GFSI Requirements for Root Cause Analysis

For food businesses working toward GFSI-recognized certification, root cause analysis (RCA) is a core requirement – and one of the most scrutinized elements of any audit.

Here, we examine how RCA is required and assessed across GFSI-benchmarked standards, what businesses must do to meet requirements, and where many fall short. We also look at how the right software can simplify RCA and CAPA processes in practice.

What is root cause analysis in the context of food safety?

Root cause analysis is a widely adopted methodology used to eliminate non-conformities in food safety and quality. Its core function is to identify the fundamental cause or causes of systemic failures.

By analyzing root causes, businesses can take corrective actions, strengthen food safety management systems, and prevent the recurrence of issues that lead to product dumps, costly recalls, and long-term reputational damage.

RCA is not simply a one-time, retroactive response to incidents. It is an ongoing process designed to drive continuous improvement of food safety and quality practices – structured, methodical, and effective.

Why GFSI schemes emphasize root cause analysis

Businesses that adopt RCA shift from a reactive to a proactive approach to food safety management. Instead of applying quick fixes issue by issue, RCA allows businesses to identify potential risks and vulnerabilities within their processes and act accordingly.

This shift is one of the key reasons why GFSI schemes attach significant importance to RCA as a compliance tool. RCA’s role in continuously improving the effectiveness of quality processes and safety systems is equally critical.

Businesses that conduct root cause analysis regularly are audit-ready, operationally efficient, and in compliance with schemes such as BRCGS, SQF, and FSSC 22000.

Root cause analysis requirements under GFSI

GFSI benchmarks food safety standards against a core set of requirements, one of which is the mandatory use of RCA in Corrective Action and Preventive Action (CAPA) systems. Below is an overview of the RCA requirements of each scheme.

BRCGS and root cause analysis

BRCGS certification programs require businesses to conduct a formal RCA to address non-conformities identified through customer complaints, process failures, internal or external audits, or product recalls.

The standard requires a five-step RCA process. Businesses must:

  1. Define the non-conformance by gathering data needed for an in-depth investigation.
  2. Identify the root cause using a technique such as the Five Whys, Ishikawa (fishbone) diagram, or Pareto chart.
  3. Take corrective actions to address the root cause.
  4. Develop and implement a preventive action plan.
  5. Verify and monitor the action plan to confirm effectiveness and prevent recurrence.

BRCGS also requires a formal RCA with documented evidence as part of the corrective action report, and bases the audit grade on the robustness of CAPA processes.

A detailed RCA guide is available directly from BRCGS.

SQF requirement for root cause analysis

The Safe Quality Food (SQF) code requires a documented RCA as part of the corrective action for every major non-conformance.

To maintain SQF certification, businesses must identify, document, and implement the underlying cause and resolution of any non-compliance with critical food safety limits or deviations from food safety requirements.

The required SQF CAPA process includes:

  • identifying the root cause of any non-conformance before implementing corrective actions
  • documenting and implementing corrective actions in a timely manner
  • taking preventive actions to stop recurrence and support long-term systemic change
  • maintaining records of all CAPAs and making them available for auditor review.

SQF has broadened CAPA requirements to cover food safety, quality, and food defense.

FSSC 22000 and root cause identification

Food Safety System Certification (FSSC) 22000 is based on ISO 22000. It requires a thorough RCA to detect the actual causes of non-conformities, support effective corrective actions, prevent recurrences, and promote the continuous improvement of processes.

FSSC 22000 also connects RCA to management review and continual improvement (see clauses 9.3 and 10.3, respectively).

Of the three standards, FSSC 22000 requirements are the most detailed and prescriptive.

According to clause 10.1 of ISO 22000:2018, when a nonconformity occurs, organizations must:

  • react and contain the problem, then evaluate the need for corrective action by investigating the root cause
  • determine the causes of the nonconformity – a mandatory, not discretionary, step
  • implement corrective actions appropriate to the effects of the nonconformity and the root cause identified
  • review the effectiveness of corrective actions taken
  • consider whether similar nonconformities exist or could occur elsewhere in the system
  • document the entire CAPA process as evidence for certification audits.

ISO 22000:2018 can be purchased from ISO or national standards bodies. FSSC 22000 scheme documents are available free at the FSSC website.

What food businesses must do to comply

To comply with GFSI-recognized frameworks, food businesses must:

  1. Establish a documented CAPA process with defined responsibilities and timeframes.
  2. Apply a structured RCA methodology consistently across all departments.
  3. Separate the immediate short-term fix from the root cause, and document both.
  4. Verify that corrective actions have worked within a defined timeframe, with evidence.
  5. Analyze CAPA data for trends to catch recurring or systemic issues before auditors do.
  6. Feed RCA findings into management review and continual improvement processes.

Common pitfalls to avoid to meet GFSI expectations

The most frequent failure is documenting the what without the why. Auditors are trained to ask “why” repeatedly until a systemic cause is reached.

Focusing on retraining is another common error. Retraining rarely addresses a root cause. When human error is involved, the deeper question is why it occurred: whether due to a flawed process, unclear procedures, inadequate equipment, or a gap in the system. Those underlying factors are where corrective action should be directed.

GFSI schemes require written records, but many organizations fail to maintain documented evidence. Verbal explanations of what was done are not acceptable. Timelines, responsibilities, evidence of implementation, and effectiveness verification must all be documented.

Closing a CAPA without checking whether the problem recurred is a common compliance gap. Effectiveness reviews must be scheduled, conducted, and recorded a prescribed number of days after implementation.

Organizations often complete a thorough RCA but for the wrong scope, addressing only the immediate incident rather than the system that allowed the failure. RCA is often robustly applied in production but weakens in areas such as warehousing, maintenance, or supplier management – and GFSI auditors look across the entire system.

Failure to conduct trend analysis is a red flag in any GFSI audit. All three schemes expect CAPA data to be reviewed periodically for trends; recurring non-conformances in the same area signal that root causes are not being properly addressed.

Organizations sometimes delay initiating the RCA process after a non-conformance is identified. While schemes such as BRCGS imply timelines and specify schedules for post-audit CAPAs, delays in investigation are indicative of a weak food safety culture.

Benefits of effective root cause identification

Beyond ensuring regulatory compliance, consistently and accurately identifying root causes can help:

  • prevent recurrence of safety and quality issues
  • support long-term corrective solutions
  • drive continuous improvement
  • strengthen risk management
  • enhance operational efficiency.

Simplifying root cause analysis with isoTracker’s CAPA software

isoTracker’s CAPA software makes RCA simple, streamlined, and effective. It features built-in tools to support precise root cause identification (Five Whys, 3×5 Whys and Fishbone/Ishikawa).

It also directly links RCA to non-conformances and CAPA workflows to ensure audit-ready documentation and version control.

Our CAPA module is user-friendly, cost-effective, and fully scalable for smaller to mid-sized food businesses seeking GFSI compliance.