Tag Archives: software

A Case for Digital Cultivation Management in the Cannabis Industry

By Allison Kopf
No Comments

The steady destigmatization and legalization of medical and recreational cannabis at the state level continues to propel a large and fast-growing industry forward. In 2018, the legal cannabis industry grew to $10.4 billion in the U.S., employing more than 250,000 people according to New Frontier Data. 

The mass production of anything that humans consume is invariably accompanied by an increased concern for safety and accountability—especially in the case of cannabis, which the federal government still deems a Schedule I substance. Each U.S. state has its own mix of laws based on the will of its voters, spanning the spectrum from fully legal to fully illegal.  

While the mix of legality in states can be hard to keep up with, all states with any form of cannabis legalization have one thing in common: the need to regulate this new industry. Last year, the federal government issued a Marijuana Enforcement Memorandum that allows federal prosecutors to decide how to prioritize enforcement of federal marijuana laws, so states are at risk.

If you are a public official involved in state cannabis regulation, or anyone involved in the supply chain from cultivator to dispensary, chances are you are using some kind of seed-to-sale tracking technology to monitor things like plant inventory, sales volume, chain of custody—and to hedge against federal encroachment by having a legitimate form of accountability.

Mandatory Request For Proposals (RFPs) issued by states for compliance solutions have spawned an entire sub-industry of seed-to-sale tracking, and point-of-sale hardware and software vendors, with large multi-million dollar contracts being awarded. Metrc’s RFID (Radio Frequency Identification) plant and packaging tags are gaining wide usage, and 11 states plus DC have adopted the technology.

While states are taking the right steps to keep their legal cannabis industry legitimate and accountable, there is actually a major gap that existing systems don’t cover: cultivation management. Most of the existing RFPs and platforms focus on the post-harvest side of the business (processing, packaging, distribution) and may have some cultivation management capability, but are not geared for the cultivation operation, which is where a lot of the risk actually lies for both growers and state regulators. 

As a state official or a cultivator, what could be more damaging to business than a massive product recall—especially after the product has been distributed and consumed? This is the fastest way to get shut down or audited by the state as a grower or invite federal investigation if you’re a state. And these recalls cost growers millions of dollars and possibly their license. There is massive risk involved by not addressing the cultivation side.

PlantTag
A plant tagged with a barcode and date for tracking

With current tracking systems, it’s possible to see where the product came from in the event of such a recall, but nearly impossible to pinpoint and see what actually happened and when the recall happened. This makes it almost impossible to stop the same problem in the future and puts consumers at unnecessary risk.

The reason most seed-to-sale systems are difficult for growers to use is because they were designed for regulators to address the most obvious regulatory questions (are growers abiding by the law? Who is selling and buying what and how much? Is the correct tax amount being levied?). They were not designed for growers and in many cases, cultivation teams are using two systems—their own ERP and/or spreadsheets and seed-to-sale tracking mandated by regulators.

This means there is a huge missing link in data that should be captured during the cultivation process. In many cases, growers are tracking crop inventory during the growth stage with pen and paper, or at best, in Excel. Cultivators need a tool designed for them that helps both run better operations and identify hazards to their crop health before it’s too late, and regulators need complete traceability along the supply chain to reduce risk to consumers.

To fill this critical data gap, there is a strong case for states in their RFPs and ongoing regulatory capacity, to adopt and encourage cultivators to use Cultivation Management Platforms (CMPs) alongside any existing seed-to-sale and ERP solutions for complete traceability.

As more states move to legalize medical and recreational cannabis, mitigating risk as part of a larger regulatory framework will only become more important. Adopting and using a CMP empowers growers to focus on not just tracking data, but making that data accessible and functional for growers to drive efficiency and profits all while ensuring security and regulatory compliance in this rapidly evolving industry.

BioTrackTHC Selected For Maine’s Traceability Contract

By Aaron G. Biros
No Comments

On May 15, BioTrackTHC was announced the conditional winner for Maine’s seed-to-sale tracking system government contract. The award is still pending final approval from the State Procurement Review Committee and the successful negotiation of the contract.

BioTrackTHC, a Helix TCS subsidiary, announced in a press release their conditional award earlier this month. The contract means that BioTrackTHC would partner with the state to provide software for tracking both medical and recreational cannabis products from the immature plant to the point of retail sales.

The contract could go for as long as six years, through 2025. If this contract receives final approval from the state internally, then this will become the ninth government contract for BioTrackTHC. Patrick Vo, CEO of BioTrackTHC, expects a quick deployment of the software once the contract is finalized. “We are excited to be working with the State of Maine and are grateful for their vote of confidence in our team’s ability to execute upon state-level tracking contracts and rapidly deploy a sound and secure technology solution,” says Vo.

Zachary L. Venegas, Executive Chairman and CEO of Helix TCS, Inc, says BioTrackTHC’s technology is leading the industry in shaping regulatory oversight for legal cannabis. “As states and countries begin to rollout or expand legal cannabis programs, our technology continues to lead as demonstrated by this Intent to Award and our multiple recent contract extensions with our partners,” says Venegas. “We look forward to playing a vital role in shaping the global cannabis industry and ensuring that it is able to operate efficiently and transparently.”

HACCP

Implementing a HACCP Plan to Address Audit Concerns in the Infused Market

By Daniel Erickson
1 Comment
HACCP

The increasing appeal and public acceptance of medical and recreational cannabis has increased the focus on the possible food safety hazards of cannabis-infused products. Foodborne illnesses from edible consumption have become more commonplace, causing auditors to focus on the various stages of the supply chain to ensure that companies are identifying and mitigating risks throughout their operations. Hazard Analysis and Critical Control Points (HACCP) plans developed and monitored within a cannabis ERP software solution play an essential role in reducing common hazards in a market currently lacking federal regulation.

