This article is the second about the new ISO 22000:2018 published recently (19/06/2018). If you have not yet read the first article, please check it out in: . In the present article we share our vision about the changes in clauses 4, 5, 6 and 7. Part 3 will be published on the 1st of September and will review clauses 8, 9 and 10.
We had the opportunity to reach the technical committee ISO/TC 34/SC 17 (responsible for updating the standard) in search of clues about the main motivations and constraints along the updating process and also expectations about the future. The committee made it clear that “after being on the market for 10 years the document needed to be updated, not only to integrate all the experience gained but also to follow the same structure as all the other ISO management system standards, the High Level Structure”. As it can be expected in a group of specialists from over 30 countries, debate and consensus can sometimes be hard. In that matter “Clause 3 (CCP, OPRP, PRP, Control measures definitions) and Clause 8 (hazard analysis) were the most challenging ones”. Into the future this new revision reinforces ISO core principles of “having a strong document developed in a consensus process with stakeholders from all over the world and keep replying to the market needs”.
Clause 4 – Context of the organization
This clause is nearly all new and is mainly focused in defining how organizations shall establish the Food Safety Management System (FSMS) scope. For that, according to the standard, there are 3 things organizations must do/know:
From these 3 things, the one that is the most straightforward for food safety practitioners is the definition of requirements. For that, organizations must firstly determine the interested parties and then gather their requirements regarding food safety. To identify the interested parties, it is essential to consider all the participants that have an impact on Food Safety Management System, whether internal or external components of the organization. For example employees, management and owners are internal interested parties and suppliers, society, government, in addition to well-known customers and consumers, are considered external interested parties.
Despite of the examples of external and internal issues provided by the standard (in note 2 of clause 4.1), this new approach where organizations must understand their context and how those issues are relevant to their purpose and ability to achieve the FSMS results may pose a challenge, not only in defining it but also in how to audit it. Typically, tools such as SWOT and CANVAS are used to perform this assessment. After overcoming the challenge of understanding and defining the context, the organization will gain a more solid management system integrated with all internal and external aspects of the business. From here the specific planning of the Food Safety Management System will be designed (clause 4.4)
Finally, the organization must define the FSMS boundaries so that the scope may specify the products and services, processes and production sites included in the FSMS. In the 2005 version, services were not included in what the scope should specify! The scope must also consider the context of the organization and the needs and expectations of the interested parties, so that the Food Safety Management System will be established in an objective and consistent way to the reality of the company.
Clause 5 – Leadership
Clause 5 from the 2018 version is based on the same clause number of the 2005 version (Management responsibility) with the exception of communication (clause 5.6 of 2005’s version) that was moved to support (clause 7 of 2018’s version) and management review (clause 5.8 of 2005’s version) that was moved to performance evaluation of the FSMS (clause 9 of 2018’s version).
In its first clause, the new standard presents a list of actions that Top Management should do to demonstrate commitment towards the FSMS. Two of them (Policy and Directing and supporting people) are further detailed in clauses 5.2 and 5.3. The role of Top Management with respect to the FSMS is reinforced in the new version, since not only commitment (as in 2005’s version) but also leadership shall be demonstrated.
Regarding policy, there are no major differences when compared with the last version, although it includes an interesting reference to the importance of communicating policy with interested parties also.
Clause 5.3 presents details on which responsibilities and authorities Top Management shall assign and introduces the idea that the responsibility of Top Management is not limited to assigning and communicating responsibilities and authorities, but also ensuring that they are understood! Besides defining what the food safety team leader shall be responsible for (that was also present in the 2005 version), it also clarifies other responsibilities and authorities that Top Management shall define (e.g. reporting on the FSMS performance, ensuring that the FSMS conforms with requirements). It also encourages sharing more responsibility over the entire organization to achieve the effectiveness of the FSMS, designating persons with defined responsibility and authority to initiate and document actions(s).
