IFS Food HACCP Manufacturing Food Processing Audit CAPA Case study

IFS Food v8 audit readiness for manufacturers — a case study from food processing

A Quality Manager in a food-processing plant has 8 weeks before an IFS Food v8 certification audit. HACCP records, CCP monitoring, traceability per batch, food defense plan — scattered across folders and spreadsheets. This case study walks through the import → extraction → Quality Manager review → Gap Analysis → CAPA workflow that turned crisis mode into continuous readiness.

Pulsar GRC Team
IFS Food v8 audit readiness for manufacturers — a case study from food processing

The starting point: 8 weeks, a full IFS Food v8 standard, and a plant that runs 24/7

A mid-size food-processing plant (220 FTE, three production lines, dairy and ready-to-eat products) is preparing for an IFS Food v8 certification audit. The plant holds a current IFS certificate and wants to move from version 7 to version 8 without a downgrade. The Quality Manager has eight weeks.

The plant isn’t starting from zero — HACCP is in place, CCP monitoring runs every shift, the food defense plan was reviewed 11 months ago. The problem isn’t what’s missing. The problem is that the evidence lives in the wrong places: some CCP logs in paper binders on the shop floor, some HACCP verification records in a shared drive, supplier approval files in departmental folders, and the latest version of the product-testing schedule in an Excel file that only the Food Safety Team Leader can find.

For Quality Managers and HACCP Leads in food processing, this is the familiar reality of audit preparation. The task for the next 8 weeks is not to write more procedures. It is to make what exists discoverable, verifiable, and auditable.

Week 1: uploading the standard and building the requirement baseline

The first workstream is the simplest one structurally and the most valuable one strategically: upload the licensed IFS Food v8 copy to the compliance platform. The platform runs the standard through an extraction pipeline with a human in the loop:

  1. Requirement extraction — for each section of IFS Food v8 the AI extracts discrete requirements with a citation (e.g. “IFS Food v8 section 4.4.1 — supplier approval and performance monitoring”). Nothing enters the baseline without the user’s explicit acceptance.
  2. Quality Manager review — the Quality Manager and the Food Safety Team Leader walk through the extracted list together: accept, reject, correct citations, add clarifying context for plant-specific language. The review is a deliberate act, not rubber-stamping.
  3. Commit to baseline — only approved requirements form the baseline. Each carries a source pointer, the standard version, and a review date.

By the end of week one the baseline has the full IFS Food v8 requirement set, mapped to the plant’s HACCP plan structure.

Week 2: mapping requirements to HACCP, CCPs, and production processes

Every requirement needs to connect to a real control: a CCP monitoring record, a prerequisite programme, a supplier approval record, a traceability check. The mapping happens in working sessions with the Quality Manager, the Food Safety Team Leader, and the production supervisors.

Each requirement gets:

  • Control owner (the person accountable)
  • Required evidence (CCP log, calibration certificate, supplier audit report, environmental monitoring result, traceability record per batch)
  • Monitoring frequency (every shift, every batch, monthly, per supplier change)
  • Applicability flags (all lines vs. dairy line only vs. RTE line only)

The coverage dashboard now shows — at a glance — which requirements are green (control + evidence), which are yellow (control without evidence), and which are red (no control). The team knows where to focus during the remaining 6 weeks.

Week 3–4: HACCP verification, CCP integrity, and closing non-conformities

Red and yellow requirements become the non-conformity backlog. Each gets a CAPA with owner, deadline, and effectiveness verification — closure is technically blocked until the effectiveness of the corrective action is verified.

Sample CAPAs from this project:

  • CAPA-314 — IFS Food v8 section 4.9.3: CCP monitoring frequency not matching the HACCP plan in one production line (hot-fill temperature probe checked every 2 hours, HACCP plan requires hourly). Owner: Production Supervisor Line B. Deadline: +2 weeks. Effectiveness verification: 4 weeks of hourly logs + supervisor training record.
  • CAPA-328 — IFS Food v8 section 4.4.2: supplier approval documentation for new sweetener vendor missing allergen risk assessment. Owner: Quality Assurance Engineer. Deadline: +3 weeks. Effectiveness: completed allergen assessment + vendor audit report + updated approval register.
  • CAPA-341 — IFS Food v8 section 5.11: food defense vulnerability assessment older than 12 months. Owner: Quality Manager. Deadline: +4 weeks. Effectiveness: renewed assessment + updated mitigation plan + tabletop exercise documentation.

The CAPA Kanban (Open → In Progress → Root Cause Analysis → Action Planned → Pending Verification → Closed) is reviewed in the daily Quality stand-up. No CAPA closes without effectiveness evidence attached. No CAPA gets silently reopened — every status transition is audit-logged.

