SQFSafe Quality Food

SQF (Safe Quality Food) is a food-safety and quality certification scheme owned by SQFI, a division of FMI (Food Industry Association, formerly the Food Marketing Institute). It is GFSI-benchmarked, which means certification is accepted by major retailers and brand owners that require GFSI compliance from their suppliers. SQF is particularly common across the US food, beverage and ingredient supply chain, partly because of its retailer roots and partly because the code aligns naturally with FSMA preventive controls under 21 CFR 117.

The SQF Code covers multiple sectors — primary production, food manufacturing, storage and distribution, food packaging, animal feed, foodservice, retail — with sector-specific modules under a common management-system framework. Certification is issued by SQFI-licensed Certification Bodies (CBs) and is recognised in over 40 countries.

SQF Code Edition 9 (released 2020, fully in force from 2021) is structured around a core management framework (System Elements) and sector-specific modules (Good Practices). Each certificate is built from Module 2 plus one or more applicable sector modules.

• Module 2 — System Elements (applies to all): management commitment, document control, specifications, supplier approval, training, complaint management, internal audit, food-safety plan, food-defence plan, food-fraud mitigation, allergen management, recall.
• Module 7 — Food Manufacturing GMPs.
• Module 8 — Food Packaging Manufacturing GMPs.
• Module 10 — Animal Feed Manufacturing.
• Module 11 — Storage and Distribution.
• Module 12 — Food Brokerage.
• Module 13 — Retail.
• Module 14 — Foodservice and catering.
• Module 16 — Manufacture of dietary supplements.
• Module 17 — Manufacture of pet food.

Module 2 is the universal backbone. Most non-conformances during audit cluster around Module 2 clauses — particularly document control, training effectiveness and internal audit. Sector modules add the operational GMP detail (e.g., zoning, temperature control, foreign-body management).

SQF certifies at three levels in the food sector:

• SQF Fundamentals (introductory) — GMP-focused, not GFSI-recognised; a stepping stone for emerging suppliers building basic systems.
• SQF Food Safety Certification — System Elements + HACCP-based food-safety plan + relevant sector module. GFSI-recognised and the level virtually all retailers accept.
• SQF Quality Certification — adds quality-management requirements on top of food safety. Not GFSI-required but increasingly demanded by some brand owners and private-label customers.

Most certified sites hold SQF Food Safety Certification at the higher of two ratings: Good (85–95) or Excellent (96–100). The Quality add-on is a smaller subset, typically chosen when private-label customers want a single audit covering both safety and quality.

The certification audit is a full on-site visit by an SQFI-registered auditor working for a licensed CB. The auditor combines document review, floor observation, traceability exercises and staff interviews. Expect them to:

1. Confirm senior management commitment — documented policy, resource allocation, management review minutes.
2. Test document control — current, approved, accessible at point of use, obsolete versions removed.
3. Walk the HACCP food-safety plan end-to-end — hazards identified, CCPs validated, monitoring evidence on file.
4. Probe the food-defence plan — vulnerability assessment, mitigation, training.
5. Probe the food-fraud mitigation plan — vulnerability assessment using a recognised methodology (e.g., VACCP) and controls.
6. Inspect allergen control — segregation, changeover validation, label-control reconciliation.
7. Review supplier approval — risk-based selection, monitoring evidence, scheduled re-assessment.
8. Pull training records — current, competency-based (not just attendance).
9. Verify the internal audit programme covers every clause annually.
10. Run or witness a mock recall — at least annually, with results and timing.
11. Walk complaint management — every complaint logged, investigated, trended.
12. Trace CAPAs — closed-loop with effectiveness verification.
13. Run an unannounced traceability exercise — typically one-up/one-down within 4 hours, FSMA 204 KDE evidence on file for covered foods.

