Nuno Soares talks about the importance of ISO certification and its recent update.
When ‘ISO 22000:2005 Food safety management systems - Requirements for any organization in the food chain’ was first published in 2005, other food safety certification programmes were already in use, namely SQF (1994), BRC (1998), and IFS (2003). In fact, in 2000 the world’s food retailers working together in the Consumer Goods Forum (at the time CIES - The Food Business Forum) had already created Global Food Safety Initiative (GFSI) with a compelling goal: once certified, recognised everywhere. Therefore, ISO was a late starter in the word of food safety systems but nevertheless, 13 years later, ISO 22000 is the most implemented system worldwide.
Image may be NSFW. Clik here to view.
Table 1 - Certified Organizations
When we look at the number of certified organisations in 2016/2017, ISO 22000 is clearly above all the others. If we take into consideration that FSSC 22000 is also based on ISO 22000, it becomes obvious how important and well accepted this system is by the food industry.
How can this success be explained?
The drivers for ISO 22000 family success are deep-rooted into the principles of all ISO’s standards: bringing together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards.
ISO is an independent, non-governmental international organisation with 162 national standards bodies that goes back to 1946, when delegates from 25 countries decided to create an international organisation. Specialists from over 30 countries worked on the ISO 22000:2005 revision.
Another important feature of ISO 22000 is presented in its scope: “All requirements of this document are generic and are intended to be applicable to all organizations in the food chain, regardless of size and complexity”. Independence, consensus-based and widely applicability are the core principles that distinguish ISO 22000 from other food safety systems.
The new version of the standard, ISO 22000:2018, was published in June 2018 and according with the technical committee responsible for updating the standard (ISO/TC 34/SC 17) as “after being on the market for 10 years the document needed to be updated, not only to integrate all the experience gained but also to follow the same structure as all the other ISO management system standards, the High Level Structure”. The main changes are presented below.
Standard Structure - What has changed?
The table below shows the main clauses from ISO 22000:2005 and ISO 22000:2018. In the new version, the different subjects addressed by the standard are organised according to their position in the PLAN-DO-CHECK-ACT (PDCA) cycle.
Image may be NSFW. Clik here to view.
Table 2 - Structural differences
In the introduction it is also noticed that the new version promotes the adoption of a process approach in the development and implementation of the food safety management system. This process approach is subdivided into a Plan-Do-Check-Act (PDCA) cycle and risk-based thinking. The concept of PDCA cycle, although not addressed in ISO 22000:2005, is not new for the system, being included into ISO 22004:2014 (Guidance on the application of ISO 22000). But now, there is a twist since this new version distinguishes between a PDCA for the organisational planning and another for the operational planning, being the control of communication between the two cycles. The risk-based thinking is only briefly mentioned as it has always been a characteristic of HACCP, but it is mentioned that it should also be addressed in two levels like the PDCA, and therefore it should also be applied in the organisational planning and control (i.e. also in all the system clauses besides nº 8).
Clause 4 - Context of the Organisation
This clause is nearly all new and is mainly focused on defining how organisations shall establish the Food Safety Management System (FSMS) scope. For that, according to the standard, there are three things organisations must do/know.
Image may be NSFW. Clik here to view.
Figure 1 - Scope
From these items, the one that is the most straightforward for food safety practitioners is the definition of requirements. For that, organisations must first determine who the interested parties are and then gather their requirements regarding food safety.
To identify the interested parties, it is essential to consider all the participants that have an impact on food safety, both internal or external. For example, employees, management, and owners can be considered internal interested parties; suppliers, society, government, customers, and consumers are examples of external interested parties.
The new approach where organisations must understand their context and how those issues are relevant to their purpose and ability to achieve the FSMS results may pose a challenge to organisations, not only in defining it but also in how to audit it. One option would be to seek advice from people that have other ISO management systems implemented (or have experience in implementing it) since this approach is common to all ISO management systems that have adopted the High Level (e.g., ISO 9001 or 14001).
Finally, the organisation must define the FSMS boundaries so that the scope may specify the products and services, processes, and production sites included in the FSMS. In the 2005 version, services were not included in what the scope should specify. The scope must also consider the context of the organisation and the needs and expectations of the interested parties, so that the FSMS will be established in an objective and consistent way to the reality of the company.
Clause 5 - Leadership
In this clause, the new standard presents a list of actions that top management should do to demonstrate its commitment towards the FSMS. The role of top management with respect to the FSMS is reinforced in the new version, since not only commitment (2005 version) but also leadership shall be demonstrated.