What are cannabis-infused products?

Cannabis infusions come in a variety of forms including edibles (food and beverages), tinctures (drops applied in the mouth), sprays (applied under the tongue), powders (dissolved into liquids) and inhalers. Manufacturing of these products resembles farm-to-fork manufacturing processes common in the food and beverage industry, in which best practices for compliance with food safety regulations have been established. Anticipated regulations in the seed-to-sale marketplace and consumer expectations are driving cannabis infused product manufacturers to adopt safety initiatives to address audit concerns.

What are auditors targeting in the cannabis space?

The cannabis auditing landscape encompasses several areas of focus to ensure companies have standard operating procedures (SOP’s) in place. These areas include:

  • Regulatory compliance – meeting state and local jurisdictional requirements
  • Storage and product release – identifying, storing and securing products properly
  • Seed-to-sale traceability –  lot numbers and plant identifiers
  • Product development – including risk analysis and release
  • Accurate labeling –  allergen statements and potency
  • Product sampling – pathogenic indicator and heavy metal testing
  • Water and air quality –  accounting for residual solvents, yeasts and mold
  • Pest control – pesticides and contamination

In addition, auditors commonly access the reliability of suppliers, quality of ingredients, sanitary handling of materials, cleanliness of facilities, product testing and cross-contamination concerns in the food and beverage industry, making these also important in cannabis manufacturers’ safety plans.

How a HACCP plan can help

HACCPWhether you are cultivating, harvesting, extracting or infusing cannabis into edible products, it is important to engage in proactive measures in hazard management, which include a HACCP plan developed by a company’s safety team. A HACCP plan provides effective procedures that protect consumers from hazards inherent in the production and distribution of cannabis-infused products – including biological, chemical and physical dangers. With the lack of federal regulation in the marketplace, it is recommended that companies adopt these best practices to reduce the severity and likelihood of compromised food safety.

Automating processes and documenting critical control points within an ERP solution prevents hazards before food safety is compromised. Parameters determined within the ERP system are utilized for identification of potential hazards before further contamination can occur. Applying best practices historically used by food and beverage manufacturers provides an enhanced level of food safety protocols to ensure quality, consistency and safety of consumables.

Hazards of cannabis products by life-cycle and production stage

Since the identification of hazards is the first step in HACCP plan development, it is important to identify potential issues at each stage. For cannabis-infused products, these include cultivation, harvesting, extraction and edibles production. Auditors expect detailed documentation of HACCP steps taken to mitigate hazards through the entire seed-to-sale process, taking into account transactions of cannabis co-products and finished goods at any stage.

Cultivation– In this stage, pesticides, pest contamination and heavy metals are of concern and should be adequately addressed. Listeria, E. coli, Salmonella and other bacteria can also be introduced during the grow cycle requiring that pathogenic indicator testing be conducted to ensure a bacteria-free environment.

Harvesting– Yeast and mold (aflatoxins) are possible during the drying and curing processes. Due to the fact that a minimal amount of moisture is optimal for prevention, testing for water activity is essential during harvesting.

Extraction – Residual solvents such as butane and ethanol are hazards to be addressed during extraction, as they are byproducts of the process and can be harmful. Each state has different allowable limits and effective testing is a necessity to prevent consumer exposure to dangerous chemical residues.

Edibles– Hazards in cannabis-infused manufacturing are similar to other food and beverage products and should be treated as such. A risk assessment should be completed for every ingredient (i.e. flour, eggs, etc.), with inherent hazards or allergens identified and a plan for addressing approved supplier lists, obtaining quality ingredients, sanitary handling of materials and cross-contamination.

GMPFollowing and documenting the HACCP plan through all of the stages is essential, including a sampling testing plan that represents the beginning, middle and end of each cannabis infused product. As the last and most important step before products are introduced to the market, finished goods testing is conducted to ensure goods are safe for consumption. All information is recorded efficiently within a streamlined ERP solution that provides real-time data to stakeholders across the organization.

Besides hazards that are specific to each stage in the manufacturing of cannabis-infused products, there are recurring common procedures throughout the seed-to-sale process that can be addressed using current Good Manufacturing Practices (cGMP’s).  cGMPs provide preventative measures for clean work environments, training, establishing SOPs, detecting product deviations and maintaining reliable testing. Ensuring that employees are knowledgeable of potential hazards throughout the stages is essential.Lacking, inadequate or undocumented training in these areas are red flags for auditors who subscribe to the philosophy of “if it isn’t documented, it didn’t happen.” Training, re-training (if necessary) and documented information contained within cannabis ERP ensures that companies are audit-ready. 

Labeling

The importance of proper labeling in the cannabis space cannot be understated as it is a key issue related to product inconsistency in the marketplace. Similar to the food and beverage industry, accurate package labeling, including ingredient and allergen statements, should reflect the product’s contents. Adequate labeling to identify cannabis products and detailed dosing information is essential as unintentional ingestion is a reportable foodborne illness. Integrating an ERP solution with quality control checks and following best practices ensures product labeling remains compliant and transparent in the marketplace.

Due to the inherent hazards of cannabis-infused products, it’s necessary for savvy cannabis companies to employ the proper tools to keep their products and consumers safe. Utilizing an ERP solution that effectively manages HACCP plans meets auditing requirements and helps to keep cannabis operations one step ahead of the competition.

