Food Safety and Risk Assessment
By John G. Surak, Ph.D. and Gustavo Gonzalez, Ph.D.
Risk assessment plays a central role in the operations of food companies. Risks companies must address include the following: food safety, food quality, personal health and safety, adverse environmental effects, biosecurity, information security and financial.
Management, especially senior management, has a responsibility to identify and mitigate risks within the organization. This poses a challenge to management, who need to provide direction on conducting risk assessments, including how those identified risks will impact the business.
The International Organization for Standardization (ISO) has published a number of standards in the risk management area. These standards include:
• ISO 9001:2008 Quality management systems — Requirements
• ISO 14001:2004 Environmental management systems — Requirements with guidance for use
• ISO 22000:2005 Food safety management systems (FSMS) — Requirements for any organization in the food chain
• ISO 22002-1:2009 Prerequisite programs (PRPs) on food safety — Part 1: Food manufacturing
• ISO/IEC 27001:2005 Information technology — Security techniques — Information security management systems — Requirements
• ISO 31000 Risk management — Principles and guidelines
• ISO 31010:2009 Risk management — Risk assessment technique
• ISO Guide 73:2009 Risk management — Vocabulary
The ISO 31000 series of standards was published in 2009. This series provides general guidance on identifying risks and then developing mitigation strategies. ISO 31000 is summarized in the sidebar.
ISO 22000 follows the risk management principles outlined in ISO 31000. However, there are some differences in how key terms are used between the two standards. ISO 31000 uses the term risk assessment to describe the overall process of risk identification and analysis. Risk analysis is used to describe the process to determine the level of risk.
In contrast, ISO 22000 and Codex Hazard Analysis and Critical Control Points (HACCP) use the term hazard analysis to define the process of collecting and evaluating information on hazards, while hazard identification is the process that determines the hazards that are most reasonably expected to occur, and hazard assessment analyzes a combination of the severity of the hazard and the likelihood of occurrence to determine the risk of creating a food safety problem. Once this is completed, a control scheme is developed based on the output of hazard analysis.
Hazard analysis is the primary hazard mitigation tool used to develop the FSMS. Historically, HACCP was the first food safety hazard mitigation process. As food safety systems were refined, hazard analysis was expanded to include the PRPs. Finally, HACCP and PRPs were integrated with the other components of management systems to create the FSMS. All of the Global Food Safety Initiative (GFSI)-benchmarked FSMS’s are based on the following three components:
• Other requirements needed for a management system
These components must properly function as a system to minimize the risk for creating a food safety incident.
During FSMS implementation, management must assess the food hazards and develop strategies to control the hazard to an acceptable level, eliminate the hazard or, when possible, prevent the effect of the hazard on the process and product (the proactive approach). In addition, validation, verification and monitoring procedures must be used to ensure that the FSMS functions in an effective manner.
PRPs have a critical role in the FSMS. They establish the environment to permit the production of safe food. A properly developed, implemented and verified PRP leads to the simplification of the HACCP plan.
ISO 22000-based FSMS’s use ISO 22002-1 (PAS 220) to define the PRPs for food manufacturing operations (Table 1). PRPs have a number of unique features:
• PRPs deal indirectly with food safety issues; they establish the culture for the production of safe food.
• PRPs are general programs that can be applied across manufacturing lines and products.
• Momentary failure of a PRP typically does not lead to a food safety incident but indicates a potential threat to food safety.
• Breakdown of a PRP can lead to a food safety incident.
• Many PRPs do not lend themselves to the concepts of validation and monitoring as defined by ISO 22000 or to the Codex standard on the validation of control measures.
Recently, the British Standards Institute (BSI) published PAS 223:2011. This standard describes the PRPs needed for food packaging manufacturers. Thus, PAS 223 is intended to be used in conjunction with ISO 22000 for certification of the FSMS of food packaging suppliers. The Foundation for Food Safety Certification, the certification owner for FSSC 22000, announced that it will extend the certification scope of FSSC 22000 with packaging material manufacturing using PAS 223 as the definition for PRPs. (FSSC 22000 is one of two GFSI-benchmarked FSMS’s based on ISO 22000 and ISO 22008-1. The other ISO 22000 FSMS certification system is Synergy 22000.)
PRPs: A Moving Target
The interpretation of PRPs has not been consistent. It has changed over time. For example, in the 1970s, it was considered appropriate to wear a lab coat in a food production area that had buttons and a breast pocket that could be used to store a pen. However, now the same lab coat cannot be closed with buttons, and the breast pocket must be removed.
In addition, PRPs may be applied in different ways, which are dependent on the location of the organization in the food chain. One example is chemical manufacturing facilities that produce a food ingredient. Many times, these operations can be classified as very low risk for microbial hazards. In addition, the ingredient is processed in a sequence of continuous, sealed vessels. Thus, the ingredient is not exposed to opportunities for cross-contamination until final ingredient packaging. Another example is in the area of warehousing and transport areas of food manufacturers. In these areas, product is packaged in primary and/or secondary packages. The packaging material protects the product from contamination or cross-contamination. The question that is raised is whether the facility can have exemptions in the application of some of the PRPs, such as in hair restraints in nonpackaging areas.
