Understanding the “Other” Clauses of ISO 22000
By Richard F. Stier and John G. Surak, Ph.D.
The ISO 22000 standard “Food Safety Management Systems — Requirements for Any Organization in the Food Chain” is just what the title says it is: a food safety management system (FSMS) with emphasis on the words management and system. Since this standard was issued in September 2005, it has been widely adopted globally. At the time this article was being prepared, over 2,400 companies throughout the world had received ISO 22000 certifications or its offspring, Food Safety System Certification (FSSC) 22000. FSSC 22000 is basically the ISO 22000 standard plus ISO 22002-1:2009 “Prerequisite programmes on food safety – Part 1: Food manufacturing.” FSSC 22000 was developed to meet the benchmarking requirements for the Global Food Safety Initiative (GFSI) (see “GFSI-Benchmarked Audit Schemes”). GFSI felt that ISO 22000 did not provide sufficient guidance to companies for the prerequisite programs. Besides those companies seeking certification of an FSMS, there are many that utilize ISO 22000 as a framework to develop an FSMS but have elected not to spend the money on certification. Buyers throughout the world now mandate that their suppliers adopt one of the GFSI-approved audit schemes to ensure the safety of what they are purchasing.
The building blocks of the ISO 22000 standard are:
1. Hazard Analysis and Critical Control Points (HACCP) as defined in the Codex Food Hygiene document
2. Prerequisite programs that define the basic conditions to maintain an hygienic environment
3. The components that are needed to have an effective management system
The final building block is based on ISO 9001:2000 and ISO 9001:2008 “Quality management systems – Requirements.” It is these elements that have occasionally given companies, especially in the U.S., some problems. By this, we mean there are some clauses that are literally a new paradigm for these operators. The FSSC 22000 management system is more than a superenhanced food safety system. It is a system that defines how food safety must be managed in the company. Building a successful FSMS using either ISO 22000 or FSSC 22000 is a multistep process. Figure 1 shows the process from management commitment to certification.
The different clauses in ISO 22000 may be seen in “ISO Clauses.” The specific clauses that have given people some problems include:
• Management responsibility, specifically management commitment, communication and management review
• Human Resources — Competence and work environment
• FSMS verification, specifically internal audits, process validation, prerequisite program verification and continual improvement
Processors generally understand how to develop, implement and document an HACCP program. It has been 25 years since the Codex Food Hygiene document and since the National Advisory Committee on Microbiological Criteria for Foods published their harmonized HACCP documents. Since that time, HACCP has been driven by economic and regulatory pressures. In the U.S., HACCP has been mandated for seafood, meat and poultry, as well as by buyers for all types of industries. However, it will be mandatory for all industries, once the Food Safety Modernization Act regulations are finalized.
Granted, processors still have problems with their HACCP programs and many may have gaps, but they are fairly clear on the concept. This article has been developed to help processors better understand these clauses, which are also elements in the other GFSI-benchmarked food safety schemes.
Management responsibility is strongly emphasized in ISO 22000. In general, individuals follow the directions and orders of their supervisors. Thus, if a company wants a strong emphasis on food safety, top management must take a proactive role in developing, documenting, implementing and, most importantly, maintaining the FSMS.
Food Safety Policy. There are audit schemes that emphasize a signed and dated food safety policy or mission statement, and assume a management committed to the program. The policy is a small but important part of the equation. It should be a concise summary of the operation’s commitment to food safety. However, when an auditor evaluates a company, he/she should see all employees conducting their work in compliance with the food safety policy.
An example of a food safety/quality policy may be seen in “Food Safety/Quality Policy.” The policy should emphasize the commitment to safety, meeting customer expectations, adherence to the regulations and continual improvement.
The policy needs to be communicated to the workforce. Management ensures that plant management and staff not only understand the policy but also follow it. A facility can communicate a policy in many ways. It should be included in an employee’s orientation session; it can be posted in different locations at the site; it may be addressed in refresher training or included in a document that everyone will read: their paycheck envelope. Auditors will ask employees if they are familiar with the policy as part of an audit or ask questions to describe how their activities affect food safety. At one facility, all team meetings begin by reciting their food safety policy.
The policy should be reviewed and updated on a regular basis. A large corporation will usually have a corporate food safety policy. Companies or divisions will usually adopt a policy that reflects the corporate document but focuses on the local operation.
Communication. Communication is another area processors may have some trouble implementing. The processor should ask the following questions: What do we mean by “external and internal communication?” How do we routinely communicate food safety issues both internally and externally?
Let’s first look at internal communication. Remember that the focus of the standard is food safety and properly communicating any potential issues. One of the most important messages in this area is never take anything for granted. Communication must be done clearly and concisely and follow documented protocols. The food safety team leader needs to be involved in either setting up, reviewing or ensuring the effectiveness of the protocols.
