Monday, September 17, 2018

ISO 22000:2018 Gap Analysis and Internal Audit


How to Get Started on ISO 22000:2018
How are you going to assess whether your system complies with the ISO 22000:2018 version? This was a critical question raised by several readers recently through my personal mail, so it looks like an interesting area to explore a bit. Let's see what shortcuts are available to evaluate the system gap and how the evaluation should be carried out. If the processing plant is already certified to ISO 22000:2005, it definitely meets most of the requirements, but, critically, not all of the requirements of the 22000:2018 version, since the standard has been updated in several ways; the food safety team's (FST) first act should therefore be to conduct a gap analysis. However, if the plant is not certified for the ISO 22000 FSMS, then it will be a preliminary analysis, and the organization needs to follow a different path: it has to start from scratch, because it is building a completely new system, which does not require understanding the differences between two versions of the same standard. Instead, purchase the new version, study it, and follow the guidelines while building the new system, which is a less complex operation even though you need a much longer time to build and operate it. On the other hand, the selected FST needs to participate in several trainings before starting to build a new system, and at the same time hiring a subject expert will give better relief, since he will guide the organization through the process.

Several readers are keenly interested in internal audits, which actually come at a later stage of system development, because there should be an ongoing system with enough data to evaluate, usually a minimum of three months. Most of the internal audit related activities, basic requirements, process flow and the conduct of audits, as well as their pros and cons, were discussed here long ago, and that information is still applicable and useful. Hence, it is the user's responsibility to find out the basic requirements, as well as good training to update themselves on how to conduct an internal audit or mock audit and how to face third-party audits such as certification audits, surveillance audits, unannounced audits, compliance audits by clients or their third-party nominees, etc. Nonetheless, it is the manufacturer's responsibility to conduct supplier audits at pre-agreed intervals as well as to conduct compliance audits with newly selected suppliers. Thus, it is an endearing work if you know the subject well and are prepared before starting to work on it.

Gap Analysis
Consider that the organization already has an existing ISO 22000:2005 system and is planning to upgrade to the ISO 22000:2018 version; its FST needs to read the standard in the first place. Understanding the technical jargon in the standard will require some time if the FST has less experienced people who are new to the subject, but eventually it will tie into the basics that they already know. Nonetheless, there are ample resources for understanding gap analysis and how to conduct one, posted on many websites and blogs, which you need to read. You should carefully understand the newly adopted requirements in the standard that are not currently available in your existing system. Write down what new requirements have been added and how they have been placed, because ISO 22000:2018 has adopted ISO's Annex SL format, which is also called the high-level structure. Therefore, your system documents need to be adjusted to the new structure while considering the major structural changes proposed.

The structural and contextual changes are also public-domain information right now, because hundreds of articles have already been published about the new changes, and it is the practitioner's responsibility to spend some time on the internet and find them. This will be an easier task than reading the standard or comparing it with the previous version to find out what has changed and wondering how you should apply it. That is actually a job for experts, who already have critical views or explanations about it. So go read the material; don't waste valuable time trying to reinvent something that is already available. This exercise will give you a better understanding of the new changes in the standard, and you have to note down the new features added to the standard as well as the old features omitted from it. The activity will easily cover the gap analysis, which the food safety team leader can conduct as teamwork while exposing his food safety team to updated knowledge. The best option is to participate in some training programs and do the homework to understand the new changes as explained. Assign some of the tasks to your team based on their expertise and subject knowledge, and send your team, or participate yourself, in training on the ISO 22000:2018 new features, or whatever the course for upgrading from the older version is called. The internal audit training should come after the given homework, which will greatly help understanding of the subject.