Regarding policy, there are no major differences when compared with the last version, although it includes an interesting reference to the importance of communicating policy with interested parties.
Clause 5.3 presents details about responsibilities and authorities top management shall assign and introduces the idea that the responsibility of top management is not limited to assigning and communicating responsibilities and authorities, but also to ensuring that they are understood. Besides defining what the food safety team leader shall be responsible for (that was also present in the 2005 version), it also clarifies other responsibilities and authorities that top management shall define (e.g. reporting on the FSMS performance, ensuring that the FSMS conforms to requirements). It also encourages sharing more responsibility over the entire organisation to achieve the effectiveness of the FSMS, designating persons with defined responsibility and authority to initiate and document actions(s).
Clause 6 - Planning
In clause 6.1, the concepts of risks and opportunities are introduced as something that the organisation must determine, considering relevant issues (internal or external) and requirements from interested parties. Then the organisation must plan, not only actions to address these risks and opportunities, but also how to integrate, implement, and evaluate the effectiveness of these actions.
The responsibility for establishing objectives and retaining documented information on them is set on clause 6.2. There is a higher emphasis on the importance of objectives than in the last version. Objectives shall be consistent and measurable, take into account the requirements, and be monitored, verifiable, communicated, and updated.
Image may be NSFW. Clik here to view.
Figure 2 - Plan
When planning how to achieve objectives, the steps shown in Figure 2 should be taken in consideration.
Clause 7 - Support
Clause 7 presents requirements regarding several supporting activities like resource management, people competence and awareness, communication and documented information management.
Resources in clause (7.1) are divided into:
• People (7.1.2)
• Infrastructure (7.1.3)
• Work environment (7.1.4)
• Externally developed elements of the FSMS (7.1.5)
• Control of externally provided process, products or services (7.1.6)
Resources can be approached by the prism of external or internal resources. Clause 7.1.3 and 7.1.4 manage internal resources, and clause 7.1.5 and clause 7.1.6 manage external resources. People (clause 7.1.2) can be either internal or external. Internal people are addressed in clause 7.2 (Competence) and 7.3 (Awareness) mainly to imply that the organisation determines and ensures the competence and awareness (e.g. policy, objectives) of relevant persons. When assistance from external people is needed (e.g. experts), the organisation shall retain documented information (e.g. contracts defining competencies). Retaining relevant information is also mandatory when the organisation opts to:
• develop elements of the FSMS externally – guaranteeing that they are applicable, adapted, and updated
• use external providers of processes, products, and services – guaranteeing communication, evaluation, and monitoring
When comparing clause 7.4 (communication) with clause 5.6 in the 2005 version, the new version adds that the organisation shall not only ensure that the requirements for effective communication are understood but also determines the details shown in Figure 3.
Image may be NSFW. Clik here to view.
Figure 3 - Communication
In terms of managing documentation, there is a different approach in the new version. Instead of dividing the clause into control of documents and control of records, it is presented as creating, updating, and controling documented information. Another significant change is the fact that a formal written procedure to control documents and records is no longer mandatory. This seems to be in line with the guidelines of ISO 9001:2015, promoting a more process-focused management system than document-based. This new version gives a focus on protection of confidentiality and integrity of documented information, reflecting the increasing importance of these issues to organisations and to society as a whole. In a note, it is explained that control of access to documented information may imply defining different permissions (view only or view and change).
Clause 8 - Operation
In clause 8 we reach the core of the standard and we can find most of the content related to the Codex HACCP principles and its steps. In fact, only Step 1 (Assemble HACCP team) and Step 12 (Establishing documentation and record keeping) are totally addressed outside clause 8 (in clauses 5.3 and 7.5 respectively). Internal audit, which is a verification procedure (Step 11), is covered in clause 9.2.
Clause 8.1 - Operational planning and control
This clause has several differences when compared with the equivalent 7.1 of the 2005 version. It is more precise about an organisation’s responsibility regarding processes that are needed to meet requirements (plan, implement, control, maintain, and update) and provides examples on how to do it (establishing criteria, implementing control of the processes and demonstrating that processes have been carried out as planned). It also introduces the necessity to implement actions in the risk and opportunities assessment.
Clause 8.2 - Prerequisite programmes
Prerequisite programmes are a key aspect of any food safety system. There are some differences when compared with the 2005 version as the word update was added in “establish, implement, maintain and update PRP(s)”
When selecting and/or implementing PRP(s) organisations:
Image may be NSFW. Clik here to view.