If a company is looking for an exemption from standard practices, it needs to develop a hazard analysis, and review this analysis with the certification body, prior to an audit. In this way, the company has reasonable assurance the auditor will accept the risk analysis and the control strategy.
An approach to conducting a hazard analysis is to use the same principles used in creating a HACCP plan. There is a need to conduct a risk analysis, develop and implement effective control measures and take appropriate action if there is a loss of control.
First, if the objective is to use an alternative control measure for a PRP in place of what is typically used, one must identify why the specific PRP was developed and why the typical control measure is used. Once the underlying issue is identified, a hazard analysis can be developed that defines the severity of the issue in light of a specific operation. For example, if the PRP in question is buttons on shirts in a chemical manufacturing operation that produces a food ingredient, and the product is produced in sequence-sealed vessels that are opened only for maintenance, do the operators need to wear button-free shirts? The risk analysis question is, what is the risk of a button falling off a shirt and into a sealed vessel that contains a product? Justification can be made that the risk is extremely low (maybe not zero, but very close to zero). Thus, is there justification for the need to have button-free shirts for the operators? However, in the same case, if maintenance needs to be done inside the vessel, and a mechanic needs to enter the vessel, there is an increased risk that a button will fall off a shirt, and that the button may not be recovered prior to transfer of the maintained vessel to production. Then the maintenance personnel need to wear button-free shirts.
A Case Study Example
Hair and beard restraint procedures and protocols vary from site to site.
Examples include the following:
• The use of hair restraints in operations where food is manufactured.
• No hair restraints are required if a person has a clean-shaven head and the person has less than 1 day’s hair growth.
• No hair restraints are required, for example, where food is handled such as in restaurants.
• The use of caps where food is handled, for example, at quick-service restaurants or in kitchens of restaurants.
• Beard restraints required for any individual with facial hair.
• Beard restraints required for beards and mustaches that have hair extending over the top lip.
• No beard restraints required for individuals with short, cropped mustaches.
• Every person in the processing facility wearing a face mask.
• The wearing of “bunny suits” or cleanroom suits with goggles and a mask that covers all hair.
This raises the question, what should the hair restraint policy be?
Starting with ISO 22002-1 (PAS 220), either standard states in clause 13.4 (work wear and protective clothing):
Workwear shall provide adequate coverage to ensure that hair, perspiration, etc. cannot contaminate the product. Hair, beards and mustaches shall be protected (i.e., completely enclosed) by restraints unless hazard analysis indicates otherwise.
The FDA regulations on Good Manufacturing Practices state the following:
Wearing, where appropriate, in an effective manner, hairnets, headbands, caps, beard covers or other effective hair restraints.
Thus, looking at the ISO 22002-1 and FDA regulations, there are no prescriptive requirements for what practices should be used. Best practices typically state that hair restraints should be worn at all times and that there should be a defined policy for beard and mustaches.
If a company has a policy that deviates from best practices and an auditor questions a policy, the auditor does not want to hear responses such as:
• This is a low-hazard food.
• This is a low-risk process.
• What about the eyebrows?
If the company wants to deviate from the best practice or wants an exclusion from a practice, a hazard analysis should be prepared to justify the position. The following items need to be considered in the hazard analysis:
• What is the potential for product contamination with a food hazard?
• How is the product protected?
• What are combination control measures or what are the alternative control measures?
• How robust are the existing control measures?
• How effective are the control measures?
• Are there any concerns?
• What is the reasoning for the proposed policy?
• What are the current best industry practices? Are there multiple best practices?
• Is there any chance for food safety to be compromised?
• Will exclusion in one part of the site affect the environment for food safety and affect the potential for food safety in other parts of the site?
The hazard analysis needs to show that food safety is not compromised. If a section of an FSMS is being excluded, then there will be a change in the context or assumptions for the FSMS.
A documented hazard that would exclude a section of an FSMS standard should include the following sections:
• Scope that describes the areas addressed by the hazard analysis. In addition, the scope should identify the reason for the exclusion.
• Describe the context or environment for ensuring food safety. Most exclusions will change the context on a site or part of the site. In addition, if the exclusion is in one part of the site, then there should be a description why this exclusion will not affect the environment for ensuring food safety in other parts of the site where the exclusion does not apply. This would include a description of how the product would be protected.
• Categorize the severity of the hazard and the likelihood of occurrence. If the organization does not feel there is a change in the likelihood of occurrence, the rationale for the decision needs to be described.
• Any description of best practices or validation studies to support the hazard analysis.
Exclusions to requirements of FSMS standards can be obtained, but a proper and detailed risk analysis must be conducted prior to implemention.