Top 5 Cybersecurity Threats To The Cannabis Industry

By Lalé Bonner
No Comments

Is your cannabis business an attractive target for cyber criminals? With the influx of investment to this market and new businesses opening frequently throughout the United States, the legal cannabis industry is a prime target for cyber criminals.

Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.Cannabis industry hackers pick their targets by vulnerability, exploiting consumer or patient data to darknet black markets and forums. The impact can be devastating to both the business and their consumers. With new laws on protecting consumer and patient data on the horizon, businesses that do not adequately protect that data, could face stiff fines, in addition to losing the trust of their customers.

So, how do these attacks present themselves? Recent studies implicate employees as the “weakest link” in the cybersecurity chain due to a lack of cybersecurity best practices and training. Implementing safeguards and providing employee training is imperative to the cybersecurity health of your business.

Now, let’s identify the top 5 cybersecurity threats to the cannabis industry and some valuable tips for protecting against these criminal hacks:

PhishingPhishing is a form of cyber-attack, typically disguised as an official email from a trustworthy entity, attempting to dupe the recipient into revealing confidential information or downloading malware. Don’t take the bait! 91 percent of cyber-attacks start as phishing scams, with most of these lures being cast through fraudulent emails.

  • Tips: Do not download attachments from unknown senders!
  • Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.

Password ManagementPassword complexity is key to protecting against cyber breaches. When it comes to data hacking, 81 percent of breaches are caused by stolen or weak passwords. With a password often being the only barrier between you and a data breach, creating a complex password will dramatically decrease those password-sniffers from obtaining your sensitive information.

  • Tips: Create passwords that are at least 12 characters in length – include letters, numbers and symbols (*$%^!), and never use a default password. This will fend off brute-force attacks.
  • Change passwords every six months to a year, keeping them complicated and protected. For IT Managers, make using a password manager mandatory for all employees. (Pro-tip: LastPass is free).Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.

Public Wi-FiBeing able to connect in public spaces, while a modern marvel of convenience, leaves us wide open to cyber-attacks. Whether you are in an airport or café, always err on the side of caution.

  • Tips: Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.
  • Browse in a “private” or “incognito” window to avoid saving information. If you have a VPN, use it. If not, then do not handle any sensitive data.

BYOD: Beware of Bad Apps: Using personal devices for work has become the norm. In fact, approximately 74 percent of businesses have bring-your-own-device (BYOD) policies or plans to adopt in the future.

With these platforms providing greater access to mobile apps, comes greater responsibility on the part of the end user.

  • Tips: Password protect devices that will be used for work (and, any device in general).
  • Only download applications from a trusted, authorized app store. Do not use untrusted play apps.
  • Mobile device protection is recommended for any device being used on a business network.

Whether it is an app from an unauthorized website or a lost/stolen device that was not password protected, cyber criminals do not need much to compromise critical data.Avoid logging into a SaaS application on a public computer or public Wi-Fi network.

SaaS Selectively: Keep Sensitive Data Safe: SaaS (Software As A Service) are cloud-based software solutions and chances are you are using one of these SaaS solutions for work purposes. IT is typically responsible for implementing security controls for SaaS applications, but ultimate responsibility falls on IT and the end user jointly. Here is what you can do to help keep these solutions safe:

  • Tips: Avoid logging into a SaaS application on a public computer or public Wi-Fi network.
  • Never share your SaaS login credentials with unauthorized persons over digital format or in person. Lastly, if you need to step away, always lock your screen during an active session.

While these tips will help keep your consumer/patient data from falling into the wrong hands, always have a plan B- backup plan! Your plan B must incorporate saving important data to a backup drive daily. Most likely, there is already a backup protocol in place for your mission-critical work data; however, for sanity’s sake, back up your BYOD devices as well.

How a Cloud QMS Can Get Cannabis Startups ISO 9001-Certified

By Mike Hansen
1 Comment

When it comes to compliance for cannabis startups, the ISO 9000 family of standards reigns supreme. Providing the guidelines for the concepts that make up a quality management system (QMS), the ISO family is composed of five standards: ISO 9000, 9001, 9002, 9003 and 9004. Outside of ISO 9001, ISO 9000 is the most important because it creates the foundation that guides all of the other standards.

ISO 9000 is split into two sections: fundamentals and vocabulary. Fundamentals covers the basic principles of quality management and the vocabulary section is a dictionary of quality management terminology. ISO 9000 is crucial because it provides direction on proper QMS implementation that will lead to achieving an ISO 9001 certification.

While the entire ISO 9000 family is focused on quality management systems that aim to help organizations “ensure that their products and services consistently meet customer’s requirements and that quality is consistently improved,” ISO 9001 is the only standard that lists actual requirements and requires certification.Cloud-based quality management software provides the flexibility and scalability, that cannabis startups need to comply with ISO 9001

Quality Management Systems (QMS)

When conceptualizing “quality management,” it is best to think of it as an organization’s definition of how it will meet the quality requirements of customers and other stakeholders who are affected by its work. Implementing this requires an extensive alignment of company processes and procedural governance.

It’s easiest to think of a QMS as the facilitator of outlined processes that are required to fulfill ISO 9001 requirements. For example, if an organization has defined a change request process, it could use a cloud-based QMS to put that process in place. However, the benefits of a cloud-based QMS don’t have to end at ISO 9001. It can also help organizations comply with other regulations like GxP.

