Tuesday, September 30, 2014

ISO 22000: Externally Developed Combination of Control Measures in Food Safety

Externally Developed Control Measures 


Externally developed combinations of control measures are being created for many segments of the food chain in a wide variety of countries. This work has been done by industry associations, colleges and universities or, in some cases, by governments as an aid to small food businesses that need expert knowledge lacking in their own organizations. Intergovernmental organizations such as the Food and Agriculture Organization of the United Nations (FAO) have also done some work in this area. There are many examples of such programmes for primary production and some for small processors, packers and distributors, truckers, retailers and food service operators.

In this regard, ISO 22000 allows a small and/or less developed organization at any stage of the supply chain (e.g. a farm, a packer-distributor, a processor, a transporter, a retail or food service outlet) to implement an externally developed combination of control measures. This permits an organization to choose between developing its own control measures and using a food safety system developed by an industry association, government agency, university, etc., while customizing it according to the requirements of the company. The option of using an externally developed combination of control measures is important for a small and/or less developed organization, because small organizations may not have the scale or the resources required to undertake the hazard assessment and hazard analysis required by ISO 22000 to develop a site-specific food safety management system, a limitation that affects their business if the organization depends mostly on the export market or on a few specific buyers or a single buyer. In such instances, it is much easier for a company to seek a consultant’s help and to use externally developed food safety measures to control food safety. ISO 22000 states that externally developed combinations of control measures must have been developed as specified. Not all the currently available programmes will meet this requirement, nor have all of them been developed using HACCP principles.

An externally developed combination of control measures that is to meet the requirements of ISO 22000 must be developed in compliance with the exact requirements for the given food business. In particular, the external body must demonstrate that it has followed the steps outlined in the standard for the hazard assessment, hazard analysis and selection of control measures.

ISO 22000 sets out the steps for the development of a food safety management system. Those dealing with the development of control measures are detailed in Clause 7 of ISO 22000. They are particularly rigorous. Organizations that seek to provide generic combinations of control measures for specific segments of the supply chain (e.g. vegetable farmers or truckers or small poultry processing facilities, black tea manufacturers) must show that they have complied with these requirements.

These organizations need to make available to other organizations, and to any third-party auditors, detailed information about:
  1. The food safety team and the competence of team members;
  2. The scope of the combination of control measures;
  3. Product characteristics (e.g. raw materials, ingredients and product contact materials) as well as the end product characteristics and intended use;
  4. Generic flow diagrams and site schematics;
  5. Descriptions of process steps and control measures;
  6. Details of the hazards identified and their acceptable limits;
  7. Hazard assessment;
  8. Selection of the control measures;
  9. Prerequisite programmes, including both those initially selected and those determined by the hazard analysis;
  10. Operational prerequisite programmes;
  11. Critical control points and their critical limits, etc.;
  12. Program elements concerning control of nonconformity, verification, etc.;
  13. Results of validations.


An external organization providing a commodity or segment-specific combination of control measures is taking on a long-term obligation. Just as an organization developing its own control measures must have in place a process for evaluating effectiveness and updating the system, the external organization must have the same specific controls.

Externally developed combinations of control measures will have been established using a generic model (e.g. a set of facilities, processes, operational circumstances, etc.) which reflects the most likely situations for a small organization producing the specified products. As a result, the control measures will require adaptation to your organization and its operations.

A small organization must adapt any externally developed combination of control measures to its own specific processes. The control measures will have been developed based on certain assumptions, which should be clearly stated in the material provided to that organization. The organization’s food safety team needs to review these control measures in detail to determine whether or not they correspond to the circumstances within the organization. For example, the team must review the process flow diagram and conduct an on-site verification to identify any significant differences that might result in new hazards entering the generic system or require changes to control measures (PRPs, operational PRPs and CCPs). The organization also needs to take into account the differences between regulatory or customer requirements in the generic model and the requirements applicable to the company’s operation. The process of adopting and then adapting an externally developed combination of control measures is not simply one of following the “guide”. The company’s food safety team needs to assure itself that the guide’s recommendations fit the organization’s circumstances. The team should document the review and provide records that demonstrate it has undertaken the required comparisons, made the necessary changes, etc. If the company uses an externally developed combination of control measures, the organization will have to demonstrate that such measures have been implemented and are being operated in accordance with all the other requirements of ISO 22000.


