ISO 22000 Resource Center: 2018

Friday, December 28, 2018

Unannounced Food Safety Audits II

The Unannounced Audit

Unannounced audits are simply explained as audits occurring without prior notice, because it is human nature to relax or drop the guard until they get close to audit time if organization knows exactly when to expect it, which creates an entire set of issues. Hence, unannounced audits are introduced, first in the medical device industry and its spreading across various industry sectors, where those checks are in addition to scheduled surveillance audits or main audits. Under the new regulations, auditors have a right and duty to conduct unannounced audits, where unannounced audits are designed to ensure that a product is being manufactured in compliance with the quality management system. Hence, companies selected for audit must provide full access to their manufacturing processes, as well as quality, batch, and purchasing records. On the other hand, plants that do not know when to expect a visit from their third-party auditors are likely to be more diligent at ensuring that their documents, operations, and personnel are continually prepared. When organizations are always potentially liable to face an unannounced visit, they are more likely to ensure everything is in place. The practice will improve the skills of the employees and thereby improving overall efficiency of the facility, because once adapted it is easy to maintain.

Once an unannounced audit is started,audit team usually conduct regular inspections of the entire facility, then small facilities will generally conduct quality self-inspections in one day, but large facilities will be considered for dividing their plants into four areas or zones that are inspected weekly. When you try to perform a self-inspection of a large facility in one day, it is difficult to stay on course due to all the other duties that self-inspection team members have. Thus, what often happens when you try to inspect too large of a facility in one day is that the first part of the inspection is detailed and thorough, then the inspection tends to go quicker as the audit continues, so key items and areas are often overlooked.Hence, audit teams also switch up the inspection and conduct it in different areas and on different days, where employees will not have clues to predict the day or area in which inspections would occur in the next time auditor comes.

The changing nature of food safety compliance arising from the shift towards unannounced audits which usually require food companies to bring their systems up to full compliance in the months or weeks before a scheduled audit. In a regular audit, tasks, process and procedures which went incomplete day to day could be brought up to date prior to the audit date, where unannounced audits change the phenomenon and perhaps in ways which most food businesses are unaware of, because the most significant impact arising from unannounced audits is the reduction of the compliance window to a just single day. In other words, companies who have to date operated the above activities now have to take steps to ensure compliance is maintained daily, which is very important since it is a fact that food companies may simply fail to close out scheduled actions due to insufficient resources. It may also be due to the fact that food safety systems demand human input and memory to ensure tasks are alerted, completed and closed out, where systems depend on human inputs to this extent it is evident that tasks will get overlooked.It is very common that the real impact in the shift to unannounced audits won’t be felt until the first audit is completed for many companies, but only then it will come to the attention of senior management, expose gaps in resources and highlight the difficulties of manual paper based systems.

However, there are steps that can be taken now to reduce adverse impact of the change in audit schemes. One of the key strategies is to prepare the employees by training and updating their practical knowledge as well as skills on the specific areas under their activities. Nonetheless, regular meetings can be conducted with all departments to discuss self-inspection and internal audit results, and to keep them alert to the third-party audit that could occur any day, because keeping employee morale high during this time was very important. Unannounced audits are like getting ready for a surprise party, but not knowing when it would occur. Certain areas of the plant that are having special concerns should be assigned to specific departments for compliance. Everyone need to assign with a small role which will be a part of the big picture of ensuring the plant is ready for any visit.

Documentation is one of the last items that you should look at, which must include maintenance records and work orders, master cleaning schedules, and even employee training records. As to the current developments, if you are facing a FDA audit, they can view more records under the Food Safety Modernization Act, which is very important that these documents are complete and accurate at all times.The self-inspection concept is similar to mock recalls, where you are testing own systems to ensure they are ready for the real event. The time to find out that there are gaps in your food safety system is not when your third-party auditor or FDA inspector is in the building, thus test your systems regularly so that when the auditor arrives you are ready and able to perform.

The FSSC 22000 states that audits must be completed at least once every 3 years, but not as a certification or recertification audit. The frequency is at least one audit for the current version which hopefully will be extended based on the risk of the product, compliance history, or specific reasons to suspect non-conformities. These audits will be no less than one day in length and require at least two auditors on site according to EU regulations.

