Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
1
TD54 (V4)
1.1. ISO 22000 certificate statistics
1.2. Revision of the Standards
ISO standards are usually revised every 5 years. The revision of the 2005 version was only completed in 2018. The benefits of the new ISO 22000 Standard include:
Greater emphasis on leadership engagement
A structured approach to address organisational risks and opportunities
The use of simplified language, common structure and terms
The new Standard can be easily integrated with other management systems, such as
quality, environmental and health and safety.
Module 1 Structure of the new ISO 22000 Standard, key aspects and overview of the changes
133 266 356 717 637 802 9491130 1281 105992 247 257
414 451 585 639739 740 576
49 48 103181 231 321
344 533534
2782749
48656050
7083 73618307
935710181
1118111083
704
1541
5247
82718906
1108510306
12007
14666 15505
281
960
1393
14141330
15221936
2370
2772 2636
114
258
432
500435
656684
730
887 1002
,0
5,000
10,000
15,000
20,000
25,000
30,000
35,000
2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
ISO 22000 - Worldwide total
Middle East
Central and
South Asia
East Asia and
Pacific
Europe
North America
Central / South
America
Africa
2
TD54 (V4)
The main differences between the old and new Standards are:
• The new Standard adopted the new high-level structure
• There is an explicit requirement for risk-based thinking
• The new Standard has less prescriptive requirements
• There is more flexibility regarding documentation
• There is increased emphasis on the organisational context
• There are increased leadership requirements.
The FSSC 22000 version 5 was developed with inputs from stakeholders such as representatives from Certification Bodies, Accreditation
Bodies, training organisations and industry. The development project was managed by the FSSC 22000 team with guidance by the FSSC 22000 advisory Committee and Board of stakeholders.
1.3. New structure of the ISO 22000 Standard
ISO management system Standards will have the same structure in future. This structure makes it possible to address multiple management system requirements in a single system and provides
the opportunity of integrating management systems. Standardised core definitions will be used.
The Standard is divided into 10 clauses:
Clause 1 is the scope.
Clause 2 outlines normative references.
Clause 3 stipulates terms and definitions.
Clause 4 – 10 are the requirements that should be met by an organisation seeking ISO 22000
certification – these are outlined in the table.
The following must be considered when reading the ISO 22000 standard:
Clause ISO 22000:2005 clauses ISO 22000:2018 clauses
Clause 1: Scope Scope
Clause 2: Normative Reference Normative References
Clause 3: Terms and Definitions Terms and Definitions
Clause 4: Food safety management system Context of the organization
Clause 5: Management Responsibility Leadership
Clause 6: Resource Management Planning
Clause 7: Planning & realisation of safe
products Support
Clause 8: Validation, verification and
improvement of the FSMS Operation
Clause 9: - Performance evaluation
Clause 10: - Improvement
IMS
Food safety
Quality Environment
Health &
safety
SHALL
indicates a requirement
SHOULD
indicates a recommendation
MAY
indicates a permission
CAN
indicates a possibility or a
capability
NOTE
guidance in understanding or
clarifying the requirement
3
TD54 (V4)
Context of the organisation
•4.1 Understanding the organisation and its context
•4.2 Understanding the needs & expectations of interested parties
•4.3 Determining the scope of the FSMS
•4.4 FSMS
Leadership
•5.1 Leadership & commitment
•5.2 Policy
•5.3 Organisational roles, responsibilities & authorities
Planning
•6.1 Actions to address risks & opportunities
•6.2 Objectives of the FSMS & planning to achieve them
•6.3 Planning of changes
Support
7.1 Resources
7.2 Competence
7.3 Awareness
Operation
8.1 Operational planning & control
8.2 PRPs
8.3 Traceability system
8.4 Emergency preparedness & response
8.5 Hazard control
Performance evaluation of the FSMS
9.1 Monitoring, measurement, analysis & evaluation
9.2 Internal audit
9.3 Management review
Improvement of the FSMS
10.1 Nonconformity & corrective action
10.2 Continual improvement
10.3 Update of the FSMS
4
5
6
7
8
9
10
Pla
n
Do
C
he
ck
Act
7.4 Communication
7.5 Documented information
8.6 Updating the information specifying
the PRPs and hazard control plan
8.7 Control of monitoring & measuring
8.8 Verification related to PRPs & the
hazard control plan 8.9 Control of product & process
nonconformities
4
TD54 (V4)
1.4. Timeline for FSSC version 5 audits
• Companies will be audited against version 5 between 1 January and 31 December 2020.