Table 3 - Prerequisits
The wording is very important; the standard includes the terms “shall” indicating a mandatory requirement and “should” indicating a recommendation. This signifies that the ONLY prerequisites organisations must implement (mandatory) are the ones presented in the standard (clause 8.2.4) since ISO/TS 22002 series prerequisites are not compulsory.
When clause 8.2.4 of the standard is compared with ISO/TS 22002-1 (Prerequisites for Food manufacturing) something stands out immediately: Food defense, biovigilance and bioterrorism. This is mandatory if organisations follow ISO/TS 22002-1 but not if you set your prerequisites according to ISO 22000:2018.
The list of prerequisites in the new ISO 22000 closely resembles those addressed in the 2005 version. The two main differences are the addition of the terms product information/consumer awareness and supplier approval (although it is probable that most organisations have some related procedure in place to address the management of purchased materials that was present in the previous version).
Clause 8.3 - Traceability system
The new standard presents a list of topics that organisation should consider when establishing traceability systems. For example, reworking of materials/products (not mentioned in the previous version) and the relation between the lots of received materials, ingredients and intermediate products to the end products.
The mandatory verification and testing of the traceability system effectiveness is presented in the 2018 version. Although this was not specified in the 2005 version, the guide for its application (ISO 22004:2014) did include a reference to making tests.
What is totally new,however, is the reference to quantities reconciliation (end products vs ingredients).
Clause 8.4 - Emergency preparedness and response
In comparison with clause 5.7 of ISO 22000:2005, it is apparent that the term “accident” has been substituted for the term “incident”. This new clause is more comprehensive than the 2005 version (which was just a small paragraph) but most of the new content was developed in ISO 22004:2014. Nevertheless, it should be emphasised that it is now mandatory to take actions to reduce the consequences of the emergency situation, and then review and update documentation.
Some new examples of emergency situations were added, including: workplace accidents, public health emergencies, interruptions of services like water, electricity or refrigeration supply.
Clause 8.5 - Hazard Control
Clause 8.5.1 - Preliminary steps to enable hazard analysis
The first step of hazard control is to identify raw materials, ingredients, product contact materials and end products (and their intended use) and to prepare flow diagrams and describe processes.
In this new version, more detail is provided regarding the information that shall be collected to carry out hazard analysis. The previous version only mentioned “All relevant information needed to conduct hazard analysis”. Now, it is clear that, at a minimum, the information that shall be collected by the food safety team should include:
1) statutory, regulatory and customer requirements
2) products processes and equipment and
3) food safety hazards
A new item has been added to the information that organisations shall maintain about raw materials, ingredients, product contact materials – namely the source (e.g. animal, mineral or vegetable). This new information is also in place to clarify some misunderstandings that the term “origin” used in the last version brought. In fact, the new wording (for origin) is “place of origin (provenance)” which makes it more obvious that the organisation shall identify the provenance of the products.
Regarding flow diagrams and their preparation, it has been specified that the introduction of processing aids, packaging materials and utilities in the flow shall be included in the diagrams.
The number of issues that the food safety team must address when describing processes for the hazards analysis was expanded to:
Image may be NSFW. Clik here to view.
Figure 4 - Issues that the food safety team must address
Clause 8.5.2 - Hazard analysis
Where the 2005 version included the implicit understanding that the food safety team shall conduct hazard analysis based on the preliminary information, in the new version it is stated explicitly at the beginning.
There are also changes to the kind of information that shall be used to identify food safety hazards. The organisation shall now use also internal information (epidemiological, scientific and historical data) as well as statutory, regulatory and customer requirements for that purpose. When it comes to identifying the hazards, it was added that organisations shall now consider all steps in the flow diagram (instead of only the steps preceding and following the specified operation) and persons.
In hazard assessment, two very interesting remarks were added (in bold): the likelihood of occurrence shall be determined prior to the application if control measures and the severity evaluated in relation to the intended use.
After hazard identification, determination of acceptable levels and hazard assessment, the next step is to select and categorize control measures. For this, the new version presents several aspects to take in consideration (most of them similar to the last version). But three things are worthy of special consideration:
Assessing the feasibility of establishing measurable critical limits and/or measurable/ observable action criteria. This is not entirely new since something was already mentioned in table 1 of ISO 22004:2014
Assessing the feasibility of applying timely corrections in case of failure
The use of external requirements to choose control measures or impact their strictness
Clause 8.5.4 - Hazard control plan (HACCP/OPRP plan)
This clause combines information that was previously divided into two separate clauses: Establishing the operational prerequisite programmes and Establishing the HACCP plan. This assists in recognising that the Hazard Control Plan includes not only critical limit(s) at CCP but also action criteria for OPRP.