Take a step back and think about all the individuals or departments involved in processing, handling and storage of foods, ingredients and packaging, and how a seemingly innocuous activity can compromise food safety.
Internal communication involves more than just issues related to processing. It is imperative that issues that relate to food safety be not just understood but communicated throughout the organization. This is why many companies will have one or more persons on staff whose job is to follow regulatory developments and communicate these developments throughout the company. Not knowing is no excuse for noncompliance. To address regulatory issues, companies often maintain a register that includes all regulations to which they must comply.
Processors may want to document the primary ways they communicate food safety issues to employees. These communications can include discussing food safety at team meetings, posting videos or publishing newsletters. It should be noted that the processor needs to verify that all documented communication methods are effective.
Processors may also develop a register that lists all persons and/or departments within the company that are part of “internal communication” that would list contact information, highlight the means of communication, specifically citing documented procedures, and describe situations that must be communicated.
External communication is a little easier to understand. The rules are the same when it comes to food safety: clear and concise communication. A register is also an extremely useful tool and great first step when highlighting external communication. Listing all the organizations a company deals with can be a challenge: regulators, customers, suppliers, distributors, contractors, personnel agencies, service providers, trade associations and others. The same guidelines for establishing a register and procedures apply. It is also imperative that the company clearly define which group or persons should be responsible for different external communications and how they should be done.
With both external and internal communication, a regular program for verification and updating these programs must be implemented. Some may review and update their registers monthly and others quarterly. Make sure that all registers are dated and that the dates are changed whenever there is a review and update. Auditors will downgrade a company if lists have not been updated. In addition, auditors will ask employees if they understand and utilize the food safety information that was presented in communication programs.
Management Review. The management review is another problem area. All companies have management meetings, but the management review is more than that. The function of management review is a high-level review to determine whether the FSMS is effective and efficient.
How a management review is conducted varies with the size of the company. Small companies are now being required to implement management review in response to the requirements of GFSI-recognized audit schemes. In small companies, one person typically wears many hats. In a large company, the workload will be divided. One hint to better understand the management system and to create the foundation for the management review is to define who is responsible for managing each of the areas that comprise the FSMS. The job descriptions for each of these individuals must define their responsibilities within the FSMS. In addition, it is a good idea to create a single document that lists all the food safety areas and have each responsible person sign that list. This allows top management to better understand who is doing what, but will also help an auditor better understand who manages what. All of these persons will have a role in the management review.
When preparing for a management review, each person will be responsible for collating and analyzing the information related to food safety prior to the meeting. This information should include information from third-party audits, internal audit issues, quality issues, deviations from the HACCP plan, assessments of the results of verification activities, assessment of continual improvement activities that affect food safety, customer/consumer complaints, regulatory concerns, new technical data that affect their areas, emergency issues, “near misses” or other findings. Each manager, whether he/she is responsible for one area or many, will then bring this analysis to the review. In addition, the managers should bring ideas for further improving the FSMS to the meeting. Ideally, they should also conduct a preliminary evaluation of the potential benefits of the proposed change (i.e., a risk assessment of the proposed change).
The review will be convened and led by top management. Records or minutes of the meeting will be maintained. The presentations will focus on providing management with an overview of how the FSMS is being maintained, problems that have occurred and how the FSMS can be improved. The improvement plans will be evaluated by the management team. They should be prioritized based on potential risk to the business, and those proposals that have the greatest potential benefits for the business should be targeted for implementation. One of the outputs of the meeting should be not only the selection of possible improvements, but establishing timelines for completion, assignment of resources to do the work and establishing responsibility for managing the program. The management review, therefore, becomes a tool for continual improvement.
Verification and validation are perhaps the least understood of the basic HACCP principles.[1, 2] A requirement for an internal audit program adds another level of concern. Processors generally include activities such as review of measurements taken at CCPs and calibration records in their HACCP program. Controls have been established to ensure the safety of foods, beverages and ingredients at each CCP.
An internal audit entails much more work. The idea is for the company to examine all programs affecting food safety to determine if they are working as designed from a management perspective. Internal audits must be linked to other audit activities such as preoperational, finished product or facility audits.
Many companies conduct regular internal checks of the efficacy of their Good Manufacturing Practices, but these still do not address all that is expected in an internal audit. The expectations for an internal audit are as follows:
• Each section that is being audited be done independently
• Auditors have been trained and are competent to audit
• The audit examines documented procedures to determine that they are being properly followed
• The audit examines records to ensure that monitoring and verifying activities have been done as documented
• Persons have been trained and are competent to do their work, and the training records are available for review
• Issues identified during the internal audit are documented, and corrective actions have been completed and are effective
• Corrective actions developed by the managers responsible for the area being audited are reviewed to ensure that the corrective actions are completed and effective
And, like all elements of ISO 22000, the results of the internal audit are an integral part of the management review and continual improvement.