• Initial audits (stage 1 and 2) must be performed against the same version requirements.
• Upgrade audits for surveillance and re-certification must be performed announced, unless the company would like it to be unannounced.
• Audits against FSSC 22000 version 4.1 are only allowed latest 31/12/19.
• Upgrade audits against FSSC 22000 version 5 must be performed between 1 January and 31 December 2020.
• Under extraordinary circumstances, the version 5 upgrade could take place in 2021, however this process must be completed in accordance with the FSSC scheme requirements and before the
29/06/21. After this date, version 4.1 certificates will expire and the certification process will start again to regain certification.
• It will not be mandatory to add additional on-site audit time to assess the implementation of FSSC 22000 version 5. The following scenarios are possible:
2018 2019 2020 2021 2022
Version 4.1, surveillance 1 upgrade
audit
Version 4.1, surveillance 2
unannounced audit Version 5 recertification
Version 5, surveillance 1 announced
or unannounced audit
Version 5, surveillance 2 announced
or announced audit
Version 4.1, surveillance 2 upgrade
audit Version 4.1 recertification
Version 5, surveillance 1 upgrade
audit
Version 5, surveillance 2
unannounced audit Version 5 recertification
Version 4.1 recertification Version 4.1, surveillance 1
announced audit
Version 5, surveillance 2 upgrade
audit Version 5 recertification
Version 5, surveillance 1 announced
audit
Version 4.1 recertification Version 4.1, surveillance 1,
unannounced audit
Version 5, surveillance 2 upgrade
audit Version 5 recertification
Version 5, surveillance 1 announced
or unannounced audit
1.5. ISO 22000 terms & definitions
ISO 22000:2005 listed 17 definitions. There are now 45 definitions in ISO 22000:2018. An overview is provided:
ISO 22000:2018 ISO22000:2005
Clause no Comment
Term Description Clause
no
Acceptable level Level of a food safety hazard not to be exceeded in the end product provided by the organisation. 3.1 - New
Action criterion Measurable or observable specification for the monitoring of an OPRP. 3.2 - New
Audit Systematic, independent and documented process for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled. 3.3 -
New in ISO22000, used as per
ISO9001
Competence Ability to apply knowledge and skills to achieve intended results. 3.4 - New in ISO22000, used as per
ISO9001
Conformity Fulfilment of a requirement. 3.5 - New in ISO22000, used as per
ISO9001
Contamination Introduction or occurrence of a contaminant including food safety hazard in product or processing
environment. 3.6 - New
5
TD54 (V4)
ISO 22000:2018 ISO22000:2005
Clause no Comment
Term Description Clause
no
Continual
improvement Recurring activity to enhance performance. 3.7 -
New in ISO22000, used as per
ISO9001, slightly adapted
Control measure Action or activity that is essential to prevent a significant food safety hazard or reduce it to an acceptable
level. 3.8 3.7 Adapted
Correction Action to eliminate a detected nonconformity. 3.9 3.13 No changes
Corrective action Action to eliminate the cause of a nonconformity and to prevent recurrence. 3.10 3.14 Slightly adapted
Critical control
point
Step in the process at which control measure(s) is (are) applied to prevent or reduce a significant food
safety hazard to an acceptable level, and defined critical limit(s) and measurement enable the application
of corrections.
3.11 3.10 Adapted
Critical limit Measurable value which separates acceptability from unacceptability. 3.12 3.11 Slightly adapted
Documented
information
Information required to be controlled and maintained by an organisation and the medium on which it is
contained. 3.13 -
New in ISO22000, used as per
ISO9001
Effectiveness Extent to which planned activities are realised and planned results achieved. 3.14 - New in ISO22000, used as per
ISO9001
End product Product that will undergo no further processing or transformation by the organisation. 3.15 3.5 No changes
Feed
Single or multiple product(s), whether processed, semi-processed or raw, which is (are) intended to be
fed to food producing animals.