The audits are usuallyfocused on:

Ongoing manufacture

Linking manufacturing to the documented information and technical specifications

Product identification and traceability

Verification of raw materials and ingredients

Witnessing of product testing

Auditors will also look at two of the following:

Design controls

Establishment of material specifications

Purchasing and control of incoming materials

Device assembly

Sterilization

Batch release

Packaging

Product quality control

Unannounced audits are random sampling checks of the food safety/quality management systems by notified bodies with the aim of

i) finding out if manufacturers are working in conformity with their quality management system (e.g. according to FSSC 22000, FDA, EU),

ii) being able to identify deviations and react quickly and

iii) to uncover fraud in a more reliable way.

How to Prepare for an Unannounced Audit

That’s a lot to consider, but there are seven key steps you can take to prepare for a successful unannounced audit.

Read and Prepare Your Team

Read the relevant recommendations according to the certification organization (FDA, EU or FSSC 22000 Auditor, etc.) as well as standards to be followed. Create the awareness, compliance requirements and ensure that you and your company thoroughly understand how this affects the organization, as well as your suppliers. Manage food safety team to follow detailed review of each and every department with any specific concerns to be addressed before the audit.

Review Supplier Quality Procedures

Create or update procedures that cover supplier quality while adapting to supplier requirement policies. Provide supplier training and awareness programs if necessary where, every organization should identify which suppliers are critical subcontractors, which are crucial suppliers, and define the criteria for evaluation. Apply more stringent criteria to suppliers of products and services that have a direct impact on the safety and performance of the product.

Effective procedures should describe the frequency of monitoring and re-evaluating suppliers. For example, a less critical supplier could be re-evaluated on an annual basis through a supplier questionnaire, an annual visit whereas a supplier who performs contract manufacturing may require multi-annual on-site visits as well as announced or unannounced supplier audits. The procedure should also include how non-conformances by the supplier will be addressed, responsibilities, and the method of communication between organizations.

Review Quality Agreements

Create or update quality agreements with the suppliers, while making sure your supplier understands that they are a critical supplier for your organization, which makes their organization subject to unannounced audits. Quality agreements should require mandatory notification of any changes the supplier makes to the purchased product, service, or new sub-tier suppliers. The agreement must also include the stipulation that the notified body auditors will not be turned away and will receive full access to the manufacturing area and all pertinent records.

Contact Your Certification Authority

Start the discussions with your certification authority if you have not already, which will give an understanding of how your contract is likely to change and have a full understanding of the costs associated with the audit. Note that the cost of unannounced audit is paid by the legal manufacturer even if the audit is conducted at a critical supplier’s facility.

The total cost includes the audit itself, travel costs for both assessors, as well as any products that are tested during the audit. Once the audit has concluded, the audit report will be sent along with any non-conformances to the legal manufacturer. It is the legal manufacturer’s responsibility to share it with the appropriate suppliers and develop a plan to address any non-conformances.

Update Supplier Folders

Update all critical supplier and crucial supplier folders. Ensure that you have the details of device types for which activities are performed and at what frequency. Make note of the facility details. These may include:

Hours of operation

Shut down periods and holidays

Contact names and phone numbers

Languages spoken on-site

Health and safety requirements

Any travel requirements

For example, if a visa is required to visit a supplier, the notified body is likely to ask for a “non-dated” invitation to obtain a visa in advance of the audit.

Supplier Monitoring

Continuous monitoring of all outsourced processes is key, where review and document everything is very important. You’ll need to review each supplier’s third-party certification status (such as an ISO 22000) and monitor compliance terms within the quality agreement. It’s also best practice to perform on-site visits to confirm compliance at the intervals stated in the quality agreement. Review all documents that relate to the audit focuses listed above as well as:

Design control and material specifications

Purchasing and control of incoming materials

Primary processing, secondary processing, manufacturing, sterilization, and batch release

Packaging and product quality control

Ensure that each procedure and quality record is accurate and up to date. If a procedure is deficient, then revise the procedure.

Customer Monitoring

Continuous monitoring of distribution and sales processes is key. Thus, review and document everything. You’ll need to review and monitor compliance terms with storage conditions and traceability requirements. It’s also best practice to perform on-site visits to confirm compliance at the intervals. Conduct mock-recalls and record and evaluate effectiveness as well as efficiency of the product recall system.