John G. Surak, Ph.D., is the principal of Surak and Associates and provides consulting on food safety and quality management systems, auditing management systems, designing and implementing process control systems and implementing Six Sigma and business analytics systems. He serves on the editorial board of Food Safety Magazine. His website is www.stratecon-intl.com/jsurak.html. Dr. Surak can be reached at [email protected].
Gustavo Gonzalez, Ph.D., is the corporate director of food safety at Specialty Foods Group Inc. He has extensive experience providing support and management for short courses, seminars and consulting services to the small- and medium-size food processing industry, especially to the meat industry.
CAC. 2008. CAC/GL 69 2008 Guideline for the validation of food safety control measures. Geneva: Codex Alimentarius Commission.
CAC. 2009. Food hygiene — Basic texts, 4th ed. Geneva: Codex Alimentarius Commission.
BSI. 2008. PAS 220:2008 Prerequisite programmes on food safety for food manufacturing. London: British Standards Institution.
BSI. 2011. PAS 223:2011 Prerequisite programmes on food safety for design and manufacture of food packaging — Specification. London: British Standards Institution.
FDA. 2011. Title 21 Food and Drugs — Part 110 Current good manufacturing practice in manufacturing, packaging, or holding foods. Washington, DC: The U.S. Food and Drug Administration.
ISO. 2004. ISO 14001:2004 Environmental management systems — Requirements with guidance for use. Geneva: International Organization for Standardization.
ISO. 2005. ISO 22000:2005 Food safety management systems — Requirements for any organization in the food chain. Geneva: International Organization for Standardization.
ISO. 2005. ISO/IEC 27001:2005 Information technology — Security techniques — Information security management systems — Requirements. Geneva: International Organization for Standardization.
ISO. 2008. ISO 9001:2008 Quality management systems — Requirements. Geneva: International Organization for Standardization.
ISO. 2009. ISO/TS 22002-1:2009 Prerequisite programmes on food safety — Part 1: Food manufacturing. Geneva: International Organization for Standardization.
ISO. 2009. ISO 31000:2009 Risk management — Principles and guidelines. Geneva: International Organization for Standardization.
ISO. 2009. ISO/IEC 31010:2009 Risk management — Risk assessment technique. Geneva: International Organization for Standardization.
ISO. 2009. ISO Guide 73:2009 Risk management — Vocabulary. Geneva: International Organization for Standardization.
In 2009, ISO issued a risk management standard. The standard provides 11 risk management principles, a framework for conducting risk management and process. In food safety, we assume that risk is negative. The standard assumes that risk is neutral, since the standard defines risk as “the effect of uncertainty on objectives.” Thus, if a company has an unexpectedly high amount of sales on a new product, there is a risk. The sales are unexpected, so has the company taken proper actions to deal with the situation?
The risk management process consists of five clauses within the standard. Two clauses are applied across the entire risk management process and one clause is divided into three subclauses.
The following figure outlines the risk management process.
Communications and monitoring review are activities that affect the entire risk management process. Communications address both the external and internal communications at all stages during the risk management process. Monitoring ensures that all controls are effective and efficient, generate information and knowledge to improve the risk assessment, detect changes in the external context and identify emerging risks. The first step is understanding the context or environment of the risk. In HACCP, this is accomplished in steps one through five of Codex HACCP. For PRPs, this can be done by understanding why specific PRPs are established and how these programs establish an environment for the production of safe food. Once this is done, risk analysis moves forward. This consists of risk identification, risk analysis and risk evaluation. Finally, risk treatment establishes the control strategy to manage the risk.
Validation, Verification and Monitoring
Validation, verification and monitoring are three terms that many food safety practitioners do not fully understand. ISO 22000 defines these activities in the following manner:
Validation is obtaining “evidence that the control measures managed by the HACCP plan and by the operational PRPs are capable of being effective.” Validation is normally conducted prior to operating a process.
Verification is “confirmation, through the provision of objective evidence, that specified requirements have been fulfilled.” Verification is done during or after a process has been performed.
Monitoring involves “conducting a planned sequence of observations or measurements to assess whether control measures are operating as intended.”
Many PRPs cannot be easily validated. Instead, most PRPs are developed based on experience and successful programs. For proper validation, these PRPs should be developed, implemented and shown to be successful for specific manufacturing sites prior to the manufacture of food for the market. ISO 22000 requires that PRPs be continually verified for effectiveness. One of the outputs of the process becomes the input for updating the FSMS.
Table 1: PRPs listed in ISO 22002-1:
• Construction and layout of buildings
• Layout of premises and workforce
• Utilities: air, water, energy
• Waste disposal
• Equipment suitability, cleaning and maintenance
• Management of purchased materials
• Measures for prevention of cross-contamination
• Cleaning and sanitizing
• Pest control
• Personnel hygiene and employee facilities
• Product recall procedure
• Product information/consumer awareness
• Food defense, biovigilance and bioterrorism