ISO 22000 Revised
By John G. Surak, Ph.D.
On June 19, 2018, the International Organization for Standardization (ISO) released the revised version of ISO 22000. The major changes include the following:
• New format
• New concepts
• New clauses and added requirements
• Additions to existing clauses
• Revised definitions
The Food Safety Magazine eDigest has published three excellent articles on ISO 22000:2018.[1–3] This article is intended to provide some background information on the standard to help in the understanding of the requirements and in making the transition from the 2005 version.
ISO has changed the general format of all management system standards. The new format is known as the High Level Structure (HLS). Existing ISO management system standards are required to adopt this general format as part of the revision process. Table 1 presents the general structure of the HLS.
In addition, the HLS mandates two further items:
• Specific core text for a number of clauses common to all ISO management system standards
• Common definitions for technical words common to all ISO management system standards
One of the objectives of the HLS is to promote better integration of the requirements for a management system when a site is certified to multiple ISO management system standards. In the food industry, an example of such an integration occurs when a food processor is certified to Food Safety System Certification (FSSC) 22000-Q. This certification scheme is based on the requirements of ISO 22000:2018 and ISO 9001:2015.
One major change has occurred that might be confusing when using the revised standards. Because of the change in structure, some requirements have changed locations. For example, in the 2005 version, management review (clause 5.8) was found in the Management Responsibility clause (clause 5). In the 2018 version, management review (clause 9.3) is found in the Performance Evaluation clause (clause 9).
The following concepts are now formally present in the standard:
• Greater involvement of food safety at the strategic level
• Incorporation of risk-based thinking in managing food safety at the strategic level
• Formal incorporation of the Plan-Do-Check-Act (PDCA) cycle concept in managing food safety at both the strategic level and operational level
• Replacement of the terms “documents” and “records” with the term “documented information”
• Operational prerequisite program requirements have been redefined
The standard now focuses the efforts of managing food safety at two levels: strategic and operational. As a result of the need to manage food safety at the strategic level, further requirements have been added to the standard. These requirements include the following:
• Understanding the organization’s context with respect to food safety
• Understanding the need and expectations of interested parties with respect to food safety
The context of the organization includes both identifying internal and external factors that affect the organization and its ability to produce safe foods. These factors can include changes in regulatory and statutory requirements; changes in customer requirements; employment factors; and environmental factors including emerging pathogens.
Interested parties and their needs include a wide variety of individuals, such as company owners, customers, employees, external auditors, and suppliers.
The food safety management system is designed, implemented, maintained, and improved to meet both the internal and external factors, and the needs and expectations of interested parties at the strategic level. In addition, the strategic food safety management system must be linked to the business operations. This is achieved by linking the strategic food safety objectives to the business objectives.
The next step is linking the strategic food safety management system to the operating food safety management system. This is accomplished by linking the plant’s (operational) food safety objectives to the corporate food safety objectives.
ISO has incorporated the risk-based thinking approach at both the strategic and operational levels of the organization. There are several confusing parts to this requirement.
ISO certainly did not intend that ISO 22000:2018 be a risk management standard. The standard is intended to apply the concepts of risk-based thinking to managing a food safety management system. This starts with understanding the ISO meaning for risk. The standard defines risk as the effect of uncertainty. As a result, this definition of risk does not distinguish between positive and negative effects of uncertainty. For many food safety practitioners, this may be a confusing concept because Hazard Analysis and Critical Control Points (HACCP) and other food safety principles are used to mitigate the negative effects of food safety hazards. Fortunately, the standard uses the term “opportunities.” So it is possible that a food processor defines risk as negative effects and opportunities as potential positive effects. If your company does this, be sure to define these terms in appropriate documented information.
Revision Reflects Reality
An interesting process took place when ISO 9001 was revised. ISO 9001:2008 addressed both corrective and preventive actions. In the 2018 revision, the requirement for preventive actions was eliminated because risk-based thinking is a preventive action process. In ISO 22000:2005, there was no requirement for preventive actions. This decision was made because HACCP is a preventive action process. Thus, risk-based thinking was already practiced at the operational level. The new requirement in using ISO2200:2018 is the application of risk-based thinking to the strategic level.
Many food processors have informally used risk-based thinking at the strategic level. For those who have, all that may need to be done during the transition to the 2018 version is to adopt a formal process to meet the risk-based-thinking approach at the strategic level and document the results of these efforts.
The PDCA cycle has been formally incorporated into the standard both at the strategic level and the operational level. The PDCA cycle (Figure 1) was popularized by Dr. W. Edwards Deming in the early 1950s. He incorporated the concepts of the scientific method into a process-improvement cycle. In the 1960s, the PDCA cycle was incorporated into the structure of the HACCP plan. This has made the HACCP plan a very powerful tool for ensuring food safety. Thus, the PDCA concept is already practiced at the operational level. All that may need to be done is to formally apply the concept at the strategic level. This is done as part of the requirement to continually improve the food safety management system.
ISO 22000:2018 uses the term “documented information” instead of “documents” and “records.” This change was implemented because, in practice, there is a blurring between a document, procedure, or record. Often, a form such as a checklist may serve as a document, a procedure, and a record. The revised standard did not change the actual requirements for approving, maintaining, and revising documented information.
ISO management system standards provide flexibility in modifying the definitions in the standard. For example, an organization may want to still use the terms “documents,” “procedures,” and “records” instead of “documented information.” Definitions may be modified to improve communications both within the organization and between the organization and external stakeholders. If a definition is modified, be sure to adequately communicate the modification to the appropriate stakeholders. The overall concept is to develop, maintain, and improve a food safety system that at least meets the minimum requirements of the standard and the minimum requirements of government regulations. Organizations are permitted to go beyond the standard and governmental regulations. If you do, be sure to adequately document and communicate these issues to the auditor.