Week 5: mock recall exercise as a TTX in Crewshift

IFS Food v8 requires a periodic mock recall exercise. Instead of running it as a one-off paper exercise, the team runs it as a structured tabletop exercise (TTX) in Crewshift, using the same Brillnet compliance engine as Pulsar GRC, with:

  • A scripted scenario (contaminated raw material discovered in batch 2026-03-12 after 72 hours of production runs)
  • Defined roles (Incident Commander, Food Safety Lead, Communications Lead, Production Lead, QC Lead)
  • Injected events (regulatory notification deadline, customer inquiry, internal containment decision)
  • Evidence requirements (traceability report per batch, communication log, containment decision log, postmortem document)
  • A timeline — every action timestamped, every decision linked to the person who made it

The Crewshift TTX runs in 4 hours. It surfaces two real gaps: the traceability query from the ERP takes 22 minutes (IFS Food target: under 4 hours end-to-end, but the team’s internal target is under 15 minutes for the database query itself) and the template for customer notification is missing required regulatory information. Both become CAPAs, closed before the audit with documented effectiveness.

Week 6: supplier approval, food defense, and food fraud

Three weeks before the audit, attention shifts to suppliers and food-defense topics. The supplier register shows 47 active suppliers, of which 9 are critical (raw-material suppliers for the dairy line). Supplier approval cycle (Draft → Under Review → Active Review → Approved → Suspended) shows exactly which suppliers have complete audit documentation and which are in re-approval.

Each IFS Food v8 requirement tagged with supplier applicability gets an evidence requirement per supplier. A supplier without complete evidence does not reach active-review status — the platform technically blocks certification until missing documents are provided.

Food fraud and food-defense vulnerability assessments are refreshed — including a structured review of the plant perimeter, access control, and critical-area restrictions. Each identified vulnerability becomes either an existing control with documented evidence or a new CAPA.

Week 7: evidence pack per IFS section

The workflow now pays off. For each IFS Food v8 section, the platform generates a complete evidence pack:

  • List of requirements in the section
  • Linked controls with owners and frequency
  • Evidence (with cryptographic provenance and versioning)
  • Approvals and attestations
  • Change timeline with reason codes

The evidence package is cryptographically verifiable — the auditor receives an archive, verifies the manifest, and sees exactly what the quality team sees. No system access required.

Week 8: dry-run audit and final readiness

The last week is a dry-run audit with an internal audit team using the Auditor Portal (token-based scoped access, TTL, granular READ/COMMENT/DOWNLOAD permissions per resource). The internal team acts as an external auditor — only sees what will be shown, navigates through evidence packs, asks the questions a real IFS auditor would ask.

Findings from the dry-run become final CAPAs, closed in the last 3 days before the real audit.

Audit day: the outcome

The IFS auditor walks in and receives, on day one:

  • Evidence package per IFS Food v8 section with cryptographic verification
  • CAPA register with effectiveness verification for every closed non-conformity
  • Supplier register with complete documentation per supplier
  • HACCP verification log (12 months) with signed-off verification records
  • Mock recall exercise documentation from Crewshift (TTX timeline + lessons learned)
  • Management review records (last 4 quarters) with decisions and follow-up

Audit outcome: zero major non-conformities, 3 minor non-conformities (all closed within the standard 28-day window with full effectiveness evidence), certification maintained at the same rating.

What the team learned

Looking back at the 8 weeks, the Quality Manager summarized a few lessons:

  1. Uploading the standard and reviewing extracted requirements changes the operating model. Requirements aren’t hidden in a PDF — they’re real objects in a database with owners, deadlines, and review cycles.
  2. Effectiveness verifications transform CAPA culture. Instead of “we did it, moving on,” the team verifies that the problem doesn’t come back. Repeat non-conformities dropped by about 40% in the next cycle.
  3. Running mock recall as a TTX in Crewshift generates better evidence than running it as a paper exercise. Real-time role execution and timestamped events make the outcome auditable, and the lessons-learned pack writes itself.
  4. Cryptographically verifiable evidence packages shift the audit conversation. The auditor doesn’t need system access — just the archive and a laptop. Trust forms faster, and the audit moves in half the time.
  5. A coverage dashboard 6–8 weeks before an audit means no weekends. The team saw gaps when there was time to close them — not in the final week.

What didn’t work in the past

Before the systemic approach, the same plant had spent the last three audit cycles in “audit mode”: four to six weeks of overtime, shadow spreadsheets, hand-reconstructed CAPA statuses, and a general atmosphere of “please hold your procedure questions until after the audit.” The real cost wasn’t just the overtime:

  • Expert time pulled out of operations (several hundred hours across 6 weeks, repeated each cycle)
  • One repeat audit in the last five cycles (around €12,000 direct cost plus reputation impact with the customer)
  • Two close calls with certification downgrade that would have triggered customer-contract renegotiation

A systemic approach isn’t “adding another tool.” It’s a transition from crisis mode to continuous operational readiness.

Want to see how it works on your own data? Try Pulsar GRC for free — 14 days, full feature set, no credit card.