The implementation of an externally developed combination of control measures is in principle and practice no different than implementing a set of control measures developed internally. For example, the organization needs to undertake training, monitoring and verification activities, as well as engage in the evaluation and updating of the food safety management system. An externally developed combination of control measures reduces the burden of the development phase but does not limit the given organization’s responsibility and accountability for implementation of the food safety management system.

Monday, September 15, 2014

ISO 22000: Documentation

Document Management
A document management system is a system (in the case of the management of digital documents based on computer programs) used to track and store documents. It is usually also capable of keeping track of the different versions modified by different users (history tracking). The term has some overlap with the concepts of content management systems. It is often viewed as a component of enterprise content management (ECM) systems and related to digital asset management, document imaging, workflow systems and records management systems.

A food safety management system needs to be documented. This means any organization that intends to have an ISO 22000 food safety management system must have, as a minimum, a written food safety policy and related objectives, the procedures and records required by the ISO 22000 standard and any other documents that it might need to ensure the effective development, implementation and updating of the food safety management system.

The documentation provides a complete history of operations carried out on a system, whether they relate to documents or user accounts. Typical history information that may be required is:
Who reviewed a document?
What were their comments?
When was the document approved?
Which customers received this version of the document?

With traceability such an important aspect of ISO 22000, this feature provides an invaluable mechanism for making such history information readily available to all users.

Inform Users of Document Changes
Inform the user of a new document release.
Notify them that a document has been updated and requires their review.
Remind the user that they have a document requiring their review if the requested review date has passed.
Request their approval of a document for release.
Notify a user that a document has been withdrawn and is no longer available.
Users may also take actions such as “putting a watch” on a particular document that they care about such that if it is updated they are notified.

It is mandatory to guard against over-complicating the documentation and it will be a good idea to invest some time in carefully researching what your organization will need. The organization or its staff may require some training. Many of the certification bodies have posted information on their Web sites that will assist you in understanding the basic concepts of documentation. At this time, most of these will be written from either the ISO 9001 (Quality management) or the ISO 14001 (Environmental management) perspective, but the basic principles will also apply to the ISO 22000 food safety management system.

Documentation should be seen as a tool to help your employees do their jobs properly. It should not be seen as a burden or needless expense. There are some simple questions that you can ask yourself, to determine whether or not the documents or the words in a document add value to your management system:
  1. Does anyone really need this document or read this section of the document?
  2. Does proper performance of the activity affect the safety of the product, service or process?
  3. What is the cost if an activity is not done correctly? Some of the costs include the cost of reworking a product, the cost of recalling a product because of a food safety hazard, and the cost of litigation if customers become sick because of a food safety incident in the marketplace. The costs can be major for any size business. For example, a product recall can cost a food processor several millions of dollars.
  4. Is a statement or document really necessary? Is the same requirement addressed elsewhere? Can I just include a reference?
  5. Is a document just mumbo-jumbo that really doesn’t tell anyone anything? Do I understand it and will my employees understand it?
  6. Am I really reviewing this document or am I just signing it, hoping that other people review the document to ensure its accuracy?

Typically, if an activity is not performed on a regular basis, there is a need to document it. The amount of documentation can be reduced through training and education (Example: Sanitize the counter).

ISO 22000 states that a food business must have the documents required for the development, implementation and updating of its food safety management system.

Following the analysis, we will have a comprehensive view of which documents are required. Once these documents have been identified, it will be necessary to analyze in which process they should be generated and how they should be handled, studying the procedures and responsibilities associated with their management. That is, document processes must be defined. In this respect, ISO requires defining how documents will be created and how they will be approved before being issued, and explaining how further review will be carried out to ensure their updating. These three elements are the key document processes: creation, approval and review.

In addition, the Standard states that a written procedure must be defined to establish:

Documents Identification
Documents must incorporate some type of control to allow their clear identification.
Storage
The organization must define a plan to file/store all the relevant generated documents.
Security
Documents, depending on their format and way of storage, require the implementation of protection methods, for instance, the generation of back-up copies.
Retrieval
Documents are created to be used, or potentially used, in the future. When retrieval of documents is complex, specific retrieval methods must be implemented.
Retention period
Documents contain information on past facts that can be meaningless and useless in the future. The organization must define how long documents must be preserved.
Disposition
The term refers to the ordered arrangement and distribution of documents. This requirement is closely related to storage. The organization shall define in writing the management and distribution methods that are needed to easily locate documents.