Certificates run for three years with annual surveillance. The exact mechanics:

• Year 1 — full announced certification audit covering all applicable clauses.
• Year 2 — surveillance audit, may be announced or unannounced depending on rating.
• Year 3 — recertification audit, full scope.
• One audit in every three-year cycle must be unannounced (per GFSI v2024 benchmark) unless the site is in a sector where unannounced is impossible (e.g., seasonal pack-houses).

Critical non-conformances issued during any audit suspend the certificate until verified CAPA closure. Major non-conformances must be closed within 30 days. Minor non-conformances within 90. The CB then issues the report to SQFI and to the site, and the score is published to the SQF Assessment Database which retailers can query.

A common surprise for first-time sites: the auditor is allowed to request evidence from any time period within the certificate cycle, not just the audit week. Trend data, internal audit reports and CAPA tracking from earlier in the year are all fair game — which is why the system has to be live, not built up the week before audit.

Three plans are required and are tested more aggressively in Edition 9 than in earlier versions:

1. Recall plan — written, tested at least annually with a mock recall. SQF's expectation is 4-hour completion for the trace-and-quantify phase. Records must show 100% reconciliation of suspect lot.
2. Food defence plan — vulnerability assessment using a recognised method (e.g., CARVER+Shock, ORM model), mitigations, training. Aligns naturally with FSMA Intentional Adulteration rule (21 CFR 121).
3. Food fraud mitigation plan — vulnerability assessment (typically VACCP / SSAFE Food Fraud Tool) covering economically motivated adulteration. Reviewed annually and at any change in supply chain.

Sites often pass the document review for these plans and fail the field test — mock recalls are recorded but slow, food-defence training is generic, food-fraud assessments are dated. Edition 9 auditors are specifically trained to probe operational reality, not just documentation.

• Stronger food-safety culture requirements — measurable indicators, employee surveys, leadership behaviours, observable KPIs.
• Expanded food-fraud and food-defence requirements aligned with GFSI v2024.
• Environmental monitoring programme with risk-based zoning — particularly emphasised for ready-to-eat sectors.
• Heightened expectations on training effectiveness — beyond attendance; competency must be demonstrated.
• Closer alignment with FSMA preventive controls in the US (21 CFR 117) and FSMA 204 (Food Traceability) for covered foods.
• Sanitation programme made more prescriptive — pre-op verification, post-clean ATP/protein testing trending.
• Allergen management strengthened — validated changeover, label control, supplier allergen declarations.
• Continuous improvement explicit — sites must show year-on-year improvement in objective KPIs, not just maintain a baseline.

All three are GFSI-benchmarked and broadly interchangeable for retailer acceptance. The differences are in tone, structure and audit style.

Sites that already hold ISO 22000 often move to FSSC; sites with strong retailer ties in North America often pick SQF; UK-rooted operations and multi-site European retailers often prefer BRCGS. None of the three is harder to pass than the others in absolute terms — but cross-walking from one to another typically takes 6–9 months.

• Food-safety culture stated as a policy but no measurable indicators.
• Food-fraud vulnerability assessment cursory or never reviewed.
• Environmental monitoring data collected but not trended or acted on.
• Mock recall completed but not within the 4-hour expectation.
• Document register inconsistent with documents in use on the floor.
• Allergen changeover validated once and never re-validated after process change.
• Supplier approval based on questionnaire only, without periodic risk review.
• Internal audit programme on paper but not actually completed for every clause.
• CAPA effectiveness review missing or copy-pasted from prior CAPAs.
• Training records show attendance but no competency check.
• Glass and brittle plastic register out of date — items on the floor not on the register.
• Calibration records missing for in-line metal detectors or CCP scales.
• Sanitation pre-op verification signed off before the line is actually ready.
• FSMA 204 KDEs missing for covered foods (US sites).

V5 isn't a 'food safety system' bolted onto manufacturing — the food-safety controls live inside the same execution system that runs the floor. That matters because the SQF auditor's hardest questions are about the link between policy and operational reality, and V5 closes that loop by design.