ISO 9001 Requirements

ISO 9001 requirements can sound very generic because they’re meant to be applied to any organization, big or small, in any industry. The key to ISO 9001 is the concept of continuous improvement, which is why specific requirements for what “quality” is are not defined. Rather, companies must create objectives and work toward improving processes to meet those objectives. That said, a certified QMS still must do the following:

  • Meet the requirements of other stakeholders, for example, customer requirements and regulatory standards
  • Ensure that employees receive training outlining the quality requirements
  • Determine and document the processes, their interactions and their results
  • Be able to produce records to prove that system requirements have been met
  • Constantly monitor quality management software performance
  • Address any risks that could result from changes
  • Perform internal audits and correct any issues
  • Continuously improve the QMS

From creation to disposal, document protocols must be clear and properly followed.With that in mind, ISO 9001’s purpose is to evaluate whether or not a QMS does a good job of managing processes while also being able to help organizations identify areas that need improvement. In simple terms, ISO 9001 helps companies who were making an excellent product most of the time, make an excellent product every time.

How can cloud quality management software help you get your ISO 9001 certification? Once you create processes that adhere to ISO 9001 quality management standards, you have to put them into practice. Enter: quality management software. But, how exactly does it help?

Optimal Time to Value

First, cloud-based software is the most cost-efficient to implement. Secondly, since a QMS needs to be accessible to every employee regardless of whether they work at HQ or on-site, cloud QMS are built to be mobile-friendly and easily accessed from any location.

Automated Document Lifecycles & Version Control

From creation to disposal, document protocols must be clear and properly followed. As up-to-date documents are an important factor in maintaining high levels of quality, the most recent versions of approved documents should be readily available while previous editions should be hidden away.

With cloud quality management software, workflows can automate the review and approval processes by automatically sharing documents with the right reviewers. Then, after the document has been approved, the changes will automatically be applied to the master document while the obsolete version is archived, helping to remove any chance of it being accidentally used after the update.

Easy Document Location & Metadata

According to ISO 9001, searching through an organization’s documents should be as easy as searching with Google. It’s an added bonus when the quality management software enables users to add custom metadata to documents. Metadata is just extra information that helps to define a document (like file size, type, date modified). With certain cloud-based QMS’, you can add custom metadata fields to make documents easier to find. For example, you can add an “expiration date” field that allows you to look up policies based on when they are set to expire.With the growing number of data breaches happening every year, it’s important to address the security components of a QMS.

Document Traceability

In order to pass any ISO 9001 audit, there needs to be a complete audit trail for every document, including active documents and the earlier archived versions. While this might seem like a big ask, cloud quality management software helps make this simple. Every single change to a document, regardless of whether it’s the current or past version, is tracked. When combined with automated workflows, you’re able to produce a precise log of every change made by every user.

Advanced User Permissions & Central File Ownership

With the growing number of data breaches happening every year, it’s important to address the security components of a QMS. Many of these issues can be resolved with user permissions, which is generally related to managing users’ editing and sharing access. The proper view, edit, and approval rights go a long way to reducing the risk of human error.

Another feature that may seem like common sense is central file ownership. When the organization owns all of its documents, there’s no need to worry that important files will be lost or deleted. With one owner, the damage that can be inflicted by malicious third-parties is also limited.

Cloud-based quality management software provides the flexibility and scalability, that cannabis startups need to comply with ISO 9001. With the cloud as a foundation, these systems will continue to be assets for the cannabis industry as it gains momentum and expands more.

Helix TCS Expands Internationally

By Aaron G. Biros
No Comments

According to a press release, Helix TCS and its subsidiary, BiotrackTHC, are expanding internationally at a rapid pace. The seed-to-sale traceability software solution now has customers in the United Kingdom, Canada, Colombia, Jamaica, Australia and New Zealand, in addition to the United States.

At home, they just successfully deployed North Dakota’s government cannabis traceability program. That program is one of nine government contracts the company has currently, where their seed-to-sale software is mandated for the state’s entire cannabis supply chain for compliance and regulatory oversight.

In addition to their international expansion and successful domestic government contracts, Helix TCS announced an exciting new addition to their leadership team. The company added former President of Mexico, Mr. Vicente Fox Quesada, to its Board of Directors, according to a press release. “A new industry is being borne, with high ethical standards, attracting massive investment in medical and health products, bringing economic growth and jobs to communities and nations,” says Fox. “I am proud to be part of it.”

According to Zachary Venegas, executive chairman and CEO of Helix TCS, Inc., Vicente Fox will help serve as a strategic advisor for their continued expansion abroad. “”We are honored to welcome former President Fox to our Board of Directors and to benefit from his strategic vision and global network,” says Venegas. “His addition is a significant multiplier in our further expansion into key production markets that we expect to become dominant cannabis export hubs that will require our full suite of services.”

According to Venegas, they are prepared to meet the needs of a globalizing cannabis economy. “As international markets develop and more countries create a legal cannabis industry, our technology and service solutions will continue to reach new markets quickly to meet the needs of businesses and regulators in any regulatory environment,” says Venegas. “We are very excited to see the progress of legal cannabis on the global stage and we look forward to continuing to play a vital role in enabling a transparent and secure supply chain.”

Food Safety Hazards for the Cannabis Industry: ERP Can Help

By Daniel Erickson
No Comments

To say that there has been explosive growth in the cannabis edibles market is an understatement. In the next 5 years, edibles are expected to become a $5.3 billion industry according to the Brightfield Group, a cannabis market research firm. Skyrocketing demand for cannabis infusion in food and beverage products, both recreational and medical, has prompted concern for the health and safety of consumers due to the lack of federal legality and regulatory guidelines for these products. Edibles consumers assume the same level of safety and quality present in other food and beverage products in the market. Progressive cannabis operations are opting to follow current food safety guidelines to mitigate hazards despite not being legally required to do so. Utilizing these guidelines, as well as incorporating an industry-specific ERP solution to automate processes, enables cannabis businesses to provide quality, consistent products and establish standards to support the eventuality of federal cannabis legalization.