Regarding monitoring systems, the new version introduces the need to document the monitoring methods used and it adds the possibility of using equivalent methods (to calibration) for verification of reliable measurements or observations in the case of OPRPs.
Clause 8.6 - Updating the information specifying the PRPs and the hazard control plan.
This clause remains very similar to the equivalent in the 2005 version (clause 7.7). Besides using a hazard control plan to substitute what was previously considered as operational PRP(s) and HACCP plan, it introduces the requirement to update raw materials, ingredients and product-contact materials characteristics after establishing the hazard control plan.
Clause 8.7 - Control of monitoring and measuring.
There are no major differences in this clause but some adjustments that make it clearer and more specific.
The generic statement in the previous version, “The organisation shall provide evidence that the specified monitoring and measuring methods and equipment are adequate to ensure the performance of the monitoring and measuring procedures” has now been declared as mandatory for “monitoring and measuring activities related with the PRP(s) and hazard control plan”.
The clause is more demanding when it comes to the use of software for monitoring and measuring; demanding validation of its adequacy prior to use, and whenever it is changed/updated.
Clause 8.8 - Verification related to PRPs and the hazard control plan
There are 3 differences in this clause that are worth exploring. The list of what verification activities shall consist of, is equivalent to clause 7.8 of the 2005 version with one exception – more than just the implementation of PRP(s) shall be confirmed, but also its effectiveness. Rewording of operational OPRP(s) and HACCP plan to hazard control plan is also to be noted. It is now mandatory for the organisation to ensure the independence of the person that does verification activities. The new version indicates the need to take corrective actions whenever nonconformity is found on testing end product or direct process samples.
Clause 8.9 - Control of product and process nonconformities
Right from the title, it is strikingly clear that process nonconformities shall be controlled. Processes nonconformities are addressed in clause 8.9.2.4 which details the information that shall be retained to describe corrections made.
A general clause is added right at the beginning to define that only designated persons (with competence and authority) may evaluate nonconformities, and initiate corrections and corrective actions. In the 2005 version this information was dispersed throughout the clause.
Organisations are now clearly required to take actions to review nonconformities identified by consumers or in regulatory inspections reports (in the last version only customer complaints were given as example).
It is now also unambiguous that any product that fails to remain within critical limits at CCPs shall not be released, and treated according to clause 8.9.4.3 - Dispositions of nonconforming products.
Clause 9 - Performance evaluation
In clause 9 evaluation of the system performance is addressed. It is divided in 3 sub-clauses. Monitoring, measurement, analysis and evaluation is new and forces the organisation to define what and when monitoring and measurement should take place and how, when and who shall analyse and evaluate their results.
Within internal audits, the importance of taking into consideration changes in the FSMS and the results of monitoring and measurement when defining the audits program has been introduced. It also states that there is a duty to report the audit results to the food safety team and relevant management, and that internal audit should check compliance of the FSMS against food safety objectives and policy.
Management review has undergone several changes, especially in the inputs. Nonconformities and corrective actions, performance of external providers, adequacy of resources and opportunities for continual improvement shall also to be considered as inputs. The concept of external and internal issues is also covered in this clause as an input, whenever any change is considered relevant for the FSMS. Regarding the outputs the mains change is the inclusion of any decisions and actions related to continual improvement opportunities.
Clause 10 - Improvement
The first thing that is noticeable when comparing clause 10 - Improvement (2018 version) and clause 8.5- Improvement (2005 version) is that there is a new sub-clause which addresses nonconformity and corrective action. There is now clear guidance for the steps to take when nonconformity occurs:
Image may be NSFW. Clik here to view.
Figure 5 - Nonconformity
The sub-clause continual improvement (already present in the previous version) now includes the need for an organization to continuously improve the effectiveness of the FSMS as well as its suitability and adequacy. No relevant changes can be found in the last clause of the system (updating the FSMS).
Nuno Soares is a food engineer specialist working in food industry since 1999. Since gaining his professional experience, he has been working with people as quality and production manager. Together they have grown technically and as human beings, joining efforts in developing more efficient production sites and safer food products. Looking to know more about the business side of the food industry, he completed an MBA. With the goal of reaching further with his ideas for food safety and support other professionals in their daily work, he embraced more recently researching and publishing activities. For his PhD he researched on improving frozen shelf-live and protection developing a new glazing solution. After his first book Food safety in the Seafood Industry (Wiley) he has recently self-published the e-book: ISO 22000:2018 Explained in 25 diagrams.