This can be a real challenge for small companies. Many elements make up an FSMS: cleaning, water quality maintenance, calibration, HACCP, personal hygiene, worker training, management review, allergen control, shipping and receiving, customer complaints, product testing, metal detection, vendor approval/management, traceability and recalls and others. To ensure that these programs are properly audited, the company needs to make a commitment to identifying and training a cadre of auditors.
Training may be done internally or a firm may be hired. Many companies will send their people to a program organized by a firm that conducts ISO internal auditor training. The company must also develop the audit format. This depends upon the company and the complexity of its programs. Some use forms, and others define the procedures subject to auditing. The bottom line is that the internal audit program, like the ISO 22000 standard, is a systems approach to verifying that procedures are being followed as documented.
The ISO 22000 standard is nearly 8 years old and has been growing in popularity year by year. It has also had a major influence not only on the format of all the audit schemes recognized by GFSI but also on many of the other private audit programs that have been developed. Nonetheless, it has been the elements discussed in this article that have created some problems with many processors. Recognizing that there is great interest in the standard among food processors, warehouse operations and others, the committee responsible for developing the standard has been actively working to develop a support document, entitled, aptly enough, How to Use ISO 22000. The guidance document looks at each clause of the standard and has been designed to provide users, especially small processors who may not have the expertise present in large companies, with assistance on how to develop and implement their programs. We hope this article will help processors interested in ISO 22000 move forward to use the standard, whether toward certification or simply to utilize the standard as the basis for their FSMS.
Richard F. Stier is a consulting food scientist and an editorial advisor to Food Safety Magazine. He can be reached at firstname.lastname@example.org.
John G. Surak, Ph.D., is the principal of Surak and Associates and is an editorial advisor to Food Safety Magazine. His website is www.stratecon-intl.com/jsurak.html. He can be reached at email@example.com.
1. Stier, R.F. and J.G. Surak. 2010. Verification: Making sure your food safety management system is working. Food Safety Magazine 16(2):24–29.
2. Surak, J.G. and R.F. Stier. 2009. Validating food safety controls. Food Safety Magazine 15(4):16–21, 67.
The Global Food Safety Initiative (GFSI) benchmarks food safety management system audit schemes. GFSI does not write or approve food safety standards. The organization determines whether a scheme meets GFSI’s requirements as defined in its Guidance Document.
Audit schemes have been developed for both production agriculture and food manufacturing. GFSI recognizes the following audit schemes:
• British Retail Consortium Global Standard for Food Safety (Fifth Edition)
• CanadaGAP (Canadian Horticultural Council On-Farm Food Safety Program)
• FSSC 22000 Food Products
• Global Aquaculture Alliance Seafood Processing Standard
• Global Red Meat Standard
• International Food Standard Version 5
• Safe Quality Food
An audit scheme consists of two parts:
1. Audit standard(s) such as ISO 22000 and ISO 22002-1
2. The audit protocol
The audit protocol defines the requirements for auditors, certification bodies and accreditation bodies. These are defined in special ISO standards. These standards are necessary to make the certification process work.
2 Normative references
3 Terms and definitions
4.1 General requirements
4.2 Documentation requirements
5 Management responsibility
5.1 Management commitment
5.2 Food safety policy
5.3 FSMS planning
5.4 Responsibility and authority
5.5 Food safety team leader
5.7 Emergency preparedness and response
5.8 Management review
6 Resource management
6.1 Provision of resources
6.2 Human resources
6.4 Work environment
7 Planning and realization of safe products
7.2 Prerequisite programs (PRPs)
7.3 Preliminary steps to enable Hazard Analysis
7.4 Hazard Analysis
7.5 Establishing the operational PRPs
7.6 Establishing the HACCP plan
7.7 Updating of preliminary information and documents specifying the PRPs and the HACCP plan
7.8 Verification planning
7.9 Traceability system
7.10 Control of nonconformity
8 Validation, verification and improvement of the FSMS
8.2 Validation of control measure combinations
8.3 Control of monitoring and measuring
8.4 FSMS verification
This plant is committed to the production of high-quality, safe and wholesome foods that meet the expectations of our customer base. This will be accomplished through the application of the basic principles of the Hazard Analysis and Critical Control Points (HACCP) system, Good Manufacturing Practices (GMPs), Sanitation Standard Operating Procedures (SSOPs) and Standard Operating Procedures (SOPs) for production, packaging, shipping and receiving. The facility will be operated to ensure compliance with all applicable federal, state and local regulations.
This plant also is committed to education and training to ensure that all personnel understand the procedures and programs necessary to ensure quality and safety and so that the company not only can maintain our current programs, but also can improve them.