One of the most significant changes is in redefining the definition and the requirements for operational prerequisite programs or OPRPs. As a control measure, OPRPs have been elevated to the same level as CCPs with critical limits. Thus, both OPRPs and CCPs with critical limits are used as control measures to prevent a food safety hazard or reduce it to an acceptable level. There are some minor differences between the OPRPs and the CCPs with critical limits. However, the chief issue is that both OPRPs and CCPs with critical limits must be validated to ensure that the control measure is effective in controlling a significant food safety hazard.
Food processors that must meet the U.S. Food and Drug Administration (FDA)’s Preventive Controls for Human Food (PCHF) rules should be aware that validation is mandatory only for process preventive controls (CCPs),6 which include sanitation preventive controls, supplier preventive controls, and allergen preventive controls. (Although FDA requires that validation should be done, in practice, an appropriate validation study may be difficult to perform.) Thus, food processors who are implementing both ISO 22000 and PCHF requirements should consider not identifying sanitation preventive controls, supplier preventive controls, and allergen preventive controls as OPRPs. One approach is to identify these preventive controls as FDA preventive controls. There are no problems if the food processor identifies the process preventive controls as CCPs, because ISO 22000 and PCHF have equivalent requirements. If a company elects to define the sanitation preventive controls, allergen preventive controls, and the supplier preventive controls as outside the ISO 22000 hazard control plan, this should be documented and justified. ISO 22000 requires compliance with all appropriate governmental regulations.
ISO 22000:2018 has new requirements when compared with the 2005 version. These new requirements are documented as either new clauses or additions to clauses in the 2005 version. Table 2 summarizes the new clauses in ISO 22000, and Table 3 summarizes clauses that have additional requirements.
Some of these concepts are not new to practitioners who develop food safety management systems. Thus, for some companies, the new changes may be an exercise in revising documentation. However, it is recommended that a company conduct a gap analysis to the revised standard to ensure that its food safety management system meets the new requirements.
Deadline for Transition
ISO has issued the requirement that sites certified to ISO 22000:2005 must transition to ISO 22000:2018. The transition process must be completed within 3 years of the publication of the revised standard (June 19, 2018).
The actual timetable for transition was incorporated in version 5 of the FSSC requirements. These requirements were published in June 2019. It is recommended that companies that are currently certified to FSSC 22000 or ISO 22000 should be starting their gap analysis, implementing any necessary changes to their food safety management system.
I do not recommend that a company’s numbering system be based on the clause numbers. If a company is using both ISO 9001 and ISO 22000, for example, the numbering of the subclauses is different. For example, in ISO 9001, clause 8.2 is titled “Requirements for products and services.” ISO 22000 has no clause with that title, so its clause 8.2 is titled “Prerequisite programs (PRPs).” The number system should reflect the company’s food safety management system. ISO has started the revision of the HLS, and one never knows how this revision will affect the numbering of the clauses.
Both ISO 22000 and either FDA or U.S. Department of Agriculture regulatory documents are minimum requirements. Both agencies are moving in the same direction, requiring food processors to use a risk-based approach to manage their food safety systems, so that the company reduces the risk of making product than can harm the consumer. Therefore, any food processor should evaluate the possibility of going beyond either the ISO 22000 requirements or the regulatory requirements to provide products that are free of food safety hazards.
Future of ISO 22000
The ISO Working Group that is responsible for the ISO 22000 family of standards has several major projects under development. One project is to develop a revision to the booklet titled How to Use ISO 22000. The other project is to revise the ISO 22002 series of the prerequisite program standards. Currently, ISO 22002 has six parts. It is expected that the number of parts to ISO 22000 will be consolidated into two or three parts. In addition, ISO is planning to withdraw ISO 22004 (Food Safety Management Systems – Guidance on the Application of ISO 22000).
The American Society for Agriculture and Biological Engineers (ASABE) has started a project to adopt, as a U.S. national standard, the international standard with revisions. Revisions will be made to the Annexes in the standard. The changes are designed to assist food processors in developing a better understanding of the standard and to help implement the standard. No revisions will be made to the auditable portion of the standard. Thus, the auditable parts of the standard will be identical to the international standard. As a result, the U.S. version can be used as part of the reference documents for meeting FSSC 22000 or FSSC 22000-Q certification scheme requirements. It is expected that ASABE will charge $65 for the printed U.S. standard, which will be available for purchase from either ASABE or the American National Standards Institute. Currently, ASABE expects to publish the U.S. version by the end of 2019. We will keep you informed through Food Safety Magazine as this project develops.
John G. Surak, Ph.D., is the principal of Surak and Associates, and provides consulting on food safety and quality management systems, auditing management systems, validating manufacturing processes, designing and implementing process control systems, and implementing Six Sigma and business analytics. He is a member of the Editorial Advisory Board of Food Safety Magazine. His website is www.stratecon-intl.com/jsurak.html. He can be reached at email@example.com.
4. ISO standards that use the HLS include: ISO 22000 (food safety), ISO 9001 (quality), ISO 14001 (environmental), and ISO 45001 (occupational health and safety).
5. ISO. ISO 22000:2018 Food Safety Management System Requirements – For Any Organization in the Food Chain, 2nd ed. (Geneva: International Organization for Standardization, 2018).