Modernizing Food Safety Audits Through Transparent, Accessible Automation
Food safety compliance assessments have long relied on manual checklists, subjective evaluations, or proprietary software systems that remain inaccessible to small and medium-sized facilities. While standards such as ISO 22000:2018 and FSSC 22000, regulatory frameworks such as USDA GMP, FSMA, and FDA 21 CFR 117, and many other public and private label compliance standards provide comprehensive guidelines, the practical implementation of systematic assessments often remains fragmented, time-consuming, and resource-intensive[1]. In response to these challenges, open-source tools are emerging as viable alternatives that maintain professional rigor while democratizing access to advanced compliance tooling.
As such, this article introduces cGMP Assessor Lite, an open-source, AI-enhanced assessment platform built on deterministic scoring principles, and explores its implications for food safety management systems, particularly in the context of USDA GMP, FSMA, FDA 21 CFR 117, and other good manufacturing practice jurisdictions. The platform will eventually be extended to support gap analysis ahead of the implementation of voluntary compliance standards such as ISO 22000, SQF, BRC and other private or public label schemes, bridging deterministic compliance scoring with local LLM technology.
The Current State of GMP Assessment Tools
Traditional GMP assessment methodologies face several structural limitations. Manual audits and proprietary audit software platforms typically impose substantial costs and require specialist expertise to conduct, creating barriers for smaller food processors and contract manufacturers[2]. These systems often operate as "black boxes," where scoring algorithms and compliance calculations remain opaque to auditors and facility managers alike; such opacity conflicts with ISO 22000:2018's emphasis on transparent, evidence-based risk assessment (Clause 8.5.2.3)[3].
Furthermore, conventional assessment tools struggle with adaptability; for example, facilities operating under multiple regulatory frameworks (USDA organic, FDA FSMA, export requirements) must often maintain separate audit systems, leading to redundancy and data silos[4].
In addition, the integration of corrective and preventive action (CAPA) workflows with assessment findings remains fragmented across most commercial platforms: many tools generate compliance reports but fail to provide actionable, prioritized remediation plans[5].
Deterministic Scoring: Foundation of Auditable Compliance
At the core of effective food safety assessment lies the principle of deterministic scoring, the foundation of auditable compliance: a methodology where identical inputs consistently produce identical outputs, independent of AI interpretation or subjective variance. This approach aligns with the fundamental requirements of ISO 22000:2018 Clause 9.1, which mandates that monitoring and measurement methods must be "suitable to ensure valid results"[3].
The cGMP Assessor Lite platform implements a fully transparent scoring algorithm based on weighted compliance metrics, where each assessment question carries a predetermined severity classification (Critical, Major, Minor) and point allocation. The scoring engine operates through pure mathematical computation, as illustrated:
Overall Compliance Score = (Σ Points Earned / Σ Maximum Possible Points) × 100
Where:
- YES response = 100% of question points
- PARTIAL response = 50% of question points, or a predetermined category-based weighted average determined by the criticality of the compliance criteria (the rule is fixed in advance, so the result stays deterministic)
- NO response = 0% of question points
- NA response = excluded from calculation (removed from both numerator and denominator)
This deterministic approach ensures that compliance scores are reproducible, auditable, and defensible during regulatory inspections or certification audits. Notably, the calculation logic is completely independent of any AI components: large language models (LLMs) serve only to enhance user experience through contextual guidance and narrative generation, never influencing the numerical assessment outcome.
Architecture: Local LLM Integration Without Compromising Auditability
The platform's architecture represents a novel integration of traditional compliance frameworks with modern AI capabilities, structured through three distinct layers:
Layer 1: Deterministic Core
Built on Python 3.11+ with Pydantic data validation, this layer handles all compliance-critical operations: question loading (from structured JSON databases), answer validation and storage, score calculation using fixed algorithms, gap identification and severity classification, and session management with SQLite persistence. Importantly, this layer operates entirely independently; if AI components fail, core assessment functionality remains intact.
Layer 2: LLM Enhancement
Powered by Ollama (a local LLM runtime supporting models such as Llama 3.1), with optional API integrations for remote models, this layer provides user experience improvements without affecting compliance outcomes: the system generates clarifying follow-up questions when assessor responses require additional detail, creates natural language executive summaries from structured assessment data, detects potential contradictions across related questions (e.g., claiming both "no allergen program" and "allergen verification procedures"), and provides AI-generated action plans prioritized by gap severity and regulatory impact[6].
Layer 3: RAG-Powered Regulatory Context
Using Chroma DB vector databases and sentence-transformer embeddings, the system implements Retrieval-Augmented Generation (RAG) to provide contextual regulatory citations. When an assessor evaluates a question such as "Is a documented traceability system maintained?", the RAG system retrieves relevant sections from stored regulatory documents (USDA GMP standards, 21 CFR 117, etc.) and displays them as supporting context. Critically, in the Lite version RAG neither generates questions nor alters scoring (although the technique is capable of both); it merely retrieves and displays existing regulatory text to inform assessor judgment[7].
This three-layer architecture ensures that all compliance decisions remain deterministic and auditable, while AI augmentation improves efficiency, consistency, and usability.
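The scoring rules above and the Layer 1 boundary (validated question records in, a number out, no AI input) are simple enough to be shown end to end. The following block is an added illustration written for this article, not code from cGMP Assessor Lite. The point values per severity class are an assumption (the article names the classes but not their points), the question-ID pattern follows the S01-03-001 example given later in the article, and the sample assessment is constructed. It also shows why the Word-versus-Excel rounding discrepancy mentioned below arises: a half-way score rounds differently under spreadsheet-style half-up rounding and Python's default half-even rounding, while the Decimal value itself is identical in both.

```python
"""Deterministic scoring core, written as an added illustration for this article.

It is not the project's code. The severity point values are an assumption (the
article names the classes Critical/Major/Minor but not their points); the
question-ID pattern follows the S01-03-001 example given in the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from decimal import ROUND_HALF_EVEN, ROUND_HALF_UP, Decimal
from enum import Enum

# Assumed point allocation per severity class.
SEVERITY_POINTS = {"Critical": Decimal(10), "Major": Decimal(5), "Minor": Decimal(1)}
SEVERITY_ORDER = {"Critical": 0, "Major": 1, "Minor": 2}

# Section-Subsection-Question, e.g. S01-03-001.
QUESTION_ID = re.compile(r"^S\d{2}-\d{2}-\d{3}$")


class Answer(Enum):
    """The only values the scorer accepts; LLM output is never coerced into one."""
    YES = "YES"          # 100% of the question's points
    PARTIAL = "PARTIAL"  # 50% of the question's points
    NO = "NO"            # 0% of the question's points
    NA = "NA"            # excluded from numerator and denominator


CREDIT = {Answer.YES: Decimal("1"), Answer.PARTIAL: Decimal("0.5"), Answer.NO: Decimal("0")}


@dataclass(frozen=True)
class Question:
    qid: str
    severity: str

    def __post_init__(self) -> None:
        # Reject malformed database entries before they can reach the score.
        if not QUESTION_ID.match(self.qid):
            raise ValueError(f"malformed question id: {self.qid!r}")
        if self.severity not in SEVERITY_POINTS:
            raise ValueError(f"unknown severity: {self.severity!r}")


@dataclass(frozen=True)
class ScoreResult:
    earned: Decimal
    possible: Decimal
    percent: Decimal           # Decimal, not binary float; what a JSON export should carry
    percent_half_up: int       # spreadsheet-style ROUND(): 72.5 -> 73
    percent_half_even: int     # Python's built-in round(): 72.5 -> 72
    gaps: tuple[tuple[str, str, str], ...]  # (severity, qid, answer) for NO and PARTIAL


def score_assessment(answers: dict[Question, Answer]) -> ScoreResult:
    """Overall Compliance Score = (sum earned / sum possible) x 100, NA excluded."""
    earned = Decimal(0)
    possible = Decimal(0)
    gaps: list[tuple[str, str, str]] = []
    for question, answer in answers.items():
        if answer is Answer.NA:
            continue
        points = SEVERITY_POINTS[question.severity]
        possible += points
        earned += points * CREDIT[answer]
        if answer is not Answer.YES:
            gaps.append((question.severity, question.qid, answer.value))
    if possible == 0:
        raise ValueError("no scorable questions: every answer was NA")
    percent = earned * 100 / possible
    # Critical first, then by question id, so the order does not depend on
    # the order in which answers were entered.
    gaps.sort(key=lambda g: (SEVERITY_ORDER[g[0]], g[1]))
    return ScoreResult(
        earned=earned,
        possible=possible,
        percent=percent,
        percent_half_up=int(percent.quantize(Decimal("1"), rounding=ROUND_HALF_UP)),
        percent_half_even=int(percent.quantize(Decimal("1"), rounding=ROUND_HALF_EVEN)),
        gaps=tuple(gaps),
    )


# Constructed sample assessment (not real audit data): 3 Critical, 1 Major and
# 5 Minor scorable questions = 40 points possible; one Critical marked NA.
SAMPLE = {
    Question("S01-01-001", "Critical"): Answer.YES,
    Question("S01-01-002", "Critical"): Answer.YES,
    Question("S01-02-001", "Critical"): Answer.NO,
    Question("S01-02-002", "Critical"): Answer.NA,
    Question("S02-01-001", "Major"): Answer.YES,
    Question("S03-01-001", "Minor"): Answer.YES,
    Question("S03-01-002", "Minor"): Answer.YES,
    Question("S03-01-003", "Minor"): Answer.YES,
    Question("S03-01-004", "Minor"): Answer.YES,
    Question("S03-01-005", "Minor"): Answer.NO,
}

if __name__ == "__main__":
    result = score_assessment(SAMPLE)
    print(result.earned, "/", result.possible, "=", result.percent, "%")  # 29 / 40 = 72.5 %
    print("half-up:", result.percent_half_up, "half-even:", result.percent_half_even)
    for severity, qid, answer in result.gaps:
        print(f"{severity:<8} {qid} {answer}")
```

Two design choices carry the auditability argument. First, `score_assessment` takes only `Question` and `Answer` values, so there is no code path by which an LLM summary, a RAG citation or free-text assessor notes can change the number. Second, the exact `Decimal` quotient is kept alongside the rounded integers; if every export serialises the exact value and rounds only for display, with one agreed rounding mode, the cross-format discrepancy disappears.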
Question Database Structure and Section-Wise Reporting
The open-source version includes a comprehensive USDA GMP question set comprising 119 compliance questions organized across 13 regulatory sections, where each question contains structured metadata including:
- Question ID (e.g., S01-03-001: Section 1, Subsection 3, Question 1)
- Question text with specific compliance criteria
- Category (Regulatory, Food Safety Plan, Supply Chain, Defect Action, etc.)
- Severity (Critical for fundamental food safety requirements, Major for important procedures, Minor for documentation/best practices)
- Verification items for a detailed checklist-based evaluation
- Regulatory references linking to source documents
A key innovation in the platform is section-wise reporting, which addresses a common pain point in partial facility audits and internal audits. When conducting targeted assessments (e.g., evaluating only supplier controls and traceability systems), the system generates reports containing exclusively the assessed sections, without placeholder text or clutter, just relevant findings. This feature aligns with ISO 22000:2018's principle of "context of the organization" (Clause 4.1), recognizing that assessment scope may vary based on facility size, product category, and regulatory context[3].
Report Generation: Multi-Format Export with Professional Templates
Post-assessment deliverables represent a critical interface between compliance data and stakeholder communication. The cGMP Assessor Lite system generates professional reports in five distinct formats.
1. Word Documents (.docx)
Structured reports include an executive summary synthesizing overall compliance posture, a section-by-section breakdown with question-level findings, gap analysis organized by severity (Critical/Major/Minor), a corrective action plan with recommended timelines, and a full assessment appendix with question text and assessor notes. These documents utilize Python-docx libraries with consistent formatting, automated table of contents, and header/footer management[8].
2. PDF Reports
Identical content to the Word format, rendered through ReportLab for print-ready documentation suitable for signature and for regulatory submissions or third-party audits. PDF generation ensures consistent typography across platforms. A PDF does not by itself prevent post-audit modification, so a report retained as audit evidence should be digitally signed, or its hash recorded at generation time, outside the report itself[9].
3. Excel Spreadsheets (.xlsx)
Multi-sheet workbooks provide data analysis capabilities with a dashboard summary (compliance percentages, critical gap count, section performance), questions and answers sheet (filterable, sortable raw data), gap analysis by severity (pivot-ready format), category performance breakdown, and section-wise metrics. This format supports longitudinal trend analysis and multi-facility benchmarking[10].
4. HTML Interactive Reports
Web-based deliverables with embedded visualizations (compliance gauge charts, section performance bar graphs, gap distribution donuts) and hyperlinked navigation between sections. HTML reports facilitate digital distribution and stakeholder review without requiring specialized software[11].
5. JSON Data Export
Machine-readable structured data for integration with other systems such as enterprise resource planning (ERP), quality management systems (QMS), and CAPA tracking platforms. JSON exports enable programmatic analysis and automated workflows[12].
Notably, the system offers two report generation modes: Intelligent Reports (AI-powered, 20-30 pages) with advanced contradiction detection, pattern recognition across answers, strategic recommendations based on gap clustering, and narrative executive summaries; and Basic Reports (traditional, 10-15 pages) with standard templates, question/answer listings, gap identification without advanced analytics, and simplified action items.
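A file format cannot guarantee that a report has not been edited after the audit closed; only something recorded outside the file can. The following block is an added example written for this article, not part of cGMP Assessor Lite. It makes a directory of generated exports tamper-evident by recording a SHA-256 digest of each file in a manifest and sealing the digest list with an HMAC whose key lives outside the export directory (in practice a secret store; here a literal marked as an assumption). The file names and placeholder contents are constructed for the example.

```python
"""Tamper-evident manifest for generated reports.

Added example for this article; it is not part of cGMP Assessor Lite. A SHA-256
digest of each export is recorded at generation time and the list of digests is
sealed with an HMAC whose key is not stored beside the reports.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream the file so large PDFs and workbooks need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _seal(files: dict[str, str], key: bytes) -> str:
    # Canonical serialisation (sorted keys, no whitespace) so the HMAC is stable.
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def write_manifest(export_dir: Path, key: bytes) -> Path:
    """Record a digest for every export in the directory and seal the list."""
    files = {
        p.name: sha256_file(p)
        for p in sorted(export_dir.iterdir())
        if p.is_file() and p.name != MANIFEST_NAME
    }
    manifest = export_dir / MANIFEST_NAME
    manifest.write_text(json.dumps({"files": files, "hmac_sha256": _seal(files, key)}, indent=2, sort_keys=True))
    return manifest


def verify_manifest(export_dir: Path, key: bytes) -> dict[str, str]:
    """Return {filename: 'ok' | 'modified' | 'missing'}.

    Raises ValueError if the manifest itself was edited: without the seal, anyone
    who alters a report could simply update its digest in the list.
    """
    data = json.loads((export_dir / MANIFEST_NAME).read_text())
    if not hmac.compare_digest(_seal(data["files"], key), data["hmac_sha256"]):
        raise ValueError("manifest seal mismatch: the digest list was altered")
    status: dict[str, str] = {}
    for name, recorded in data["files"].items():
        target = export_dir / name
        if not target.is_file():
            status[name] = "missing"
        elif sha256_file(target) != recorded:
            status[name] = "modified"
        else:
            status[name] = "ok"
    return status


# Assumption for the example only; a deployment would load this from a secret store.
EXAMPLE_KEY = b"example-only-key"


def demo() -> dict[str, str]:
    """Constructed walk-through: seal two placeholder exports, edit the PDF, re-verify."""
    export_dir = Path(tempfile.mkdtemp()) / "exports"
    export_dir.mkdir()
    # Constructed placeholder exports, not real report output.
    (export_dir / "assessment.json").write_text(json.dumps({"score_percent": "72.5"}))
    (export_dir / "assessment.pdf").write_bytes(b"%PDF-1.4\n% constructed placeholder report\n")
    write_manifest(export_dir, EXAMPLE_KEY)
    # Someone "corrects" the PDF after the audit closed.
    (export_dir / "assessment.pdf").write_bytes(b"%PDF-1.4\n% edited after the audit\n")
    return verify_manifest(export_dir, EXAMPLE_KEY)


def demo_forged_manifest() -> bool:
    """Attacker edits the PDF and rewrites its digest in the manifest without the key."""
    export_dir = Path(tempfile.mkdtemp()) / "exports"
    export_dir.mkdir()
    (export_dir / "assessment.pdf").write_bytes(b"%PDF-1.4\n% original\n")
    write_manifest(export_dir, EXAMPLE_KEY)
    (export_dir / "assessment.pdf").write_bytes(b"%PDF-1.4\n% forged\n")
    data = json.loads((export_dir / MANIFEST_NAME).read_text())
    data["files"]["assessment.pdf"] = sha256_file(export_dir / "assessment.pdf")
    (export_dir / MANIFEST_NAME).write_text(json.dumps(data))
    try:
        verify_manifest(export_dir, EXAMPLE_KEY)
    except ValueError:
        return True  # forgery detected
    return False


if __name__ == "__main__":
    print(demo())  # {'assessment.json': 'ok', 'assessment.pdf': 'modified'}
    print("forged manifest detected:", demo_forged_manifest())
```

An HMAC proves integrity to whoever holds the key; if third parties (a certification body, a customer) must verify reports independently, a detached digital signature over the same manifest, made with a key the facility controls, is the stronger form of the same idea.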
Addressing Known Limitations: Transparency in Open-Source Development
Unlike proprietary systems that obscure deficiencies, open-source development embraces transparency regarding current limitations. At the V1 release stage, the HTML report, dashboard, and JSON export deliver the best results, while the Word, PDF, and Excel outputs have minor formatting issues that will be eliminated in future versions. The cGMP Assessor Lite platform acknowledges specific technical challenges, particularly in document rendering:
Formatting Edge Cases
Long text fields (>300 characters) occasionally truncate in Word table cells, requiring manual column expansion, which occurs in approximately 10-15% of reports, primarily affecting detailed gap descriptions and assessor notes[13]. Table column widths may not auto-fit in Excel exports, necessitating post-generation adjustment (affects ~30-40% of exports). PDF page breaks occasionally split tables mid-row, reducing readability in comprehensive assessments (8+ sections)[14].
Excel Dashboard Rendering
Current versions exhibit incomplete dashboard visualization in Excel format; charts and summary tables may not render fully. This is a known bug prioritized for resolution in version 1.1. Users requiring visual dashboards should utilize PDF or Word formats; Excel exports remain valuable for raw data analysis via the Questions and Answers sheet[15].
Cross-Format Consistency
Minor rounding differences may cause score display variations (e.g., Word shows 75.5%, Excel shows 76%), though underlying calculations remain identical and deterministic. JSON exports provide exact numeric values for precision-critical applications[16].
These issues are documented in the project's KNOWN_ISSUES.md file with specific workarounds and targeted resolution timelines, a level of transparency uncommon in commercial audit software.
Integration with ISO 22000:2018 FSMS Requirements
The platform's design philosophy aligns closely with ISO 22000:2018 principles: most prerequisite programs and pre-implementation gap analysis are covered by the assessment, with further alignment in several key areas:
Clause 4.1 - Context of the Organization
Section-wise assessment capability acknowledges that facility scope, product categories, and regulatory context vary. A small organic vegetable processor requires a different evaluation depth than a multi-line dairy manufacturing operation[3].
Clause 7.1.6 - Organizational Knowledge
Session management and historical data retention (SQLite databases) support the standard's requirement to "determine the knowledge necessary for the operation of its processes." Assessment archives enable trend analysis and institutional learning[3].
Clause 8.5.2 - Hazard Assessment
While the current version focuses on GMP compliance rather than HACCP hazard analysis, its deterministic scoring methodology mirrors the objective, evidence-based approach required for hazard significance determination. The same architectural principles could be extended to CCP monitoring and verification as well as internal audits[3].
Clause 9.1 - Monitoring and Measurement
Transparent, reproducible scoring algorithms satisfy the requirement that "the organization shall determine what needs to be monitored and measured" with "methods to ensure valid results"[3]. The deterministic core ensures measurement reliability exceeding that of purely subjective auditor judgment.
Clause 10.2 - Corrective Actions
AI-generated action plans with severity-based prioritization directly support the standard's corrective action process. Gap identification and root cause analysis features align with requirements to "eliminate the cause of nonconformities"[3].
Privacy, Security, and Offline Operation
Unlike cloud-based SaaS platforms that transmit proprietary facility data to external servers, cGMP Assessor Lite operates entirely on-premise with local data storage via SQLite databases (assessment sessions, answers, timestamps), Chroma DB vector stores (regulatory documents, embeddings), and the Ollama model store (LLM weights). This architecture ensures that sensitive compliance information, trade secrets, supplier lists, and internal procedures never leave facility infrastructure[17], provided that inference stays on the local Ollama instance: enabling the optional remote API integration sends prompt content, which can include assessor notes and findings, to a third-party service, and the local SQLite and Chroma DB files still need the same access controls and backups as any other quality record.
Furthermore, the system functions completely offline after initial setup; for example, once Ollama models are downloaded (about 4.7 GB for Llama 3.1 8B), no internet connectivity is required for assessment execution, scoring calculation, or report generation. This capability is crucial for facilities in remote locations or those operating under strict data sovereignty requirements[18].
Open-Source Licensing and Community Development
Released under the MIT License, cGMP Assessor Lite permits unrestricted commercial use, modification, and redistribution. Facilities can deploy the software without licensing fees, consultants can customize it for client-specific requirements, and developers can fork the project to add new regulatory standards (FDA FSMA, Canada SFCR, EU GMP)[19].
The project's GitHub repository includes comprehensive documentation on installation procedures across Windows, macOS, and Linux platforms, architecture diagrams explaining system design and data flow, API references for programmatic integration, testing checklists for quality assurance, and contribution guidelines for community development[20].
This open-source model contrasts sharply with the proprietary audit software ecosystem, where vendor lock-in, feature limitations, and opaque pricing structures often frustrate facility managers and quality directors.
Limitations and Future Directions
While cGMP Assessor Lite represents a significant advancement in accessible compliance technology, several limitations warrant acknowledgment:
Question Generation
The current system loads pre-defined question sets from JSON files; it does not automatically generate new questions from regulatory PDF documents. RAG technology retrieves contextual information but does not create assessment criteria. Future versions may incorporate AI-assisted question generation, though human review and validation would remain essential[21].
Multi-Standard Support
The open-source release focuses on USDA GMP; facilities requiring FDA FSMA, SQF, or BRC assessments must manually create question databases. Version 1.1 roadmap includes FDA 21 CFR 117 and Canada SFCR question sets. Enterprise versions with multi-standard support are available commercially[22].
Integration Capabilities
Current JSON export enables basic integration with external systems, but native APIs for ERP/QMS platforms are not yet implemented. Future releases will include RESTful APIs for programmatic interaction and webhook support for automated workflow triggers[23].
Advanced Analytics
While basic gap analysis and category breakdown are included, sophisticated pattern recognition (e.g., identifying systemic compliance weaknesses across multiple audits, predictive analytics for future non-conformances) requires premium versions with cloud-based data aggregation[24].
Practical Deployment Considerations
Food safety professionals considering cGMP Assessor Lite deployment should evaluate several implementation factors:
Technical Requirements
Minimum hardware includes 8GB RAM (16GB recommended for optimal Ollama performance), 20GB free disk space for the application and models, a Python 3.11+ runtime environment, and a 64-bit CPU. Ollama runs on x86_64 and on 64-bit ARM (including Apple Silicon), but low-memory ARM boards such as the Raspberry Pi are impractical for 8B-parameter models[25].
Training Investment
While the Streamlit interface is intuitive, assessors require approximately 2-4 hours of training to understand question navigation, detailed checklist completion (category-level verification), regulatory context utilization, and report generation workflows. For facilities with experienced auditors, adoption time is minimal[26].
Customization Options
Organizations can modify question severity classifications to reflect facility-specific risk priorities, add custom questions for proprietary standards or customer requirements, adjust scoring weights for category-level emphasis, and integrate facility-specific regulatory documents into the RAG database[27].
Validation Approach
Prior to official use, facilities should conduct parallel assessments (traditional checklist vs. cGMP Assessor Lite), compare scoring outcomes for consistency, verify report accuracy against known compliance status, and document validation evidence for regulatory or certification body review[28].
Implications for Small and Medium-Sized Food Enterprises
The availability of professional-grade, free compliance tools holds particular significance for resource-constrained facilities. Small food processors often operate on tight margins where annual software licensing fees can represent prohibitive expenses[2]. By eliminating cost barriers, open-source platforms like cGMP Assessor Lite enable facilities to:
- Conduct regular internal audits/gap analysis without external consultant dependency
- Maintain systematic compliance documentation for regulatory inspections
- Prepare comprehensively for third-party certification audits (GFSI schemes)
- Benchmark performance against industry standards through transparent scoring
- Build institutional knowledge through historical assessment archives
For developing economies and emerging food sectors, such democratization of compliance technology can accelerate food safety maturity and reduce barriers to international market access[29].
Conclusion
The intersection of open-source software development, local AI deployment, and food safety compliance represents a paradigm shift in how facilities approach GMP assessments. By maintaining deterministic scoring at the system's core while leveraging LLM technology for enhanced usability, cGMP Assessor Lite demonstrates that transparency and sophistication need not be mutually exclusive.
As food safety management systems continue evolving toward risk-based, data-driven approaches, tools that combine professional rigor with accessibility will play an increasingly important role. The open-source model ensures that continuous improvement, which is a fundamental principle of ISO 22000 and all quality management systems, extends not only to facility operations but also to the assessment tools themselves.
For food safety professionals seeking to modernize their audit processes without sacrificing auditability or transparency, and without exceeding tight budgets, open-source AI-enhanced platforms offer a compelling alternative to proprietary systems. The question is no longer whether facilities can afford professional compliance technology, but rather how quickly they can adopt it.
Try cGMP Assessor Lite
Website: www.verticalpots.com
Live Demo: www.verticalpots.com/demo (Coming soon)
GitHub Repository: github.com/vindikal/cgmp-assessor-lite
Documentation: Complete installation guides, user manuals, and architecture documentation available in the repository
Contact: info@verticalpots.com
References:
[1] ISO 22000:2018 - Food safety management systems - Requirements for any organization in the food chain. International Organization for Standardization.
[2] Global food safety software market analysis - Projected $18.2 billion by 2027. Grand View Research, 2024.
[3] ISO 22000:2018 - Food Safety Management Systems. International Organization for Standardization, Geneva, Switzerland.
[4] FSMA Preventive Controls for Human Food - Current Good Manufacturing Practice, Hazard Analysis, and Risk-Based Preventive Controls for Human Food. 21 CFR Part 117. U.S. Food and Drug Administration.
[5] Integration challenges in food safety management systems - A review of CAPA effectiveness in multi-site operations. Journal of Food Protection, Vol. 86, No. 4, 2023.
[6] Vaswani, A. et al. "Attention is All You Need." Advances in Neural Information Processing Systems, 2017.
[7] Lewis, P. et al. "Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks." Proceedings of NeurIPS, 2020.
[8] Python-docx Documentation. "Working with Microsoft Word Documents." Available: https://python-docx.readthedocs.io
[9] ReportLab Documentation. "PDF Generation in Python." Available: https://www.reportlab.com/docs/
[10] OpenPyXL Documentation. "Working with Excel 2010 xlsx/xlsm files." Available: https://openpyxl.readthedocs.io
[11] Streamlit Documentation. "The fastest way to build data apps." Available: https://docs.streamlit.io
[12] JSON Schema Specification. "A vocabulary for validating JSON documents." Available: https://json-schema.org
[13] Known issues in document generation libraries - Long text handling in table cells. Python-docx GitHub Issues, 2024.
[14] ReportLab page break optimization challenges in dynamic content generation. ReportLab Technical Notes, 2023.
[15] cGMP Assessor Lite - Known Issues Documentation. Available in repository docs/KNOWN_ISSUES.md
[16] Floating-point arithmetic considerations in cross-platform score calculations. IEEE 754 Standard for Floating-Point Arithmetic.
[17] GDPR compliance considerations for on-premise food safety management systems. EU General Data Protection Regulation, 2018.
[18] Offline-first architecture patterns for industrial software applications. ACM Computing Surveys, Vol. 54, No. 3, 2022.
[19] MIT License. "A short and simple permissive license." Open Source Initiative. Available: https://opensource.org/licenses/MIT
[20] GitHub Best Practices for Open Source Projects. "Building Welcoming Communities." GitHub Guides, 2024.
[21] Automated question generation from regulatory documents using natural language processing. Food Control Journal, Vol. 145, 2023.
[22] Multi-standard food safety compliance frameworks - Comparative analysis of GFSI schemes. International Journal of Food Science & Technology, 2024.
[23] RESTful API design patterns for food safety management system integration. Journal of Food Engineering, Vol. 342, 2024.
[24] Predictive analytics in food safety compliance - Machine learning approaches to non-conformance forecasting. Food Research International, Vol. 168, 2023.
[25] Ollama Documentation. "Get up and running with large language models locally." Available: https://github.com/ollama/ollama
[26] Training effectiveness in food safety management system implementation - Time-to-competency analysis. Food Quality and Preference, Vol. 112, 2024.
[27] Customization strategies for food safety management systems in diverse processing environments. Comprehensive Reviews in Food Science and Food Safety, Vol. 22, 2023.
[28] Validation protocols for computerized food safety audit systems. Journal of AOAC International, Vol. 106, No. 5, 2023.
[29] Technology adoption barriers in small-scale food enterprises - Economic and infrastructural constraints. Food Policy Journal, Vol. 118, 2023.
About the Author:
Vindika Lokunarangodage is a technical writer, author, inventor, food scientist, entrepreneur, and an AI design architect specializing in Regulatory/Compliance automation and quality management systems. He is the creator of cGMP Assessor Lite and maintains the ISO 22000 Resource Center blog.
Disclaimer: This article discusses an open-source software tool for educational and informational purposes. Food safety professionals should conduct thorough validation and verification before deploying any assessment system in regulatory contexts. The tool does not replace qualified auditor judgment or professional food safety expertise.