Prepare Your Network

Once you have a good understanding of how to prepare for an unannounced audit, your first step is to schedule an organizational meeting to discuss what departments are responsible for which actions. Consider bringing in outside help as it can be overwhelming to manage documents and agreements and implement the new procedures.

Brief your organization and suppliers on unannounced audit procedures. The auditors will arrive onsite and present identification. They will speak to the most senior person and provide a brief explanation of the visit.

Note: This is not a formal “opening meeting,” which occurs in other regulatory audits.

The assessors will then go to the manufacturing sites and audit the areas described above. To conclude, the assessors will provide a brief closing meeting and may provide details of the findings.Third-parties are also better equipped to remain impartial and provide successful and accurate audit preparation.

Your report will be provided within one week of the audit. You should follow up on non-conformities as you would any other audit. You may want to consider drafting a new procedure or updating an existing procedure to address this type of audit and ensure it runs smoothly. Remember, any problems conducted during an audit pose a risk to your compliance certificates.

Knowing what you’re up against and following given tips will make sure your audit go smoothly, which never hurts to put your best foot forward and show the auditors that your company is both organized and prepared. Consider getting through this important process as a stepping stone on the way to bringing a successful product to market.

Tuesday, December 11, 2018

Unannounced Food Safety Audits

What is an Unannounced Food Safety Audit?

Creating a 24/7 audit-ready operation is all about cultivating a food safety culture with an understanding of the importance and appropriate implementation of prerequisite programs and the implications of the food safety management system which will help to ensure organization would be ready whenever unannounced visit began. The unannounced audits are additional audits for which Notified Bodies (NBs) do not announce the date to manufacturers, which means the auditors commissioned by the notified body will arrive on the sites to be audited and proceed to the audit without giving the manufacturer prior notice. This type of audit comes in addition to the initial, surveillance or renewal audits of the three-year certification cycle. I.e. European Commission Recommendation 2013/473/EU defines their objectives and procedures for execution as from September 24, 2013, as a result of the breast implant scandal, after which the demand emerged to check medical device manufacturers not only in the context of the ISO 13485, but also to take unannounced and random samples to ensure that the requirements of the QM system are met in everyday work. That requires manufacturer has to be performed at least once every three years, which should last at least a whole day, and should be conducted by a team of at least two auditors. They may take place on the premises of the manufacturer, of critical subcontractors, or of crucial suppliers.

Many industries are moving toward unannounced third-party certification audits and the food industry is no different, because there are a number of benefits to unannounced audits, most importantly is their positive impact on a company’s food safety culture and how they prepare facilities to face sudden inspections If regulatory audits are unannounced, why is the food industry reluctant to adopt unannounced third-party audits?. Typically, regulatory audits such as FDA are always unannounced. Unannounced audits for food are required for many third-party certification audits, because unannounced audits help demonstrate compliance and provide confidence to all stakeholders that your manufacturing sites are operating on the same GMP level, day to day, shift to shift, for every day your organization is manufacturing and distributing food products. Nonetheless with announced audits, companies tend to prepare for them before they occur. However, if there is a significant amount of difference between your sanitary operations prior to and during an announced audit versus normal operating conditions, you are sending your employees the wrong message.

FDA are already practicing unannounced audits for some time and most current example of the unannounced audit official integration is FSSC 22000 version 4.1. Hence, the unannounced audits are mandatory for any organization that is certified under FSSC 22000 version 4.1., whereas the new guidelines, the unannounced audits can be conducted in a period of between 3 and 12 months after the previous audits. While the certification body holds the decision of which audits will be unannounced, the guidelines state that the initial audit and recertification audit can never be unannounced. Thus, this will be soon integrated in to other food safety certifications such as ISO 22000:2018, or even in the ISO audit models where food safety landscape is moving towards a positive direction to improve the health conditions of the food as well as prevention strategies of the food processing industry.