FDAlogoEdibles consumption has grown not only in a recreational capacity but also for medicinal use to treat chronic pain, relieve epilepsy symptoms, decrease nausea, combat anxiety and other health issues. Cannabidiol (CBD) infused products take many forms including candies, baked goods, chocolate, oils, sprays, beer, soda, tea and coffee. Their popularity is partly due to their more socially acceptable use, creating an appeal to a wider audience. While the Food and Drug Administration (FDA) is responsible for overseeing food and beverage safety for products sold in the United States, their regulations are not enforced in the cannabis-infused marketplace. Without federal regulatory standards, there exist inherent food safety concerns that create risks to consumers. The average cannabis edibles customer is likely unaware of the “consume at your own risk” nature of the products.

The structure of cannabidiol (CBD), one of 400 active compounds found in cannabis.

There are many consequences of not addressing food safety hazards, as the possibility of food-borne illnesses resulting from unsafe and unsanitary manufacturing facilities have become increasingly likely in an unregulated market. In addition to these concerns, problems particular to cannabis growing and harvesting practices are also possible. Aflatoxins (mold carcinogens) on the cannabis bud, pesticide residue on plants, pest contamination, improper employee handling and training and inaccurate levels of CBD all contribute to the risk of outbreaks, hefty fines, recalls or business closure. To mitigate the risk of exposure, it is recommended that edible manufacturers employ a proactive approach of observing proper food safety standards that encompass the growing, manufacturing, packaging, handling, storing and selling of products. With a focus on safety, cannabis edible manufacturers utilizing an ERP solution and vendor with experience in food safety management will reap the benefits that food and beverage businesses have experienced for decades.

Following established food safety protocols and guidelines of the food and beverage and dietary supplement industry, allows manufacturers of cannabis-infused edibles to implement a proactive approach by focusing on safety and reducing the risk to their operations. Food and beverage manufacturing best practices include: maintaining supplier list, quality control testing, sanitary handling of consumables, maintaining clean facilities and mitigating cross-contamination. Successful food and beverage manufacturers also incorporate a food safety team, preventative controls, and a food safety plan (FSP) including a detailed recall plan into their safety initiatives.HACCP

Establishing and maintaining a supplier list with approved quality ingredients is an essential building block for reducing food safety hazards and can be easily maintained within an ERP. Documentation of vendor information and recording of stringent testing results ensures that specific quality standards are met. Conducting extensive research regarding the source of the ingredients for use in cannabis edibles allows companies to confirm that raw ingredients were processed in a safe environment. The importance of supply chain visibility cannot be understated, as suppliers are in control of potential hazards. Quality processes and regularly performed testing is automated through the workflow of an ERP solution in the manufacturing facility – enabling noncompliant raw materials to be quarantined and removed from production. The ERP solution allows for management of critical control points to catch non-compliance issues and set-up of alternate suppliers in case of supplier-related issues. Maintaining approved supplier lists is an industry best practice that provides current and accurate information in the event of possible consumer adverse reactions.

GMPFollowing current Good Manufacturing Practices (cGMPs) should underlie efforts to address food safety concerns in the cannabis edibles industry. An ERP solution assists with documenting these quality initiatives to ensure the safe and sanitary manufacturing, storage and packaging of food for human consumption. This includes evaluating equipment status, establishing cleaning and sanitation procedures and eliminating allergen cross-contamination. Employee training is conducted and documentation maintained in the ERP solution to ensure hygienic procedures, allergen awareness, illness reporting and required food or cannabis handling certifications.

Cannabis businesses can benefit from establishing a food safety team tasked with developing a Hazard Analysis Critical Control Points (HACCP) plan to provide effective procedures and protect consumers from the hazards inherent in edible cannabis products – including biological, chemical and physical dangers. Automating processes within an ERP solution prevents and controls hazards before food safety is compromised. Since HACCP plans have historically been used by food and beverage manufacturers to ensure a safe product for the consumer, cannabis edibles manufacturers can apply the lessons from these food safety protocols and procedures in their initiatives.By utilizing food safety best practices partnered with an ERP solution, cannabis businesses can avoid the negative consequences resulting from failure to address food safety hazards in manufacturing, storage and packaging. 

A comprehensive FSP, as required by the FDA’s Food Safety Modernization Act (FSMA), identifies food safety hazards and guides the development of a company-specific, validated plan. This plan documents processes throughout the manufacturing, processing, packaging and storage stages of the operation. ERP software provides real-time, forward and backward lot traceability from seed-to-sale with the ability to track materials, document recipes and accurately label products. This detailed level of traceability provides an automated system that implements and documents food safety policies throughout the manufacturing process. With a trained Preventative Control Qualified Individual (PCQI) implementing the FSP, preventative controls, recall plans and employee training records are maintained in an integrated system.

The cannabis market’s tremendous growth has driven edibles manufacturers to follow the same guidelines as mainstream food and beverage companies to ensure safety is afforded equally to consumers of cannabis edibles. By utilizing food safety best practices partnered with an ERP solution, cannabis businesses can avoid the negative consequences resulting from failure to address food safety hazards in manufacturing, storage and packaging. At the end of the day, it’s up to cannabis manufacturers to be proactive in ensuring cannabis edibles are safe to consume until regulations are mandated.

