We see the requirements of the ISO 22000 standard as “the WHAT” and the new Handbook as “the HOW”, an essential guideline that complements the standard. Whilst the new ISO 22000 Handbook is targeted at Small to Medium Size Enterprises (SMEs), we believe this is a useful guideline for any organization that is implementing or has implemented any FSMS scheme.
1- Organizational Risk Management
Organizational Risk Management is one of the major changes brought by the 2018 version of ISO. At the operational level we have the well-known hazard assessment, where risks are identified and measures are then taken to minimize their negative effects. Business risks are different: uncertainty can lead to opportunities (positive consequences) and risks (negative consequences).
In the handbook it is clearly defined that business risks that have an impact on the performance of the FSMS must always be considered when applying the Standard.
The Organization should then plan actions to enhance the opportunities identified and prevent business risks.
2- Internal and External Issues
This is also a new concept for ISO 22000 and follows the adoption of the High-Level Structure. Now Standards like ISO 9001, ISO 14000 and ISO 22000 all have the same 10-clause structure (see section 4).
The handbook shares examples of sources of relevant information about external and internal issues (e.g., press, websites, product specifications) and also of the information we need to look for (e.g., food outbreaks, new technologies).
There are some tools organizations may use as a framework to identify internal and external issues. SWOT (Strengths, Weaknesses, Opportunities and Threats) and PESTEL (Political, Economic, Social, Technological, Legal, Environmental) analysis are two of the most used tools for this identification and are referred to in the handbook.
Food Safety Professionals are not so used to managing topics such as Internal and External issues, and this may be challenging, especially at the beginning. Don’t be discouraged by it. On the contrary, use this to increase Top Management awareness of the impact (besides food safety) the Food Safety Management System can have in the organization.
3- Interested Parties
An Interested Party, according to the ISO 22000 definitions, is a person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity. Food safety professionals should look beyond the direct customer/consumer and assess the needs and requirements of those who have an impact on the ability of the organization to provide safe food.
But first the Interested Parties need to be identified. The handbook provides several examples of possible interested parties.
Some Interested Parties may be quite obvious such as:
• Ingredients/Packaging materials providers
• Transport and logistics providers
• Maintenance, human resources
• Regulatory agencies
Examples of interested parties that may not be top of mind for food safety professionals are:
• Uniform providers
• External/internal trainers
• Internal/external Lab services
• Information technology services
The organization shall collect relevant information to understand the requirements, needs and expectations of the interested parties. For that, consider defining for each interested party what, when, how, who and with whom you communicate.
4- Commitment and Leadership of Top Management
It is important to note that the terminology changed from “Management Commitment” in ISO 22000:2005 to “Leadership” in ISO 22000:2018. This was a shift for all ISO Management System Standards (MSS) with the introduction of Annex SL (now referred to as Annex L or High-Level Structure), which was designed to harmonize structure, clauses, text, and terms and definitions:
- Clause 1 Scope
- Clause 2 Normative references
- Clause 3 Terms and definitions
- Clause 4 Context of the organization
- Clause 5 Leadership
- Clause 6 Planning
- Clause 7 Support
- Clause 8 Operation
- Clause 9 Performance evaluation
- Clause 10 Improvement
ISO defines “Leadership is the person or group of people who directs and controls an organization at the highest level. Top management has the power to delegate authority and provide resources within the organization”.
So why the change? The answer: because there is a fundamental difference between leadership and management. Management is about managing processes. Leadership is about behaviors. Management of processes is demonstrated by data points that are measurable, whereas leadership is more about attitude and personal character. Essentially, leadership can drive the behaviors of an organization. This in turn drives culture, in this case the food safety culture of an organization.
Top management establishes and communicates the food safety policy. There must be evidence that key communications related to food safety truly come from leadership. If not, there is a disconnect with ‘Top management’. In addition, leadership must define the scope of the integration process to ensure roles and responsibilities are defined and allocated appropriately across the organization. Otherwise, if delegated to the food safety team leader, food safety could operate in a functional silo. There must be evidence that the various functions are supporting food safety as per their defined responsibilities, with Top management holding overall accountability for food safety.
The handbook provides the following examples of evidence of management commitment and leadership: supply of required resources, formulation of policies and objectives of the FSMS, management reviews, and communication of the importance of satisfying the food safety requirements.
5- Risks, Opportunities and Objectives
Risk is inherent in all aspects of a food safety management system. There are risks in all systems, processes and functions. Therefore, it is important that risk-based thinking is applied throughout the management system. This ensures these risks are identified, considered and controlled throughout the design, planning and execution of the food safety management system.
Risk-based thinking is part of the process approach. Not all the processes of a food safety management system represent the same level of risk in terms of the organization’s ability to meet its objectives. Certain food safety processes need more planning and controls than others.
Risk is commonly understood to have only negative consequences; however, the effects of risk can be either negative or positive. Risks and opportunities are often cited together; however, opportunity is not the positive side of risk. An opportunity is a set of circumstances which makes it possible to do something. Taking or not taking an opportunity then presents different levels of risk.
