FSSC Integrity Program Audit Data Summary & Auditor Database

Virtual Integrated Advanced management SYstems Solutions & Tools FSSC Integrity Program Audit Data Summary & Auditor Database CB instructions for use Introduction In the framework of the implementation of the FSSC 22000 integrity program, the FSSC Foundation partnered with ViaSyst to implement the FSSC 22000 audit data summary (or full report) & auditor database on the ViaSyst audit management platform. The ViaSyst platform is a fully dematerialized, web-based tool allowing CBs to manage audit reports, action plans & auditor experience & qualification by ensuring both consistency and time & costs saving. The ViaSyst platform supports audit reports for the major management systems standards: ISO 9001, ISO 14001, ISO (or FSSC) 22000, OHSAS 18001, ISO 27000. The new databases are directly linked, on the same server and accesses, with the existing certificate database launched in May 2012. All existing data will be kept. FSSC database implementation steps: 1. Certificate database: since 01.05.2012 a) Certificate database 2. Integrity program, KPIs & indicators: from 01.10.2014: b) Audit data summary c) Auditor database 3. Full audit report: open (available from 01.10.2014, but not required by FSSC) d) Full audit report database For the step 2, CBs will not be required to submit full audit report data on the database, but only an audit data summary. CBs will be free to submit the full audit report to their clients on the format they want. Nevertheless, CBs wishing to benefit the simplifications, advantages and savings brought by the full report will have the opportunity to use the ViaSyst platform to edit their full reports and share them with their clients. Interested CBs are invited to contact ViaSyst (info@viasyst.com) for more information and a free demonstration. Summary 1. Login... 2 2. Browse your CB Administrator homepage... 2 3. Personalise your application... 3 4. Add an auditor or a CB user... 4 5. Enter an FSSC Audit Data Summary (ADS)... 11 6. Edit / update a certificate... 24 7. Enter an FSSC full report... 27 1/27

NOTE: for further guidance and FAQs, please consult the online Instructions for use knowledge base: https://viasyst.net/node/18671 1. Login Use a compatible browser, i. e. Internet Explorer 7 or 8, Firefox 2 or 3, Chrome, Safari. Browse www.viasyst.net The following access page will appear: Enter the access codes you received and login. 2. Browse your CB Administrator homepage Study briefly the various options available behind the various menus of your CB administrator (or auditor) homepage. Come back to the homepage for the next step. 2/27

3. Personalise your application As a CB, you can personalise your environment by uploading your logo. Click on Admin on the menu bar on the top: Click on Edit on the right: Browse and upload your logo. NOTE: Maximum file size: 24 MB. Allowed extensions: png gif jpg jpeg Save and : YES! 3/27

4. Add an auditor or a CB user The CB Admin can create as much additional auditors (and/or CB users) as necessary, according to its organisation, responsibilities and authorities for entering and updating the FSSC database. Proceed according to the following steps. 4.1 Add Auditor Click on Auditors on the menu bar on the top of your Home page. Click on Add auditor on the right: Enter First name, Last name, and CB Auditor Number (allocated according the CB s own numbering system). NB: Choose the numbering system for the auditors that is convenient for you or just take over the one you already use. 4/27

Save 4.2 Edit & update the auditor qualification folder Select the auditor to update (by clicking on his/her CB auditor number on the link Auditor ) and click on FSSC qualification on the top right. Click on Edit on the top right to enter the general information related to the auditor. NOTE: the database checks automatically all obligatory fields and warns you about the missing information requested to save your data. 5/27

Enter all requested information and Save. Click on FSSC qualification on the top right to enter the granted specification: Click on «Edit»: Enter the granted 22003 scopes + the various dates (all required by FSSC) & Save 6/27

The FSSC 22000 requirements regarding auditor competence and training can be found in FSSC scheme document Part II, Appendix II A1, section 1 and 2, ISO 17021:2011 and ISO 22003:2007. First qualification of the auditor The first qualification of the auditor is a documented sign-off by the approved supervisor of the CB. This is the date on which all documents concerning the qualification of the auditor are reviewed and approved. In the first box date in the auditor database the following dates are entered: 1. Date of first approval of the auditor CV; 2. Date of first auditor qualification; 3. Date of successful completion of the qualifying training program; 4. Date of approval the audit log necessary for first qualification; 5. Date of the witness audit, necessary for first qualification. The first (qualification) date is the reference date and remains unchanged. The second box is called renewal date. This concerns the continuous monitoring of auditor qualification and competence by the CB Every time an aspect of the auditor competence or qualification is reviewed and approved the date of the approval is entered in the second box called renewal date. By tapping on the add another date button a new renewal date box is added to enter the new renewal date. Renewal date CV. ISO 17021:2011, clause 7.4, states that the certification body shall maintain up-to-date personnel records, including relevant qualifications, training, experience, affiliations, professional status, competence and any relevant consultancy services that may have been provided. The approved supervisor of the CB is responsible for assuring that the CV is kept up to date. The auditor CV has to be assessed and reviewed once every three years. The date on which this is done and approved is entered in the second box called renewal date. Renewal auditor qualification. FSSC 22000, Part II, appendix II A1, section 1, states that the competence of the auditor has to be re-established every three years. The approved supervisor of the CB is responsible to re-establish the auditor competence. The date on which this is done and approved (once every three years) is entered in the second box called renewal date. 7/27