The New ISO/IEC 17025:2017: The Updated Standard

By Ravi Kanipayor, Christian Bax, Dr. George Anastasopoulos
No Comments

As state cannabis regulatory frameworks across the country continue to evolve, accreditation is becoming increasingly important. Because it provides consistent, turnkey standards and third-party verification, accreditation is quickly emerging as an important tool for regulators. For cannabis testing laboratories, this trend has been especially pronounced with the increasing number of states that require accreditation to ISO/IEC 17025.

As of 2017 there were nearly 68,000 laboratories accredited to ISO/IEC 17025, making it the single most important benchmark for testing laboratories around the world. ISO/IEC 17025:2005 specifies the general requirements for the competence to carry out tests including sampling. It covers testing performed using standard methods, non-standard methods and laboratory-developed methods. It is applicable to all organizations performing tests including cannabis labs. The standard is applicable to all labs regardless of the number of personnel or the extent of the scope of testing activities.  Developed to promote confidence in the operation of laboratories, the standard is now being used as a key prerequisite to operate as a cannabis lab in many states.

There are currently 26 states in the United States (also Canada) that require medical or adult-use cannabis to be tested as of February 2019. Of those states, 18 require cannabis testing laboratories to be accredited – with the vast majority requiring ISO/IEC 17025 accreditation. States that require testing laboratories to attain ISO/IEC 17025 accreditation represent some of the largest and most sophisticated cannabis regulatory structures in the country, including California, Colorado, Maryland, Massachusetts, Michigan, Nevada and Ohio. As a consequence, many cannabis testing laboratories are taking note of recent changes to ISO/IEC 17025 standards.

ISO/IEC 17025 was first issued in 1999 by the International Organization for Standardization. The standard was updated in 2005, and again in 2017. The most recent update keeps many of the legacy standards from 2005, but adds several components – specifically requirements for impartiality, risk assessment and assessing measurement uncertainty. The remainder of this article takes a deeper dive into these three areas of ISO/IEC 17025, and what that means for cannabis testing laboratories.Objectivity is the absence or resolution of conflicts of interest to prevent adverse influence on laboratory activities.

Impartiality

ISO/IEC 17025:2005 touched on an impartiality requirement, but only briefly. The previous standard required laboratories that belonged to organizations performing activities other than testing and/or calibration to identify potential conflicts of interest for personnel involved with testing or calibration. It further required that laboratories had policies and procedures to avoid impartiality, though that requirement was quite vague.

ISO/IEC17025:2017 emphasizes the importance of impartiality and establishes strict requirements. Under the new standard, labs are responsible for conducting laboratory activities impartially and must structure and manage all laboratory activities to prevent commercial, financial or other operational pressures from undermining impartiality. The definitions section of the standard defines impartiality as the “presence of objectivity.” Objectivity is the absence or resolution of conflicts of interest to prevent adverse influence on laboratory activities. For further elaboration, the standard provides similar terms that also convey the meaning of impartiality: lack of prejudice, neutrality, balance, fairness, open-mindedness, even-handedness, detachment, freedom from conflicts of interest and freedom from bias.

To comply with the new standard, all personnel that could influence laboratory activities must act impartially. ISO/IEC 17025:2017 also requires that laboratory management demonstrate a commitment to impartiality. However, the standard is silent on how labs must demonstrate such commitment. As a starting point, some cannabis laboratories have incorporated statements emphasizing impartiality into their employee handbooks and requiring management and employee training on identifying and avoiding conflicts of interest.

Risk Assessment

Both the 2005 and 2017 versions contain management system requirements. A major update to this is the requirement in ISO/IEC 17025:2017 that laboratory management systems incorporate actions to address risks and opportunities. The new risk-based thinking in the 2017 version reduces prescriptive requirements and incorporates performance-based requirements.

Under ISO/IEC 17025:2017, laboratories must consider risks and opportunities associated with conducting laboratory activities. This analysis includes measures that ensure that:

  • The lab’s management system is successful;
  • The lab has policies to increase opportunities to achieve its goals and purpose;
  • The lab has taken steps to prevent or reduce undesired consequences and potential failures; and
  • The lab is achieving overall improvement.

Labs must be able to demonstrate how they prevent or mitigate any risks to impartiality that they identify.To comply with ISO/IEC 17025:2017, labs must plan and implement actions to address identified risks and opportunities into management systems. They must also measure the effectiveness of such actions. Importantly, the standard requires that the extent of risk assessments must be proportional to the impact a given risk may have on the validity of the laboratory’s test results.

ISO/IEC 17025:2017 does not require that labs document a formal risk management process, though labs have discretion to develop more extensive methods and processes if desired. To meet the requirements of the standard, actions to address risks can include sharing the risk, retaining the risk by informed decision, eliminating the risk source, pinpointing and avoiding threats, taking risks in order to pursue an opportunity, and changing the likelihood or consequence of the risk.

ISO/IEC 17025:2017 references “risks” generally throughout most of the standard. However, it specifically addresses risks to a laboratory’s impartiality in section 4.1. Note, the new standard requires that labs must not only conduct activities impartially, but also actively identify risks to their impartiality. This requirement is on-going, not annually or bi-annually. Risks to impartiality include risks arising from laboratory activities, from laboratory relationships, or from relationships of laboratory personnel. Relationships based on ownership, governance, shared resources, contracts, finances, marketing, management, personnel and payment of a sales commission or other inducements to perform under pressure can threaten a laboratory’s impartiality. Labs must be able to demonstrate how they prevent or mitigate any risks to impartiality that they identify.