By considering risk throughout the food safety management system and all its processes, the likelihood of achieving stated objectives is improved, output and the expected outcome of safe food are more consistent, and customers can be confident that they can trust the food product. For further reading:
ISO 31000:2009 Risk Management – Principles and guidelines
ISO/TR 31004:2013 Risk management – Guidance for the implementation of ISO 31000
ISO 31010:2010 Risk management – Risk assessment techniques
But where and when do we consider risks? It is probably an everyday task, but strategy meetings, management reviews, or food safety related meetings are good moments to look at risks in a structured way (examples are included in the handbook). Risks can be documented in a risk register which is shared with Top management, driving transparency and accountability.
6- Food Safety Policy
The 2018 version of ISO 22000 brought some new requirements to the Food Safety Policy, for example addressing the need to ensure competencies related to food safety and including a commitment to continual improvement.
Nonetheless, probably the most interesting change related to the food safety policy is the mandatory requirement for the Food Safety Policy to be understood (and not only communicated).
The handbook provides very interesting examples of evidence of communication and understanding of the policy. For the former, evidence can be posters, e-mails, notice boards or meetings; for the latter, interviews, internal audits, quizzes or tests.
7- Externally developed elements of the FSMS
The new version of ISO 22000 has broadened the use of externally developed elements of the FSMS. The 2005 version included the possibility for small and/or less developed food businesses, such as small farms and small retail among others, to use externally developed combinations of control measures. The 2018 version describes in clause 7.1.5 the conditions for the use of any externally developed elements in the Food Safety Management System.
Examples of externally developed elements of the FSMS and sources provided by the ISO Handbook (see figure).
All these externally developed elements must be:
- In conformance with ISO 22000:2018 requirements
- Applicable and adapted to the organization
- Implemented, maintained and updated
- Retained as documented information.
8- Management of documented information
ISO Management System Standards (MSS) in general are dependent on documented information. ISO 22000 follows a process approach, which means it is well suited to a Process Framework Model. Here is an example where processes are divided into 5 levels.
A Food Safety Management System requires the disciplined organization of the following criteria: processes, documents, records and reviews. A process framework provides the structure for process owners to update the criteria they are responsible for to meet defined food safety requirements. This same structure is used for all other management system requirements like Quality (ISO 9001), Occupational Health & Safety (ISO 45001) and Environmental Management (ISO 14001). This process framework, supported by integrated management systems, breaks down the functional silos.
There are several recommendations in the handbook related to the management of documented information, for example:
- Clear definition of how documented information should be changed, how long and how it should be stored, and how it should be destroyed
- Documenting records of destruction
- Standardized format for procedures and work instructions
- Procedure for creation, updating and control of documented information.
- Definition of retention time according to applicable laws and regulations
- Follow the rule of 3 U’s (Useful, Useable and Utilized)
9- Flow Diagrams
Process flow diagrams are discussed in the Handbook in Task 5.3. Flow Diagrams and Process Mapping are critical for a Food Safety Management System. The ability to visualize a process flow will ultimately determine how robust an organization’s hazard analysis is and its ability to produce safe food.
ISO 22000 allows multi-site certification, where large organizations can improve performance and streamline operations with fewer resources. Essentially, multi-site will generate one certificate for multiple locations under a single organization under the same legal entity. One of the key requirements is performing similar activities. This is where templates, flow diagrams and process mapping need to be managed centrally.
Model HACCP plans can be developed and deployed across a large organization and adapted locally. This approach allows a corporate food safety entity to confirm the accuracy of process flow diagrams.
The handbook includes suggestions for what should be aimed for in this section. Among others, it describes the importance of describing the steps of the procedure using the 5M method (Methods, Machinery, M-environmental, Materials, Manpower), describing process parameters that may affect food safety, and describing the existing control measures.
The PDCA cycle is critical for all Food Safety Management Systems. ISO 22000 benefits from two PDCA cycles: one PDCA for the overall framework (management of the system) and one PDCA for operational processes within the food safety system.
This is where verification fits in. If you think in terms of PDCA, verification is all about checking operational food safety processes. This check then leads to act, when the verification determines whether or not the operational food safety processes are under control.
When you think in PDCA terms for operational food safety processes, often an organization is stronger in some parts of the PDCA cycle than others. In this case the effort that must be made for validation (plan) must be equally supported by the effort for verification (check). With this in mind, PDCA questions can be applied to ISO 22000 to determine the effectiveness of the cycle, and these can focus on verification criteria.
The handbook suggests as examples of verification activities:
- Review and evaluation of documents OPRP and/or CCP records
- Measurement and evaluation activities to ensure PRPs or processes are operating within parameters
- Internal and external audits
- Evaluation of indicators
- Evaluation of verification results and audit reports.
This article was written with Colin Christmas
Disclaimer: The information contained in this article is based on research done in the last months and the authors' personal experience and opinion. It is not intended to represent the view of any organization they work for or collaborate with. The authors will not be held liable for the use or misuse of the information provided in the article.