Renewal auditor training log FSSC 22000-scheme document, Part II, Appendix II 1A, section 2, states that a training program for each auditor will incorporate: 1. A plan for continued training to keep the auditors up to date with the best practices and relevant regulatory and statutory developments in the sector(s) where they preform audits. 2. A written record of undertaken relevant training maintained by the auditor. The plan for continued training enables the auditor to maintain the knowledge necessary to stay qualified as a FSSC auditor. Continued training suggests a yearly training. This yearly training can be an official training course, but can also the auditor attending a case study meeting organized by the CB or attending a lecture or symposium. In practice the plan for continued training is an auditor-training log showing the training activities of the auditor during the year. The auditor has to maintain written record his/her training activities. The renewal date entered in the auditor database is the date on which the appointed supervisor has assessed and reviewed the training log (written record) of the auditor. This must be done every year. The date on which the appointed supervisor has reviewed and approved the training log of the auditor is entered in the second box called renewal date. Renewal auditor audit log FSSC 22000 scheme document, Part II, Appendix II 1A, section 2, states that in order to maintain category and scheme knowledge, auditors are required to carry out a minimum of 5 on-site GFSI recognized audits each year. The FSSC approved auditor has to maintain an audit log showing GFSI recognized he/she has conducted during the year. The approved supervisor of the CB is responsible to assess and review the auditor audit log. This is done once every year. The date on which this is reviewed and approved is entered in the second box called renewal date. Renewal witness audit ISO 17021:2011, clause 7.2.12, states that the performance of the auditor has to be assessed by periodically means of an onsite witness audit. The witness audit has to be done once every three years. The date on which this is done is entered in the second box called renewal date. NOTE: After completing the FSSC Auditor Register, you have to validate the auditor s qualifications by clicking on CB Validation on the top right of the page. This validation is necessary so that the auditor is listed in the list accessible to FSSC. 8/27

4.3 Complete the auditor qualification folder for desk review purposes (ONLY on FSSC specific request, not mandatory for all auditors) Continue entering the auditor folder by using the menus on the left (followed by Edit ): - Audit experience (see further on) - Competence assessment - Witnessing - Initial & continuous training NOTE 1: enter no more audit experience than required by FSSC, i.e. 5 audits per year against any GFSI recognized FSMS scheme (see drop list of accepted schemes by entering data). NOTE 2: there are 2 ways to enter audit experience: a) automatically incremented for any FSSC audit report (full or summary)entered in the database, b) entered manually by using Add experience for additional GFSI audits as necessary. NOTE 3: format of the competence assessment report to be uploaded is free, provided it is in English. Competence assessment shall be repeated every 3 years, and shall address all ISO 22003 food chain categories for which the auditor is qualified. 9/27

NOTE 4: format of the witnessing report to be uploaded is free, provided it is in English. Witnessing shall be repeated every 3 years, on any FSSC scheme. NOTE 5: initial training shall be entered only once, by creating the auditor folder. NOTE 6: continuous training shall be recorded according to FSSC requirement, i.e. 1 day per year FSSC training (program & attendance record to be uploaded). 4.4 Assign CB admin (or auditor) access rights To assign a CB user login and password: (NOTE: this is only necessary for CB admin people needing to enter or upload data on the database, or for auditors for CBs who choose to edit full audit reports on the database) Click on Access rights on the menu bar on the top of your Home page. Enter the fields, select language, and assign or not CB Admin level (necessary to have right to add organisations and to create, edit and assign auditors). 4.5 Assign organisations to an auditor (ONLY for editing full reports on the database not required by FSSC) For auditors (who normally do not have access to all organisations data within the CB, tick (Column Edit / Write) the organisations he/she is authorised to edit audit report data: 10/27

NOTE 1: to find an organisation in the list, use the Ctrl+F search function. NOTE 2: by changing the assigned auditor(s), the new one will access the entire organisation s folder, and the ancient one will loose access. 5. Enter an FSSC Audit Data Summary (ADS) The present section provides instructions for entering audit report data (full or summary) directly in the database, e.g. for CBs who decided to use the database to use the database functionalities to interactively provide the audit report and manage the action plan with their clients. NOTE 1: if the data are to be entered by another (or several other) person within your CB organisation, first move to section 4 of the present instructions and create the corresponding user. NOTE 2: the most efficient way to enter the audit report data is to ask the (lead) auditor to do it directly. NOTE 3: for certification of organizations with multiple sites, each certified site shall be entered separately within the database (see 6.2). 5.1 Add Organisation Click on Organisations on the menu-bar on the top of your Home page. You access the following page: Click on Add organisation on the right. NOTE: a CB Admin access is necessary to create an organisation and to assign it to the lead auditor. 11/27