Although there are differences between certification schemes, the GFSI third-party unannounced audits usually have a 40 to 60 day window. Within the period, the audit must be completed to allow the certification body to complete technical reviews and review corrective actions so that the certificate does not lapse. Hence, if it is a surveillance audit, then the audit is more likely to be truly unannounced, but a company still has the option of using blackout dates and the auditor will verify that the request was necessary. The bottom line is most companies have a certain time frame when they know unannounced audits will occur.

Considerations of an Unannounced Audit

The standard/regulatory body usually publishes their own recommendation on how these audits should be carried out, but an aggravation applies to unscheduled audits by notified bodies. For example, the following is to be checked:

Is there a precise intended use description?

Is the product correctly classified?

Are the general performance and safety requirements met?

Are the hazards determined?

Are risks minimized as much as possible?

Is there an acceptable risk-benefit ratio?

A representative of a notified body reported that they would take care, especially in unannounced audits, to check whether the documentation is up to date and whether the products actually comply with the criteria. The first point concerns the development a lot more, the second the production. This prioritization is understandable because, regulatory organizations wants to ensure that food/medical device manufacturers do not, in preparation for regular audits, bring everything to order and in doing so, not comply with the requirements of its own quality management system, or even deliberately violate them. However, with an unannounced audit the manufacturer has no chance, to update or improve outdated or missing developing documents or to conceal missing product tests and to falsify records of product testing.

The Impacts

The biggest impact on third-party audits is when the audit score is directly related to financial incentives for employees, which motivates employees to pursue activities to achieve the maximum score, not directly related to food safety. On the other hand, activities may include significant audit preparation to eliminate or reduce GMP deficiencies, reduce or control the auditor’s access to records or areas of known plant deficiencies and to appeal any audit finding that lowers the score. Hence, switching auditors or appealing findings can be legitimate tools to correct a system when auditors make errors in judgement or behavior. Thus, choice of activities to achieve the highest score should be reasonably governed because they could take away from the primary goal to operate in a food safe mode.

The goal of an internal audit program is to be compliant with regulatory inspections and third-party certification requirements which should be risk-based to actually determine what factors present the most risk to an organization and then align internal audits with those risks. Thus, conducting an unannounced audit to perform well on a regulatory audit should be a primary concern. If your food safety system is primarily audited by FDA, they usually perform unannounced inspections, if it is FSSC 22000, then there will be an opportunity for you to calculate the time line of unannounced auditing time, however in both cases it would seem necessary to have your food safety system, prerequisite programs and operations in a constant state of readiness to mitigate the risk of potentially unsafe food in commerce resulting in a recall.

Self-Evaluation

One way to evaluate organization’s food safety culture is to anonymously survey employees at all levels of the organization to gather information on attitudes and opinions about food safety and institute changes to improve organization’s position. Nonetheless, it is advisable to initiate change by instituting unannounced audits on all manufacturing shifts as a form of internal audits with mandatory participation by all departments in the audit function to move away from QA-centric food safety verification systems. The significant change is that all departments would be involved as an auditor and responsible for maintaining regulatory compliance. For some companies, the inclusion of all departments of the facility in the audit function has moved the needle in the goal to improve their food safety culture. It is also important to enhance food safety culture through adhering to GMPs all the time, while educating the importance of accurately completing and verifying food safety records, and fostering consensus between departments on the severity of food safety non-conformances requiring prompt corrective actions.

For food safety purposes, maintaining GFSI certification is an excellent way to achieve food safety requirements for compliance with FDA unannounced inspections. Although not specifically required by GFSI, another application of your internal audit program is to review your regulatory policy by performing a mock FSSC 22000 inspection to identify any gaps in hazard analysis, identify preventive controls including the supply chain controls, accurately complete food safety records, and provide examples of corrective actions when preventive controls were not completed properly, and environmental corrective actions. On the other hand, if organization decides to perform a mock FDA inspection of the processing facility, do not forget to include the FDA Guidance document criteria, as it is important to understand what the FDA expects to see when they are evaluating FSMS implementation. Organization’s internal audit program is a proactive program to note non-conformances before they become full blown problems, so don’t be afraid to use it to its fullest extent.