The documentation requirements of management systems are often illustrated using a pyramid, as in Figure 1, with a series of levels, usually numbered from the top, 1-4.


Figure 1 – Documentation

Level 1 – requirements are the policy statements.
Level 2 – describes your procedures.
A documented procedure should cover the following key elements:
Title – to clearly identify it;
Purpose – to explain why the procedure exists (this may be written in the standard itself);
Scope – to describe what the procedure covers and its application (i.e. every product, service, department or document this procedure applies to);
Responsibility – to clearly set out “who” is responsible;
Activities – a clear description of actions covered by the procedure (i.e. the what is to be done as well as the when, where and how);
Records – if any, required;
Record of revision – this section should include “what” or “where” the change occurred, the new revision and the approvals.

Documented Procedures
ISO 22000 states that you must have documented procedures for:

Control of documents;
Control of records;
Potentially unsafe products;
Corrections;
Corrective actions;
Withdrawals;
Internal audits.

Level 3 – Work Instructions
Level 3 refers to work instructions. These should describe how a procedural step is performed by one job title or function. They should include the “action(s)” and the “record of revision”. Start work instructions with a verb. There is no need to state responsibility since this is already set out in the procedure. If you are writing a work instruction where there are different people responsible for different tasks, then this document, or a portion of it, should be in a procedure.

Level 4
Level 4 documentation includes forms, checklists, flow charts, templates, “data collection” documents, other job aids (e.g. signs) and records. There tends to be some confusion between documentation and records. Documents provide a description of how to do an activity. Records are a special type of document that are to be established, maintained and controlled to provide evidence of conformity to requirements and evidence of the effective operation of your food safety management system. Records must be legible, readily identifiable and retrievable. They provide a history, to demonstrate that you have followed your documentation descriptions.

As your organization develops its ISO 22000 food safety management system, it will be required to carefully document its activities. These will include the written food safety policy and related objectives, your procedures and the required records as noted above. However, the scope of the required documentation is much broader. For example, in establishing your control measures you are required to document your hazard assessment and your hazard analysis, including the decision-making process and the selection of control measures. Your organization will also have to document the validation of your system and its verification activities. The work of the food safety team and the management review also require documentation.

Document Control
Understanding all the requirements for documentation and establishing a process to ensure that your organization initiates and maintains the required documentation should be one of the first tasks undertaken once you decide to start to develop a food safety management system. The documents related to the ISO 22000 food safety management system must be controlled to ensure that they are approved prior to issue, reviewed and updated as necessary, properly identified and available where and when needed, legible, etc. This facilitates their use and prevents the unintended use of obsolete documents.

Your business will not only need to document its policies and procedures but it will have to have in place a procedure for controlling its documentation, including records. Food safety management systems will change over time, as will the people doing the activity. Therefore, one reason for controlling documents is to ensure that the individual using the document has the most recent version of the document.

Part of document control ensures that all the proposed changes are reviewed prior to implementation so you can determine their effects on food safety and their impact on your management system. This procedure will cover the controls/processes for:
Approval of documents for adequacy, prior to use;
Reviewing and updating documents (and re-approval);
Identification of all changes to and the current revision status of the document;
Availability of the current version, at points of use;
Ensuring that documents are legible and readily identifiable;
Identifying documents of external origin and controlling their distribution;
Preventing the unintended use of obsolete documents and, if they are retained, ensuring that they are suitably identified.

Records
Records are a special type of document that provides evidence of conformity to requirements and of the effective operation of the food safety management system. They need to be legible, readily identifiable and retrievable. They are defined as “stating results achieved or providing evidence of activities performed”. Some examples might include evidence of the work of your food safety team, the decisions from your management review, the results of internal or external audits, the paper or electronic output of monitoring equipment, etc. The ISO 22000 food safety management system does not limit the format of either documents or records, but it does require that records be legible, readily identifiable and retrievable. This means they can be on paper, electronic or in picture or other illustrative formats. You will need to have a procedure to define how you plan to identify, store, protect, retrieve and dispose of records. This procedure must define the retention times for various records. These times may be set by statute or regulation. When deciding on retention times you must consider the food safety aspects of the record and, as a minimum, define the retention time in relation to your product’s intended use and expected shelf-life.