You access the following page: Enter all fields marked with a *, which are the obligatory fields requested by FSSC for the audit data summary. NOTE: the same *code will be repeated on all pages where data shall be entered for the audit data summary. All the other fields do not have to be filled in they are to be entered for editing a full audit report (for CBs using the database for sharing full reports and managing actions plans with their clients, or for integrity program desk reviews). Click on Save in the bottom of the page. Check whether organisation creation succeeded (green display bar below), unless (red display bar with error message) remediate by using Edit on the right. 5.2 Provide access to your client organization NOTE: this step is not required by FSSC for entering the audit data summary. RATIONALE: the ViaSyst database allows CBs to interact with their certified organizations for a) sharing audit report (full or summary) data, b) online interactive editing & completing action plans linked to non-conformities. Interested CBs may (but are not obliged to) use this functionality instead of any other form or database to save time by managing the action plans (see 5.8). Click on Contact in the left hand side margin (see print screen above). 12/27

Click on Add user on the top right. Enter the client s organization contact details and Save NOTE 1: you may create as much client s users as required. NOTE 2: the tick box Quality manager shall be activated if you want that your client can complete the action plans directly on the database. 5.3 Add Audit The present section provides instructions for entering audit report data using 2 methods, 1- Enter audit report data directly on the database (5.3.1) 2- Add an audit data summary by using the transfer form to upload the audit report (5.3.2) CBs can choose one of the methods described below. 5.3.1 Enter an audit data summary (ADS) directly on the database Go back to the Home page. Click on the organisation name you just created on the left hand side margin. TIP: To browse a longer organisations list - type Ctrl + F, and enter company name, or - click on Organisations on the menu bar on the top of your screen and use the filters by typing the company name 13/27

The following screen appears: Click on Audits in the left hand side menu (see above). Click on Add audit on the right (see image below). Choose New audit in the drop list. Click on Create on the right (see image below). 14/27

TIP: if there is already an audit report (or summary) for the organisation on the database, you will preferably choose the last audit in the drop list. This brings advantage that all available and potentially stable data will be taken over from the last report so that you spare a lot of time for entering the new report, by just checking existing data and updating as necessary. Assign the applicable standards (see below), whereby systematically 3 standards shall be assigned, i.e.: 1. ISO 22000 2. Applicable PRP scheme, with corresponding 22003 version 3. FSSC additional requirements, with corresponding 22003 version Save Browse the italic menus on the left hand side (see below) and enter the corresponding data by editing/saving each page (all fields marked with * are requested for the FSSC audit data summary) NOTE: FSSC editorial guidance is associated to the fields as necessary 15/27

Validate the audit report summary (see 5.7) 5.3.2 Transfer form to upload the audit report NB: The FSSC audit data summary transfer tags document will help you set up an audit report form allowing to identify (or tag ) the data to be uploaded. Use the tags in this document to construct your audit report. Refer to the instructions for use in the introduction of the applicable FSSC audit data summary transfer tags document. Go back to the Home page. Click on the organisation name you just created on the left hand side margin. TIP: To browse a longer organisations list - type Ctrl + F, and enter company name, or - click on Organisations on the menu bar on the top of your screen and use the filters by typing the company name The following screen appears: 16/27

Click on Upload Audit Data summary in the left hand side menu (see above). Click on Attach new file. Browse the tagged report to upload from your documents Save Check whether upload succeeded (green display bar below), unless (red display bar with error message) remediate by correcting the tagged transfer document. 17/27

Once the entire audit s information is entered, click on CB Validation to validate the audit. Note: The validation of the audit is necessary to increment the audit experience for the auditor and be visible on his profile. 5.4 Audit Folder You accessed the directory page of the audit folder you just created. This is the hub from where you can manage the audit report (full or summary) edition & validation. In contrary to the organization s page, this page and all related items (see menu on the left hand side) is editable by the assigned auditors. For editing the audit title (e.g. specifying whether it is a certification or surveillance audit, or entering the real audit date), click on Edit on the top right. NOTE 1: the tick box Visible by customer may be activated if you want to share the audit report data with your client organization (see 5.2), e.g. for completing the action plan. 18/27