Clause 6 – Planning
Most of clause 6 is new. In the comparison between the previous version and the new one (Annex B of the standard) it is referred that clause 5.3 from 2005 version (Food safety management system planning) is included in this new clause. The old 5.3 clause only enforces Top Management to ensure planning out to meet requirements and objectives and to guarantee system integrity. The new clause 6 has a much broader amplitude and presents new concepts. Starting on clause 6.1, the concepts of risks and opportunities are introduced as something that the organization must determine considering: a) relevant issues (internal or external) and b) requirements from the interested parties. Then the organization must plan, not only actions to address these risks and opportunities, but also how to integrate, implement and evaluate the effectiveness of these actions.
Note: Stay tuned (!) I am developing more flow diagrams like this one to simplify the FSMS interpretation. More news about it together with this article PDF on August 15th. It would be outstanding if I had your oppinion on it replying to 3 questions. (takes 1 minute)
The risk approach is also contemplated in the other standards of the ISO family and aims at being a preventive tool that ensures the integrity of the Management System developed. Organizations may decide to use or not an extensive risk management methodology through the application of other guidelines or standards such as ISO 31000: 2018 Risk Management, updated last February.
The responsibility for establishing objectives and retaining documented information on them is set on clause 6.2. There is a higher emphasis on the importance of objectives that in the last version. Objectives shall: be consistent and measurable, take into account the requirements, be monitored, verifiable, communicated and updated.
It is also defined that when planning how to achieve objectives, it should be taken in consideration:
The importance of guaranteeing the integrity of the food safety management system is something that should be considered before changing the system. Besides that (also presented in the last version) clause 6.3 brings to the table the importance of considering the purpose of changes and potential consequences, the availability of resources, and managing responsibilities and authorities when planning for any change on the system.
Clause 7 – Support
Clause 7 presents requirements regarding several supporting activities like resource management, people competence and awareness, communication and documented information management. Besides some new information (not so much, anyway) this clause includes requirements previously found in clauses 4.2 (Documentation requirements), 5.6 (Communication), and 6 (Resource management) of 2005’s version. Besides this new structural organization of the standard, the content shows no major novelties.
Resources clause (7.1) is divided in:
- People (7.1.2),
- Infrastructure (7.1.3),
- Work environment (7.1.4),
- Externally developed elements of the FSMS (7.1.5),
- Control of externally provided process, products or services (7.1.6)
Resources can be approached by the prism of external or internal resources. Clause 7.1.3 and 7.1.4 manage internal resources and clause 7.1.5 and 7.1.6 manage external resources. People (clause 7.1.2) can be either internal or external. Internal people is addressed in clause 7.2 (Competence) and 7.3 (Awareness), mainly to impose that the organization determines and ensures the competence and awareness (e.g. policy, objectives) of relevant persons. When assistance from external people is needed (e.g. experts), the organization shall retain documented information (e.g. contracts defining competencies). Retaining relevant information is also mandatory when the organization opts to:
- develop elements of the FSMS externally – guaranteeing that they are applicable, adapted and updated
- use external providers of processes, products and services – guaranteeing communication, evaluation and monitoring.
When comparing clause 7.4 (communication) with clause 5.6 of the 2005 version, the new version adds that the organization shall not only ensure that the requirements for effective communication are understood but also determines:
In terms of managing documentation, there is a different approach in the new version. Instead of dividing the clause in control of documents and control of records it is presented as creating and updating and control of documented information. Another significant change is the fact that a formal written procedure to control documents and records is no longer mandatory. This seems to be in line with the guidelines of ISO 9001:2015, promoting a more process-focused management system than document-based. This new version gives a focus on protection of confidentiality and integrity of documented information, reflecting the increasing importance of these issues to organizations and to society as a whole. In a note, it is explained that control of access to documented information may imply defining different permissions (view only or view and change).
And this is all for this month 🙂
Hope it adds value and please share it and come back next month for Part 3!