Tuesday, September 9, 2014

ISO 22000: Communication

Communication
Global challenges need global solutions, and ISO, through its national members and organizations in liaison, has a unique framework for bringing together the international expertise that can develop these solutions, and for disseminating them in an orderly and effective manner. ISO standards also ensure that innovative solutions can be transferred to developing countries so that the benefits are also available on a global basis.

Innovative technologies, interconnectivity and global availability raise issues related to intellectual property rights. By allowing patented technologies to be embedded and signaled in its standards, under fair and nondiscriminatory conditions, ISO is ensuring the continuing interplay between innovation and standardization, and that great ideas are brought to market.

ISO 22000:2005, Food safety management systems – Requirements for any organization in the food chain, is the first management system standard on food safety to go beyond the recommendations put forward in 1993 by the Codex Alimentarius Commission. Inevitably, the arrival of this brand new standard with its updated approach is accompanied by issues of interpretation and how to meet its requirements. These innovations mainly relate to the interpretation, consistency and thoroughness of the HACCP method of controlling food safety hazards. Indeed, ISO 22000 is the first standard that not only endorses the Codex Alimentarius recommendations, but also attempts to fill the gaps and inconsistencies brought to light by 13 years of accumulated experience with HACCP.

Interactive Communication 
Interactive communications is an exchange of ideas where both participants, whether human, machine or art form, are active and can have an effect on one another. It is a dynamic, two-way flow of information. Many forms of communication previously thought one-way, like books and television, have become interactive with the rise of computers, the Internet, and digital and mobile devices. These developing collaborative technologies, or new media, have rapidly increased the opportunities for interactive communication across mediums, disciplines, cultures, social classes, locations, and even time. Interactive communication is a modern term that encompasses these evolving forms of conversation. It is a primary characteristic of the present Information Age. New experiments in interaction design are evolving on a daily basis.

Effective interactive communication strategies can help you give and receive the input and feedback you need to run your food safety system effectively. Good business communication skills have the potential to eliminate or reduce food safety risks, food hygiene issues, workplace mistakes, oversights and interoffice conflict. A proactive stance to productive modes of communication, whether electronic or in person, can also improve efficiency and productivity in your food manufacturing environment. In ISO 22000, external communication relates to food safety hazards throughout the food chain (upstream and downstream), while internal communication ensures that the HACCP team is informed in real time of all changes (e.g. raw materials, facilities and installations, recipes, requirements, etc.) likely to affect the system.

Establish Communication Preferences
Ask employees and team leaders about their preferences for exchanging job relevant information. Some people might prefer electronic forms of interactive communication, while others might be more comfortable in face-to-face or group settings in which information is exchanged verbally. Once you understand the ways that your employees prefer to interact, you can tailor your approach to best meet individual needs.

Develop Communication Policies
Communication policies can help you define the parameters in which you want employees to work when it comes to information exchange. For example, you can develop guidelines for sending emails, copying others, forwarding messages and even the appropriate response time for answering queries. Also develop telephone and written communication guidelines and outline when it is appropriate to use one form over another. When employees understand what you want from them in terms of interactive communication, they are better able to comply.

Use Technology When Appropriate
Interactive communication can be facilitated through a variety of electronic mediums, including video-conferences and teleconferences. While this allows for a wider range of business communication channels, sometimes in-person communication is more appropriate and effective. Examples include instances when team members have not met in person for a period of time, when a discussion topic is complex, there are numerous participants, or where it’s important to read non-verbal signals and cues from one another. When using interactive technology, make an effort to include everyone just as you would in a live meeting.

According to ISO 22000
Clause 5.6.1 External Communication
How is sufficient information provided to all involved in the food chain?
How is it determined which external bodies to communicate with?
Who is/are the designated responsible person(s) for external communications?
Are records of external communications maintained (record samples seen)?
How are statutory, regulatory and customer food safety requirements communicated (record samples seen)?

Clause 5.6.2 Internal Communication
What are the internal communication processes?
How is the food safety team updated as required on items a-m of the standard?
Are communications understood at all levels of the company (record the names and positions of the persons interviewed)?

This is taken directly from the standard, but the key is that you determine which significant issues are to be communicated; if you determine that everything is significant, then you will have a massive amount of paperwork to deal with. This means the hazard analysis needs to have been effective and that you can justify the ranking of hazards.