NOTE 2: this page is visible neither by the client organization nor by the scheme owner (FSSC). Click on Save 5.5 Enter Audit Report Data (full or summary) NOTE 1: only fields marked with a * are requested by FSSC for the audit data summary. NOTE 2: all the other fields do not have to be filled in they are to be entered for editing a full audit report (for CBs using the database for sharing full reports and managing actions plans with their clients, or for integrity program desk reviews). NOTE 3: for CBs using the database for editing & sharing their full audit reports, it is advantageous that the auditors edit their report directly on the database. Browse the italic menu on the left hand side and enter either a) fields marked with a *, as a minimum required by the FSSC audit data summary, or b) all fields for a FSSC compliant full report audit. NOTE 4: there are no required fields (*) on the page General impression for the FSSC audit data summary. 5.6 Add audit findings All the audit findings can be added directly from the tagged transfer template that you will upload, but you can also add findings manually, as described below: To add an audit finding, click on Add finding on the top right. 19/27

You access following page: First, assign your finding to the corresponding clause of the standard and grade it by clicking on add beside the standard number (see above). Use the tick lists to select corresponding interpretation (grading) and clause, Save. TIP: to reorder audit findings according to your editing preferences or rules (e.g. progressive clause numbering), you can click on the cross on the left of the finding and drag it at the correct place + Save. See below: before 20/27

and after 5.7 Validate the audit report Once all audit data have been entered and checked, the CB shall validate the audit data summary by clicking on CB Validation on the top right of the audit folder. If any required field for the FSSC audit data summary is missing, a red bar will appear, with links to complete the corresponding fields (see print screen below). The validation is necessary in order to a) check and confirm the submitted data are correct, b) increment automatically the auditor s audit experience within the auditor database, c) launch calculation and control of indicator & KPIs by the database, d) clear up the tasks list on the access homepage. 21/27

NOTE: - a CB validator must be assigned in the audit folder (see 5.7.1) in order to validate the audit data summary - the CB validator function (and person) is not obligatorily the same as the person designated within the CB s organisation for meeting certification decision - in order to be available for assignment, the validator shall have access right in edition to the organization (or overall - see 4.5) 5.7.1 Assign a validator To assign a validator to the audit, go back to the audit folder and proceed as follows: - Click on Edit on the top right You access the following page: 22/27

- Assign a validation person on the bottom of the page - Save 5.7.2 CB Validation: To validate the audit, click on CB validation on the top right. NOTE: If you need to re-edit you report, click on Unlock on the top right, edit the audit and click again on CB validation. 5.8 Complete & validate the action plan Complete (CB, lead auditor or client) the action plan by editing the fields Cause analysis and Planned corrective action. Click on Non-conformity manager on the lhs. You ll see the summary of all findings, with their completion progress & status: Click on See finding to edit any of them. To validate the action plan, go on the bottom of the page and Validate finding per finding: 23/27

NOTE 1: the lead auditor may validate progressively as soon as he receives an automatic e-mail alert when the client completes the action plan. NOTE 2: the status will appear ticked as validated once the non-conformity completion will have been verified and validated at next audit (which is another level of validation as validation of the action plan): 6. Edit / update a certificate 6.1 Add or update a certificate Click on Certificates linked to the audit at the bottom of the left hand side menu (see print screen). Click on Add certificate on the right. 24/27

Select the corresponding standard: For Food Manufacturing: FSSC Manufacturing - ISO 22002-1:2009 (22003:2007) FSSC Manufacturing - ISO 22002-1:2009 (22003:2013) For Packaging: FSSC Packaging - ISO 22002-4:2013 (22003:2007) FSSC Packaging - ISO 22002-4:2013 (22003:2013) FSSC Packaging - PAS 223:2011 (22003:2007) FSSC Packaging - PAS 223:2011 (22003:2013) For Feed: FSSC Feed - PAS 222:2011 (22003:2007) FSSC Feed - PAS 222:2011 (22003:2013) NOTE: DON T use the ISO 22000 option, as it doesn t allow to differentiate which scheme is applicable In addition to the data already available through the audit data summary (or full report), enter the following fields as required by the FSSC certificate database: - Accredited: enter whether the certificate is issued yes or no under your current CB accreditation scope - Issue ( From date: ) and expiry date ( To date; ) - Initial certification date (may be the same as initial for first certification) - Issuer is a facultative field, where you can enter the persons in charge of the certification decision. 25/27

Enter the issue, expiry and initial dates on the bottom of the page. Click on Save 6.2 Organizations with more than one location In case of organizations with more than one location, FSSC requires a separate certificate and report for each location or site. Repeat steps 5.1 to 5.9 for each certified site. IMPORTANT: FSSC does not allow multi-site certification. See FSSC guidance document Guidance notes on certification with more than one location. 26/27

6.3 Renewal of certificate in case of recertification In case of recertification (certificate renewal), you can either a) Create a new certificate with specific dates, or b) Edit the existing certificate and change issue and expiry dates Enter an FSSC full report To be completed Dublin, September 17, 2014 27/27