Nonetheless, follow existing gap analysis models or formats, which you can find on the internet, if you are unable to prepare your own. The best way to work on gap analysis formats is to find some reliable formats and customize them according to your requirements and your understanding of the specific production facility you are working on. Once you complete your gap analysis format, conduct the gap analysis first on the system documents, to understand the gap to be bridged, and then on the evidence that is to be collected as records or documented information. Then move to the production areas to evaluate the practical changes required to amend the system. Among the new changes, "documented information" has replaced the terms previously used in system documentation work. But it is tricky wording: you should still manage all the relevant documents you managed before, maybe more and nothing less. However, they have simplified the process by combining some of the procedures into one, and sometimes the standard demands more procedures or new additions in some areas, such as PRPs.

Internal Audits
The standard has changed a little the way of deciding how to select CCPs and OPRPs, so you need to change your hazard analysis documents to align with it. Nonetheless, the drastic changes are to the wording of the standard rather than to its core. Consider HACCP, which was discussed in the previous version: it has been almost completely eliminated from the standard, but the practices have been kept as they were in most instances, with different wording. The decision making on CCPs and OPRPs has changed slightly; what actually happened is that a new sequence was introduced to the old wording while some new parameters were added, but they have not yet given a clear-cut idea of it.

Back to the internal audits: you need to consider all such small changes in the standard as well as major, drastic changes like the structural changes. Reduce the number of documents you keep here and there, and concentrate them into specific locations from your previous standard while cutting down repetition. Once you have done all these activities, it will be time to conduct a mock audit or test your internal audit system once again. Validation, verification and internal audits are different parts of the internal audit process, hence you need to conduct validation and verification studies for the newly developed or updated system. Initially carry out a complete documentation audit before you move to the production floor. Consider all aspects of the documents, including every minor detail such as date, version, authorization, etc. Once you have completed the documentation audit, conduct validation studies for CCPs and OPRPs. Validation of control measures may require you to adjust or reinvent existing control methods or critical limits, so using an expert or consultant may help reduce the problems you encounter during this process. Nonetheless, you may have to adjust your PRPs according to the new requirements while validating them, or add completely new PRPs with a different set of requirements based on the process. Justify your changes and revalidate where required, while updating the documented verification results for every control point considered.

Once the mock audit, validation, and verification studies are completed, the system needs to run for at least three months to gather reliable information on whether the new system accurately delivers the intended results. Then it is time to conduct a full internal audit on all aspects of the system, while preparing a complete analysis of each area of consideration. The internal audit documents are to be prepared based on the specific requirements of the production, so it is not possible to explain the exact activities required for internal audits other than the usual procedures. However, following generic internal audit requirements will greatly help to cut down the additional time, and you can check out ISO 22000:2018 GENERIC MODEL on the Amazon bookstore, which provides all the basic formats you require. The current version has not introduced drastic changes to internal audits, but there are differences in the process, which you can observe by buying the standard.

ISO 22000:2018 requests the organization to conform to its own requirements for the developed FSMS as well as to ISO 22000:2018, with the FSMS effectively implemented and maintained. Further, the standard demands that the organization a) plan, establish, implement and maintain an audit program(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes in the FSMS, and the results of monitoring, measurement and previous audits; b) define the audit criteria and scope for each audit; and c) select competent auditors and conduct audits to ensure objectivity and the impartiality of the audit process. The organization shall also d) ensure that the results of the audits are reported to the food safety team and relevant management, while e) retaining documented information as evidence of the implementation of the audit program and the audit results. In addition, the organization shall f) take the necessary correction and corrective action within the agreed time frame, while g) determining if the FSMS meets the intent of the food safety policy (5.2) and the objectives of the FSMS (6.2) (reference: ISO 22000:2018).

4 comments:

  1. Dear Sir,

    Can you throw more light on Context of organization, Interested parties and Risks and opportunities for ISO 22000: 2018?

    Replies
    1. This comment has been removed by the author.

    2. Hi Sengar,
      Buy my book, or read it; I have given an answer to your comment there. Thank you very much.

  2. Professionally written blogs are rare to find; however, I appreciate all the points mentioned here. I can suggest to you a website that provides information to become an ISO 22000 auditor, and it is very beneficial for you.
