Published: 17 Aug 2017
As the standard for food safety management systems undergoes a major revision, Ian Dunlop, CQP FCQI, explains the most significant changes.
As the European Union announces its intention to hold a crisis meeting in the wake of yet another food safety incident (Fipronil egg scandal, August 2017), national populations are left once again questioning who they can trust to ensure that what they eat will not harm them.
Since its launch in 2005, ISO 22000 has been adopted as the food safety management system (FSMS) standard of choice for more than 32,000 organisations worldwide (based on data from the annual ISO Survey last published in 2016). In addition, more than 16,000 organisations have been certified under the Food Safety System Certification 22000 (FSSC) private certification scheme, the core requirements of which replicate ISO 22000. Given that many of these organisations are global players in the food manufacturing and processing sectors, these figures demonstrate the considerable influence that the standard exerts on global food safety.
The first major revision to ISO 22000 since its launch is expected to be published in 2018. The Draft International Standard (DIS) is now available and indicates that some significant changes are planned. This will affect not only those organisations that wish to maintain their system certification, but also those that are involved in the associated auditing programmes.
The main changes
In line with agreed policy for management system standards, ISO 22000:2018 will adopt the 10-section, high-level structure created by ISO based on identical core text and common terms and definitions. This change alone will impact the system scope, top management involvement, documentation of the system and application of the risk-based approach to organisational needs, and will create a clear focus on the process approach through the Plan-Do-Check-Act (PDCA) cycle.
The changes will facilitate assimilation of the FSMS with other management system disciplines using this structure. Other changes are designed to clarify and simplify existing requirements such as the differences between PRPs, OPRPs and CCPs. The revision also seeks to take account of international developments in food safety approaches in the past 13 years.
Context and scope
In line with other system standards, ISO 22000:2018 will require organisations to consider upstream and downstream issues affecting customers and consumers as well as suppliers of products and services. This may impact the scope of the food safety system, eg coverage of food fraud, food terrorism and related legal issues. This is likely to have a bearing on the management of food safety risk both for the management system and the product/process operations.
The role of top management in the food safety system is emphasised through the responsibility to demonstrate leadership and commitment to food safety, including the setting of appropriate policy and relevant business objectives. Overall responsibility is retained by top management for oversight of system planning, communication, resource provision and ongoing improvement by reviewing the system’s suitability, adequacy and effectiveness.
The risk-based thinking approach now embodied in management system standards means that risk management in the FSMS is no longer limited to the use of hazard analysis and critical control point (HACCP) principles at the operational level, although this focus is still a key ingredient. There are implications for business planning, management objectives, identifying improvement opportunities and allocating resources to reduce or eliminate unacceptable risk to food safety from a wide range of sources.
A number of requirements relating to basic system elements are clarified and strengthened, including communication systems and needs. Resource planning is required along with tighter controls over external contributors to system development. Competence needs of personnel, both internal and external, are more fully explained. A system for greater control of suppliers of goods and services needs to be established.
One of the basic changes to the system is the convergence of ‘procedures’ and ‘records’ into ‘documented information’. This gives the organisation freedom to define the type and extent of documented information to be used, although some mandatory documentation is still specified. The established controls for documents in the system are retained.
The application of a PDCA cycle to the operational planning and controls for food safety in the organisation is more clearly established. Based on HACCP principles and the latest versions of the Codex Alimentarius standards, the requirements clarify the role of PRPs, OPRPs and CCPs in the system.
The applicable Technical Specification ISO/TS 22002-X must be considered in the determination of PRPs for the relevant sector in the food chain. A new entity – ‘action criteria’ – is introduced for the control of OPRPs and will be determined from the hazard analysis. A ‘hazard control plan’ must include relevant OPRPs and CCPs, which are now dealt with in similar ways within the system, albeit recognising the different food safety risk levels involved. A number of other requirements, such as those relating to traceability and emergency response, are tightened up, including a range of new verification activities.
Evaluation and improvement
The requirements for evaluation of the performance of the FSMS by monitoring, measurement, auditing and review are retained, with a greater emphasis on the use of a more integrated, systematic approach to performing these activities across the whole system. Evaluation outcomes should be directed towards the prevention of failure in the food safety management system in order to improve the effectiveness of the system.
Implications for stakeholders
External stakeholders in the FSMS include customers, vendors, regulatory authorities, certification organisations, emergency responders and personnel affected by the performance of the organisation relating to food safety. All stakeholders will be affected to some degree by the revised requirements of the standard but it is likely that external system auditors will be among those most impacted.
As with previous revisions to management system standards, third-party auditors will be required to undergo some form of transition training. This is likely to cover two main elements. The first is the adoption of the ISO high-level structure being employed and the second relates to the technical changes in the requirements. A two-day course would normally suffice for this coverage but could be reduced for those auditors who work in other disciplines and have already undergone training in the ISO high-level structure.
The CQI will specify the content of such training in due course, around the time of release of the final draft (FDIS version), which is planned for late 2017. IRCA certificated auditors will have several years to complete this training to allow their auditor certification to continue.
The end goal
Bearing in mind that further changes to the draft standard are likely as it progresses towards final release, it is clear that organisations currently using ISO 22000 to control their food safety responsibilities will be required to make some changes. These are likely to focus on the wider scope of the system, the broader application of risk-based thinking and the greater involvement of top management (who will need to be interviewed by system auditors, both internal and external).
Auditors will review changes to system documentation, check that additional elements are correctly built into food safety risk processes and ensure that the implementation of the revised requirements is effective.
As was the case with the initial publication of ISO 22000, private certification schemes in the food industry (such as BRC Global Standards, FSSC 22000 and other programmes recognised by the Global Food Safety Initiative) are likely to consider the revised standard requirements in the light of their own schemes. Subsequent amendments to these programmes may well take place in due course.
There is no doubt that the forthcoming revision to ISO 22000 will have a ripple effect throughout the global food industry as it is embraced by certified organisations, related food chain entities and the certification industry in general. If this work results in further protection from food safety hazards for the global public, it will have achieved its objective.
Ian Dunlop, CQP FCQI, is a CQI and IRCA Training Assessor.