Responsibility for food safety is shared along the food chain. To ensure that sufficient information on food safety issues is available throughout the chain, organizations need to establish mechanisms for effectively communicating with their suppliers and contractors, customers or consumers, statutory and regulatory authorities and others that have an impact on, or will be affected by, the effectiveness or updating of their system. It is particularly important to provide information about food safety hazards that need to be controlled by other organizations along the chain.

ISO 22000 identifies the following four “pillars” of a food safety management system:

Interactive communication;
System management;
Prerequisite programmes;
HACCP principles.

Communication should ensure that the necessary interactions occur within the organization and along the food supply chain. External communication should ensure that any relevant hazards are controlled at the appropriate steps in the food chain. It provides the method by which the organization and the external organizations agree by contract, or other means, upon the level of food safety required and on the capability of delivering to the agreed requirements.

External communications are planned activities. Channels of communication should be established. Therefore, your organization must identify the organizations involved in this activity. The external organizations include suppliers, customers, trade organizations and statutory or regulatory authorities. You will also need to consider whether or not your organization must communicate directly with consumers. With respect to food safety hazards, your organization needs to take the initiative in communicating and securing information about: 

Food safety hazards that it may not or cannot control and which consequently need to be controlled at other steps in the food chain (e.g. by your suppliers or customers or by consumers);
The levels of food safety that your organization requires or can attain as the basis for mutual acceptance with your suppliers or your customers;
Withdrawal of nonconforming product(s);
Newly identified hazards or changes to your food safety management system that impact on the food safety management systems of your suppliers or customers;
Statutory or regulatory requirements in your country or in foreign markets if your products are exported.

One of the responsibilities of the food safety team leader may be liaison with external parties on matters relating to food safety. This could include communication about hazards, control measures, supplier or customer requirements, withdrawals, etc.

Employees must be assigned specific responsibilities for liaison with external organizations on food safety matters. The person may be the food safety team leader or another employee (e.g. marketing manager). The organization must ensure that the internal channels of communication facilitate the flow of information to the food safety team in a timely manner. New information about hazards and changes in customer requirements, supplier capability, statutes or regulations, etc., must be incorporated into your food safety management system. New information about your system needs to be communicated to your suppliers, customers, regulatory or statutory authorities and consumers, as required. Information about food safety issues needs to be retained. In addition, the organization needs to have available the food safety requirements from statutory or regulatory authorities and customers.

To demonstrate that your organization has undertaken the appropriate external communications with suppliers, customers and statutory or regulatory authorities, you will need to keep records or have access to the information. In the case of statutory or regulatory requirements, it may be difficult for small or medium-sized businesses to keep up to date. Government offices or Web sites as well as those of associations representing your sector are likely to be good sources of information. You need to assure yourself that the version you are using is the most recent and you will need to have in place a process for regularly updating these external documents. ISO 22000 demands either availability or accessibility. This means you may not need to have materials on site – you may just need to know where and when you accessed them and be able to do so again. One way of accomplishing this is to bookmark a webpage on your Web browser program. Your procedure must also comply with any stated regulatory requirements.

You will also need to provide evidence of your communications with suppliers, customers and statutory or regulatory authorities. These records should include the information that you have exchanged about your food safety management systems, the hazards your team has identified, etc. Your purchasing specifications and the contracts can also be part of these records. Contracts can include information about food safety issues, such as microbiological requirements, etc.

Internal communication is just as important as external communication in ensuring that your organization’s system is effective. Any changes, such as the planned introduction of new products or changes to current products, processes or production systems and equipment, need to be taken into account. The food safety team must have this information in a timely manner so that it can be included in the updating of the food safety management system.

Your food safety management system needs to be fully integrated into the planning processes within your organization. The food safety team needs to be made aware of changes in processes and products since these changes may affect food safety.

Examples of process or product changes include:
Products or new products;
Raw materials, ingredients and services;
Production systems and equipment;
Production premises, location of equipment, surrounding environment;
Cleaning and sanitation programmes;
Packaging, storage and distribution systems;
Personnel qualification levels and/or allocation of responsibilities and authorizations;
Statutory and regulatory requirements;
Knowledge regarding food safety hazards and control measures;
Customer, sector and other requirements that the organization observes;
Relevant inquiries from external interested parties;
Complaints indicating food safety hazards associated with the product;
Other conditions that have an impact on food safety.