• Document control with two-person e-signature for SQF Module 2 SOPs and HACCP plans.
• HACCP food-safety plan executed at the kiosk — CCP monitoring, limits, corrective actions captured per batch with operator e-sig.
• Allergen changeover with electronic checklists, ATP / protein result capture, line release blocked until clean.
• Environmental monitoring schedule, sample log, result trending by zone, action-level alerts.
• FSMA 204 KDE capture for covered foods, with one-click traceability export.
• Mock recall via the traceability viewer — one-up/one-down trace under four hours, evidence stored automatically.
• Internal audit schedule, findings register, CAPA workflow, effectiveness verification.
• Supplier portal for CoA, allergen declarations, audit certificates, expiry alerts before audit week.
• Training records with competency capture, expiry tracking, kiosk hard-block on overdue mandatory training.
• Food-safety culture KPIs surfaced on a dashboard — measurable indicators the auditor can see live.

GFSI v2024 requires at least one unannounced audit in every three-year certificate cycle for sites holding a Food Safety certificate. SQFI implements this with a 30-day window: the certification body notifies the site that they are inside the window, and the auditor arrives on any working day with no further warning. Sites that treat the announced audit as their preparation date and let standards drift in the intervening 24–36 months get caught when the unannounced visit lands in the middle of a difficult shift.

Audit-ready posture is a continuous operating state, not a project. The five disciplines that hold it:

1. Daily GMP walks by the food-safety team, finding logged the same shift, closed within agreed SLAs (typically 24 hours for high-risk, 7 days for low-risk).
2. Weekly internal verification — a rolling slice of CCPs, prerequisite programmes and records is reviewed every week so the full system is touched every quarter.
3. Monthly mock audit covering one Module 2 element in depth — the auditor follows the audit trail end-to-end and writes findings as if external.
4. Quarterly food-safety culture pulse — operator survey + behavioural observation + KPI scoreboard reviewed at the management review.
5. Annual full internal audit — covers 100% of clauses, conducted by trained internal auditors independent of the area audited.

The artefact that gives an unannounced auditor confidence in the first 30 minutes is not the binder of policies — it's the live evidence stream. A working CCP dashboard showing the last 24 hours of monitoring, a kiosk training board showing 100% compliance for the current shift, a supplier portal showing no expired CoAs on goods received this week. When that evidence is visible without anyone having to open a folder, the rest of the audit usually goes well.

SQF Edition 9 made culture explicit: the site must define, measure and demonstrate continuous improvement in food-safety culture. The auditor will ask three things — what is your culture programme, how do you measure it, and what changed because of what you measured. A documented programme without measurement, or measurement without action, both fail.

The strongest evidence of an effective culture programme is a near-miss / suggestion rate that's rising over time. Sites where the rate is high and rising have operators who believe reporting will lead to action; sites where it's low and flat have operators who believe it won't. Auditors increasingly read this number as the single best leading indicator of culture, ahead of any survey result.

Module 2 §2.4.4 requires a documented supplier approval programme proportionate to the food-safety risk each material presents. A one-page list of approved suppliers is no longer sufficient — the auditor expects to see risk segmentation, evidence requirements per tier, and on-going monitoring with consequences.

1. Risk-rank every raw material and packaging item — high / medium / low — using a defined rubric (likelihood × severity × supplier maturity × allergen / pathogen / contaminant profile).
2. Define evidence per tier — high-risk: GFSI certificate + annual audit (your audit or 3rd-party) + every-shipment CoA + annual sampling plan; medium: GFSI cert + CoA per lot; low: questionnaire + CoA on request.
3. Capture all evidence in one supplier portal — auditor wants to see a single source of truth, not a binder per supplier.
4. Monitor performance — on-time delivery, CoA quality, complaint rate, audit findings, NCR aging. Re-rank annually based on actual performance, not assumed risk.
5. Document de-approval triggers — repeated CoA mismatch, audit downgrade, regulatory action, complaint clusters. The auditor will ask 'when did you last de-approve a supplier?' and a 'never' answer is a finding.