”

To illustrate this through a simple hand washing example, if a requirement in a Standard Operating Procedure (SOP) developed by the regulated party requires handwashing with soap and water, a Deviation would be washing hands without the use of soap. Non-compliance on the other hand would mean not having a cleaning and sanitation protocol in the PCP as per the SFCR requirements.

It is important for regulated parties to clearly understand the broad intent of the SCFR regulations, what they imply and accordingly what is required from them. For example, if we further unpack the above CFIA definition, we can infer the following:

CFIA expects regulated parties not only to establish a compliant PCP, but to implement it “accordingly”.

What this implies: Since sufficient information, instructions and time has already been provided to the public, it is the regulated parties’ full responsibility to understand and become knowledgeable (or hire knowledgeable regulatory experts) of the regulations as they apply to their operations. This includes the preparation of resources and infrastructure required for establishing and implementing a customized and efficient PCP, and reassessments annually or upon significant changes, and records maintenance for prescribed timeframes as compliance evidence supporting regulations.

Regulated parties are obliged to follow the procedures they establish for their own operations.

What this implies: CFIA Inspectors considers PCP procedures and documentation as internal standards developed by the regulated parties. As such the parties are expected to be able to explain the actions taken towards managing the compliance of operations on an ongoing basis. Gaps identified between a procedure and the related practice in action are considered as deviations from an internal standard in which case must be addressed though implementation of an effective Corrective Action and Preventive Action (CAPA) plan. The CAPA is a requirement to be provided to Inspectors within a prescribed timetable.

This point further emphasizes the importance of establishing a customized and efficient PCP to ensure that the procedures neither omit any critical operational considerations, nor create unnecessary obligations to the operations whereby an operator obligates themselves to follow when there may be no real need for it.

There is a reason for choosing the term “Disparity” as the sign for a gap to be identified as a deviation.

What this implies: Risk-based thinking is an inseparable part of compliance verification practices. Although all gaps must be considered, priority must first be given to gaps which can cause significant impacts on system integrity.  As such, prioritization is embedded in the term “Disparity” which means “great difference”; in other words, CFIA Inspectors take a risk-based approach to the gaps they identify during an inspection and assess whether a gap should be treated as a disparity.

It is equally important for the regulated parties to understand the importance of risk-based approach used by CFIA inspection. Taking into consideration that resources are limited for regulated parties and need to be allocated accordingly, risk assessment must become a routine skill across different parts of the operation and then to give priority to critical compliance gaps.

There are potential gaps in food operations which are considered as serious as violating a law.

What this implies: Regulated parties need to be aware that the CFIA categorizes and treats Non-compliance differently than Deviations. When there is objective evidence that a clause of the SFC has been violated by a regulated party, inspectors must officially identify the non-compliance type, determine the severity of consequences, determine the likelihood of occurrence, categorize the non-compliance, and ultimately determine a timeframe for regulated party to complete corrective actions.

Non-compliance triggers enforcement.

What this implies: As per “Standard Inspection Process” subsection, “Anything that is not in compliance with regulations may be subject to enforcement by CFIA. The enforcement response is initiated when non-compliance occurs.” This subsection refers the inspectors to a prescribed “Standard Regulatory Response Process” which outlines the steps taken in response to the non-compliance.