Tuesday, November 20, 2018

ISO 22000:2018 Structural Changes – IV

Performance Evaluation

The ISO 22000:2018 revision has changed much on the structure where it has introduced a new section which is called performance evaluation base on the Annex SL format. Since, ISO 22000 is applicable to all organizations in the food and feed industries, regardless of size or sector it needs more integrity to work with combination of other standards. Hence, following the same High-Level Structure (HLS) as other ISO management system standards, such as ISO 9001 (quality management), it is designed in a way that it can be integrated into an organization’s existing management processes but can also be used alone, where integration of performance evaluation has collapse several areas together which are differently considered before. Therefore, following topics has been considered in the given order under performance evaluation.

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal audit

9.3 Management review

Monitoring, Measurement, Analysis and Evaluation

The section specifically discussed on the major requirements of;

a) What needs to be monitored and measured?

specific areas needs to be considered by the management according to the identified food safety hazards, PRPs, OPRPs and CCPs as well as any other requirements specified by interested parties.

b) The methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;

The specific methods to be employed and the requirements to ensure valid results obtained during the operation as to the pre-specified requirements

c) When the monitoring and measuring shall be performed;

The time lines, intervals for specified activities

d) When the results from monitoring and measurement shall be analyzed and evaluated;

Time line for decision making from the outcome

e) Who shall analyze and evaluate the results from monitoring and measurement.

The responsibilities and authorities for decision making

The objective of the section is to prepare documented information of the procedures to be followed during the course of action against predetermined requirements with appropriate methods and practices. The evidence of the results will be collected in a specified manner to support the next steps of the process such as analysis and evaluation, internal audits as well as management review. Thus, section has completely focus on the system performance while connecting each other in a sequential manner. In the previous version of the ISO 22000:2005, management review was one of the first things which came first before anything, but in the new version it has come out at last because after the initial meeting to set up a food safety management system, it is come as a review meeting where you need information, results and outcomes to manage a review.

Analysis and evaluation

As it is specified in the standard “The organization shall analyze and evaluate appropriate data and information arising from monitoring and measurement including the results of verification activities related to PRPs and hazard control plan (8.8 and 8.5.4), the internal audits (9.2) and external audits”. Thus, section should specify the relevant methods that are used evaluate and analyze obtained results as explained in the above section which will be applied here to make decisions based on the system performance. Hence, it further explains where analysis shall be carried out in order to:

a) Confirm that the overall performance of the system meets the planned arrangements and the FSMS requirements established by the organization;

b) Identify the need for updating or improving the FSMS;

c) Identify trends which indicate a higher incidence of potentially unsafe products or process failures;

d) Establish information for planning of the internal audit program related to the status and importance of areas to be audited;

e) Provide evidence that any corrections and corrective actions are effective.

The results of the analysis and any resulting activities are documented as specified and kept for further references during internal or external audits, management reviews as well as to improve the FSMS while identify trends for future considerations.

Internal Audit

As of internal audits, there is no much difference to the scope of the activities from the previous version, most of the standard audit practices are included as the previous version. Hence, if you have a previous audit procedure which can be used in the new system with minimal changes where you should consider anything if you have missed in the following areas given in the standard.

As it explains the organization shall conduct internal audits at planned intervals to provide information on whether the FSMS is conforms to the organization’s own requirements for its FSMS and the requirements of this document, as well as if it is effectively implemented and maintained.

Nonetheless, organization also need to have to plan, establish, implement and maintain an audit program(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes in the FSMS, and the results of monitoring, measurement and previous audits. The program must define the audit criteria and scope for each audit while selecting competent auditors and conduct audits to ensure objectivity and the impartiality of the audit process. Ensure the results of the audits are reported to the food safety team and relevant management while retaining the documented information as evidence of the implementation of the audit program and the audit results. The evidence should further specify the necessary correction and corrective action taken within agreed time frame, to determine if the FSMS meets the intent of the food safety policy (5.2), and objectives of the FSMS (6.2).

In addition, follow-up activities by the organization should include the verification of the actions taken and the reporting of the verification results.

Management Review

As of previous version, management review has no much difference where your previous procedure can be reused with slight modifications. It requests top management to review the organization’s FSMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. Hence, the management review input and the output has no much difference either where your company specifications based on the product manufactured and the requirements of the interested parties may add few more specific requirements to the scope. Thus, only difference is the scope has been widened than the previous version including monitoring, measuring analysis, evaluations and audits.