Assessing Measurement Uncertainty With Decision Rules

ISO/IEC 17025:2005 required (only where necessary and relevant) test result reports to include a statement of compliance/non-compliance with specifications and to identify which clauses of the specification were met or not met. Such statements were required to take into account measurement uncertainty and if measurement results and uncertainties were omitted from the statement, the lab was required to record and maintain the results for future reference.

ISO/IEC 17025:2017 requires similar statements of conformity with an added “decision rule” element. When statements of conformity to a specification or standard are provided, labs must record the decision rule it uses and consider the level of risk the decision rule will have on recording false positive or negative test results. Like the 2005 version, labs must include statements of conformity in test result reports (only if necessary and relevant- see 5.10.3.1 (b)). Now, test result reports on statements of conformity must include the decision rule that was employed. 

Moving Forward

Because many states require ISO/IEC 17025 accreditation for licensing, cannabis testing labs across the country would be well advised to closely monitor the implications of changes in ISO/IEC 17025:2017 related to impartiality, risk assessment and measurement uncertainty. If you run a cannabis testing lab, the best way to ensure compliance is education, and the best place to learn more about the new requirements is from a globally recognized accreditation body, especially if it is a signatory to the International Laboratory Accreditation Cooperation (ILAC) for testing laboratories, calibration laboratories and inspection agencies.

References

Facts & Figures

ISO/IEC 17025:2005: General requirements for the competence of testing and calibration laboratories

ISO/IEC 17025:2017: General requirements for the competence of testing and calibration laboratories 

Soapbox

ERP’s Role in Ensuring Traceability & Compliance in the Cannabis Market

By Daniel Erickson
1 Comment

Recent trends in the cannabis space and media headlines reveal the challenges and complexities of the evolving cannabis industry with regard to traceability and compliance. Keeping abreast of the evolving state of legislative requirements is complex and requires effective procedures to ensure your business will flourish. At the forefront is the need to provide complete seed-to-sale traceability from the cannabis plant to the consumer, increasing the demand for effective tracking and reporting technologies to assure cultivators, manufacturers, processors and dispensaries are able to meet regulatory compliance requirements. An enterprise resource planning (ERP) solution offers a business management solution designed to integrate all aspects from the greenhouse and growing to inventory, recipe/formulation, production, quality and sales, providing complete traceability to meet compliance regulations.

The main force driving cannabusinesses’ adoption of strict traceability and secure systems to monitor the growth, production and distribution of cannabis is the Cole Memorandum of 2013 issued by former US Deputy Attorney General James Cole. The document was designed to prevent the distribution of cannabis to minors, as well as prevent marijuana revenue from being used for criminal enterprises. Due to the non-legal status of cannabis on the federal level, the memo provides guidance for states whose voters have passed legislation permitting recreational or medical cannabis use. If states institute procedures for transparent inventory control and tracking documentation, the memo indicates that the federal government will refrain from interference and/or prosecution. Despite the Trump administration rescinding the memo in early 2018, companies have largely continued to follow its guidelines in an attempt to avoid targeted enforcement of federal law. Local government reporting is a primary reason for strict inventory control, necessitating reliable traceability documentation of the chain-of-custody. 

Process metrics within an ERP solution are essential in providing the accountability necessary to meet required cannabis compliance initiatives. With a centralized, streamlined and secure system, each process becomes documented and repeatable – enabling best practices to provide an audit trail for accountability in all cannabis activities. Whether cultivating, extracting, manufacturing or dispensing cannabis, an ERP’s functionality assists with compliance demands to manage and support traceability and other state-level requirements.

An ERP solution solves the traceability and compliance issues faced by the industry by providing inventory control management and best practices that automates track and trace record keeping from seed to consumer. Growers are also implementing cultivation management solutions within their ERP and highly secure plant identification methods to mobilize greenhouse and inventory to support real-time tracking. Monitoring the loss of inventory due to damage, shrinkage, accidentally or purposeful destruction is efficiently documented to assure that inventory is accounted for. Similar to other process manufacturing industries, it is possible to produce tainted or unsafe products, therefore an ERP solution that supports product recall capabilities is fundamental. With a centralized framework for forward and backward lot, serial and plant ID tracking, the solution streamlines supply chain and inventory transactions to further ensure compliance-driven track and trace record keeping is met.

Local government reporting is a primary reason for strict inventory control, necessitating reliable traceability documentation of the chain-of-custody. Data regarding inventory audit and inspection details, complete with any discrepancies, must be reported to a states’ seed-to-sale tracking system to conform with legal requirements. An ERP utilizes cGMP best practices and reporting as safeguards to keep your company from violating compliance regulations. Failure to complete audits and meet reporting guidelines can be detrimental to your bottom line and lead to criminal penalties or a loss of license from a variety of entities including state regulators, auditors and law enforcement agencies. A comprehensive ERP solution integrates with the state-administered traceability systems more easily and reliably as compared to manual or stand-alone systems – saving time, money and detriment resulting from non-compliance.

Similar to other food and beverage manufacturers, the growing market for cannabis edibles can benefit from employing an ERP system to handle compliance with food safety initiatives – encompassing current and future requirements. Producers of cannabis-infused products for recreational and medicinal use are pursuing Global Food Safety Initiative (GFSI) certification, employing food safety professionals and implementing comprehensive food safety practices–taking advantage of ERP functionality and processes currently in place in similarly FDA regulated industries.

As legalization continues and reporting regulations standardize, dynamic cannabis ERP solutions for growers, processors and dispensaries will evolve to meet the demands and allow for operations to grow profitably.In addition to lot, serial and plant ID tracking, tracing a product back to the strain is equally important. An ERP can efficiently trace a cannabis strain from seedling through the final product, monitoring its genealogy, ongoing clone potency, CBD and THC content ratios and other attributes. The health, weight and required growing conditions of each individual plant or group of plants in the growing stages may be recorded throughout the plant’s lifecycle. In addition, unique plant identification regarding the performance of a particular strain or variety, how it was received by the market and other critical elements are tracked within ERP system. This tracking of particular strains assists with compliance-focused labeling and determining the specific market for selling and distribution of cannabis products.

Collecting, maintaining and accessing traceability and compliance data in a centralized ERP system is significant, but ensuring that information is safe from theft or corruption is imperative as well. An ERP solution with a secure platform that employs automated backups and redundancy plans is essential as it uses best practices to ensure proper procedures are followed within the company. User-based role permissions provide secure accessibility restricted to those with proper authorization. This level of security allows for monitoring and recording of processes and transactions throughout the growing stages, production and distribution; ensuring accountability and proper procedures are being followed. Investing in an ERP solution that implements this level of security aids companies in their data assurance measures and provides proper audit trails to meet regulations.

In this ever-changing industry, regulatory compliance is being met by cannabusinesses through the implementation of an ERP solution designed for the cannabis industry. Industry-specific ERP provides functionality to manage critical business metrics, inventory control, local and state reporting and record keeping, and data security ensuring complete seed-to-sale traceability while offering an integrated business management solution that supports growth and competitive advantage in the marketplace. As legalization continues and reporting regulations standardize, dynamic cannabis ERP solutions for growers, processors and dispensaries will evolve to meet the demands and allow for operations to grow profitably.

Why Comply: A Closer Look At Traceability For California’s Cannabis Businesses

By Scott Hinerfeld
3 Comments

Compliance should be top of mind for California’s cannabis operators. As the state works to implement regulations in the rapidly-growing cannabis industry, business owners need to be aware of what’s required to stay in good standing. As of January 1, 2019, that means reporting data to the state’s new track-and-trace system, Metrc.

What Is Track-and-Trace?

Track-and-Trace programs enable government oversight of commercial cannabis throughout its lifecycle—from “seed-to-sale.” Regulators can track a product’s journey from grower to processor to distributor to consumer, through data points captured at each step of the supply chain. Track-and-trace systems are practical for a number of reasons:

  • Taxation: ensure businesses pay their share of owed taxes
  • Quality assurance & safety: ensure cannabis products are safe to consume, coordinate product recalls
  • Account for cannabis grown vs. cannabis sold: curb inventory disappearing to the black market
  • Helps government get a macro view of the cannabis industry

The California Cannabis Track-and-Trace system (CCTT) gives state officials the ability to supervise and regulate the burgeoning cannabis industry in the golden state.

What Is Metrc?

Metrc is the platform California cannabis operators must use to record, track and maintain detailed information about their product for reporting. Metrc compiles this data and pushes it to the state.

Who Is Required To Use Metrc?

Starting January 1, 2019, all California state cannabis licensees are required to use Metrc. This includes licenses for cannabis: Proper tagging ensures that regulators can quickly trace inventory back to a particular plant or place of origin.

  • Cultivation
  • Manufacturing
  • Retail
  • Distribution
  • Testing labs
  • Microbusinesses

How Does Metrc Work?

Metrc uses a system of tagging and unique ID numbers to categorize and track cannabis from seed to sale. Tagged inventory in Metrc is sorted into 2 categories: plants and packages. Plants are further categorized as either immature or flowering. All plants are required to enter Metrc through immature plant lots of up to 100/plants per lot. Each lot is assigned a lot unique ID (UID), and each plant in the lot gets a unique Identifier plant tag. Immature plants are labeled with the lot UID, while flowering plants get a plant tag. Metrc generates these ID numbers and they cannot be reused. In addition to the UID, tags include a facility name, facility license number, application identifier (medical or recreational), and order dates for the tag. Proper tagging ensures that regulators can quickly trace inventory back to a particular plant or place of origin.

Packages are formed from immature plants, harvest batches, or other packages. Package tags are important for tracking inventory through processing, as the product changes form and changes hands. Each package receives a UID package tag, and as packages are refined and/or combined, they receive a new ID number, which holds all the other ID numbers in it and tells that package’s unique story.

Do I Have To Enter Data Into Metrc Manually?

You certainly can enter data into Metrc manually, but you probably won’t want to, and thankfully, you don’t have to. Metrc’s API allows for seamless communication between the system and many of your company’s existing tracking and reporting tools used for inventory, production, POS, invoices, orders, etc. These integrations automate the data entry process in many areas.As California operators work to get their ducks in a row, some ambiguity and confusion around Metrc’s roll out remains. 

Adopting and implementing cannabis ERP software is another way operators can automate compliance. These platforms combine software for point of sale, cultivation, distribution, processing and ecommerce into one unified system, which tracks everything and pushes it automatically to Metrc via the API. Since they’ve been developed specifically for the cannabis industry, they’re designed with cannabis supply chain and regulatory demands in mind.

As California operators work to get their ducks in a row, some ambiguity and confusion around Metrc’s roll out remains. Only businesses with full annual licenses are required to comply, leaving some temporary licensees unsure of how to proceed. Others are simply reluctant to transition from an off-the-grid, off-the-cuff model to digitally tracking and reporting everything down to the gram. But the stakes of non-compliance are high— the prospect of fines or loss of business is causing fear and concern for many. Integrated cannabis ERP software can simplify operations and offer continual, automated compliance, which should give operators peace of mind.