Management review input

The management review request you to include consideration of:

a) The status of actions from previous management reviews;

b) Changes in external and internal issues that are relevant to the FSMS including changes in the organization and its context (4.1);

c) Information on the performance and the effectiveness of the FSMS, including trends in:

1) Result of system updating activities (4.4 and 10.3);

2) Monitoring and measurement results;

3) Analysis of the results of verification activities related to PRPs and the hazard control plan (8.8.2);

4) Nonconformities and corrective actions;

5) Audit results (internal and external);

6) Inspections (e.g. regulatory, customer);

7) Performance of external providers;

8) Review of risks and opportunities and of the effectiveness of actions taken to address them (6.1);

9) Extent to which objectives of the FSMS have been met.

d) The adequacy of resources;

e) Any emergency situation, incident (8.4.2) or withdrawal/recall (8.9.5) that occurred;

f) Relevant information obtained through external (7.4.2) and internal (7.4.3) communication, including requests and complaints from interested parties;

g) Opportunities for continual improvement.

Considering the above factors it is basically the same management review model without major differences, where it further requests you to present data in a manner that enables top management to relate the information to stated objectives of the FSMS.

Management review output

As usual management output also similar to its predecessor which request to include decisions and actions related to continual improvement opportunities as well as any need for updates and changes to the FSMS, including resource needs and revision of the food safety policy and objectives of the FSMS. The relevant information must be retained as documented information for evidence of the results of management reviews.

While adapting to the new format, the performance of the system is being evaluated and organized under a single section where it has given greater opportunities for merging any ISO standard manufacturer intended to follow. Thus, inclusion of additional audit requirements to a single procedure has been possible with reduction of complexities while adapting a single format.

Reference: ISO 22000:2018 Standard

Monday, November 5, 2018

ISO 22000:2018 Structural Changes – III

The Documentation Process

The major changes in the standard applied in documentation process, since Annex SL format has adjusted its wording from documentation and record keeping to documented information in the recently modified versions of ISO standards. Hence, at the documentation level, the standard has flatten its controls while introducing the bare minimum thus, releasing the complete responsibility to the user, which is one of the best improvements, because standard 3^rd party auditors are crazy and hectic headache to users. They change their documentation requirements from one audit to another, person to person, organization to organization if they couldn’t find any minor concerns, but they mostly ignored major concerns to retain the client. Now company can decide what documents to be kept, at which format, the way they want to document, and what documents are really required based on the process requirements, but it doesn’t mean that company do not require documentation. Thus, there are mandatory documented information as evidence of proper implementation and maintenance, which is mentioned in the standard without basically dictating whether it is a manual or a procedure or a work instruction or something else.

However, considering the documented information, it still requires much more than it asked from the food manufacturer where it is best advised to consider the original documentation model or what we call the documentation pyramid to ease the development of better FSMS. The company can eliminate the manual, but manual can be used as an explanatory document of company’s food safety/quality system which can amalgamate several ISO standards together such as ISO 9001, ISO 22000, ISO 14001, etc. Thus, common Annex SL can be used to setup initial documents and references to the relevant procedures or secondary documents as well as system performance documents, while linking several standard together to build a single company manual. Nonetheless, it also provide the opportunity to club all the relevant documents to a one place while using them in a flattened structure.

Considering the mandatory documented information, the standard still requests to provide hazard analysis, PRPs, CCPs, OPRPs, hazard control plans, and procedures or sort of evidence of protocols for the below mentioned areas. In addition, same procedures and activities are applied to the prerequisite programs and operational prerequisite programs identified according to the risk levels of the product manufactured.

The ISO 22000 management elements are handled through mandatory documented information in addition to the above mentioned areas which consists of;

1. Control of documented information

2. Statutory, regulatory and customer requirements

3. Communication

4. Product identification and traceability

5. Emergency preparedness and response

6. Corrections and corrective actions

7. Handling of potentially unsafe products

8. Withdrawals and recalls

9. Internal audits

10. Management review

Some of these procedures are not requested as procedures directly, but as documented information, but practitioners of ISO 22000 can consider to write them as procedures since it is easier to upgrade from previous model to the new version without much documentation work rather than completely revising the existing system. Nonetheless, some of these requirements are basically identical to ISO 9001, and compatible with its requirements, thus it can be used in harmony if required. The ISO 22000 FSMS has procedure for emergency preparedness and response, which is inherited from reputed safety standards while it is also identical to ISO 9001. The organization and the top management must be prepared to respond to potential emergency situations and accidents that can impact on food safety. These can include incidents such as fire, flooding, bio-terrorism and sabotage, energy failure, vehicle accidents, contamination of the environment, various types of weather-related events, or the impact of a pandemic.

Hence, food safety management system needs to be documented as it requires documented information. This means that the organization must have, as a minimum, a written food safety policy and related objectives, the procedures/way of execution/rules and performance evidence as required by ISO 22000 as well as any other documented information that might need to ensure the effective development, implementation and updating of the system. In addition, organization will not only need to document its policies and procedures but it also need to have a procedure for controlling its documentation and records, because food safety management systems will change over time, as will the people doing the activity. Therefore, one reason for controlling documented information is to ensure that the individual using the document has the most recent version of the document. Part of document control ensures that all the proposed changes are reviewed prior to implementation which determines their effects on food safety and the impact on the management system.

The documentation system is still identical to the ISO 9001 which consisted of four layers in its previous version that has been flatten in the latest revision in 2015. As the organization develops its food safety management system, it has been advised to carefully document its activities. These will include the written food safety policy and related objectives, food safety procedures and the required records as to pervious terminology, even though their names have been changed to a generic documented information. Further, the scope of the required documentation has been extended wherever possible. For example, in establishing your control measures you are required to document your hazard analysis and hazard assessment, including the decision-making process and the selection of control measures, whereas decision making process requires additional categorizations based on two types of logics which require more information than previous version. Nonetheless, organization will have to have evidence of documented information on the validation of its system and verification activities. The work of the food safety team and the management review also require documentation as it was required before.

Prerequisite programs were basically developed as part of good manufacturing practices initially and later-on it was became one of the major components in HACCP, because most of the system developers wanted to keep lowest number of HACCP studies in a system where PRPs were used to cover less critical control points as well as which cannot be measured in real time. In ISO 22000:2005, this uncertainty was addressed with separating real time immeasurable critical control points in to operational prerequisite programs, which was not properly segregated in HACCP, even though later versions of HACCP addressed the issue up to a certain extent. As it didn’t completely cover the gap until the ISO 22000:2005 was released, where ISO 22000:2005 version introduced separation through ISO 22000 decision tree with logical sequence of questions to segregate them. However, most of the users never understand the complete logic behind it in ISO 22000:2005 and they compel to use HACCP decision tree, where there was a great disagreement between many auditors and user to clearly define them. Because, people love logical trees and select CCPs easily, but distinguishing OPRP had great differences which was ignorant in many cases.

Considering the changes in the new version of ISO 22000, it has nominated HACCP plan and OPRP plan as hazard control plan by clubbing both CCP plan and OPRP plan together which is a terminological improvement, rather than system, where standard has struggled to come out of better solution to differentiate, segregation of CCP and OPRP. But the technical committee has not come out with a completely successful solution which practitioners can easily understand. This is one of the major weak points so far in the previous standard, which is still remains a mystery to average users. When considering the private standards like FSSC 22000, it is also depend on the ISO 22000, where they have added additional parameters or streamlined the issues with the ISO 22000, but never address this part of the misunderstanding to the average user completely.

Nevertheless, all prerequisite programs have four common factors which are; address indirect or less critical food safety issues, cover general programs related to food safety and it can be applied to multiple production lines. Momentary failure to meet prerequisite programs seldom results in a food safety hazard. The organization should use documented information of external origin relevant for food safety in its various activities, for example in meeting statutory, regulatory and customer requirements and their interests. The new version has also considered paperless management situations, where electronic documentation has added as part of documented information which may be required to comply with regulatory requirements.

As a whole, ISO 22000 can be considered as a business management tool which links food safety to business processes and encourages organizations to analyze requirements of interested parties, define processes and keep them in control where it enables integration of quality management and food safety management. In this way ISO 22000 FSMS is considered as more focused, more coherent and integrated food safety management system which can satisfy any food safety statutory or regulatory requirements.