NOTE:
• Food is intended for consumption by humans and animals, and includes feed and animal food; • Feed is intended to be fed to food producing animals;
• Animal food is intended to be fed to non-food producing animals like pets.
3.16 - New
Flow diagram Schematic and systematic presentation of the sequence and interactions of steps in the process. 3.17 3.6 No changes
Food
Substance (ingredient), whether processed, semi-processed or raw, which is intended for consumption,
and includes drink, chewing gum and any substance which has been used in the manufacture,
preparation or treatment of “food” but does not include cosmetics or tobacco or substances (ingredients)
used only as drugs.
3.18 - New
Food, animal Single or multiple product(s), whether processed, semi-processed or raw, which is (are) intended to be
fed to non-food producing animals. 3.19 - New
Food chain Sequence of the stages in the production, processing, distribution, storage and handling of a food and
its ingredients, from primary production to consumption. 3.20 3.2 No changes
Food safety Assurance that food will not cause an adverse health effect for the consumer when it is prepared and/or
consumed in accordance with its intended use. 3.21 3.1 Slightly adapted
Food safety
hazard
Biological, chemical or physical agent in food with the potential to cause an adverse health effect.
Note 2: Food safety hazards include allergens and radiological substances.
3.22 3.3 Adapted
Interested party Person or organisation that can affect, be affected by, or perceive itself to be affected by a decision or
activity. 3.23 -
New in ISO22000, used as per
ISO9001
Lot Defined quantity of a product produced and/or processed and/or packaged essentially under the same
conditions. 3.24 - New
6
TD54 (V4)
ISO 22000:2018 ISO22000:2005
Clause no Comment
Term Description Clause
no
Management
system
Set of interrelated or interacting elements of an organisation to establish food safety policies and
objectives and processes to achieve those objectives. 3.25 - New
Measurement Process to determine a value. 3.26 - New in ISO22000, used as per
ISO9001
Monitoring Determining the status of a system, a process or an activity. 3.27 3.12 Adapted
Nonconformity Non-fulfilment of a requirement. 3.28 - New in ISO22000, used as per ISO9001
Objective Result to be achieved. 3.29 - New in ISO22000, used as per ISO9001
OPRP Control measure or combination of control measures applied to prevent or reduce a significant food safety hazard to an acceptable level, and where action criterion and measurement or observation enable
effective control of the process and/or product.
3.30 3.9 Adapted
Organisation Person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives. 3.31 -
New in ISO22000, used as per
ISO9001
Outsource Make an arrangement where an external organisation performs part of an organisation’s function or
process. 3.32 -
New in ISO22000, used as per
ISO9001
Performance Measurable result. 3.33 - New in ISO22000, used as per
ISO9001
Policy Intentions and direction of an organisation as formally expressed by its top management. 3.34 3.4 No changes
PRP Basic conditions and activities that are necessary within the organisation and throughout the food chain
to maintain food safety. 3.35 3.8 Adapted
Process Set of interrelated or interacting activities which transforms inputs to outputs. 3.36 - New in ISO22000, used as per
ISO9001, but slightly adapted
Product Output that is a result of a process. 3.37 - New in ISO22000, used as per
ISO9001, but slightly adapted
Requirement Need or expectation that is stated, generally implied or obligatory. 3.38 - New in ISO22000, used as per
ISO9001
Risk Effect of uncertainty. 3.39 - New in ISO22000, used as per
ISO9001
Significant food
safety hazard
Food safety hazard identified through the hazard assessment, which needs to be controlled by control
measures. 3.40 - New
Top management Person or group of people who directs and controls an organisation at the highest level. 3.41 - New in ISO22000, used as per
ISO9001
Traceability Ability to follow the history, application, movement and location of an object through specified stage(s)
of production, processing and distribution. 3.42
New in ISO22000, used as per
ISO9001, but slightly adapted
Update Immediate and/or planned activity to ensure application of the most recent information. 3.43 3.17 No changes
Validation Obtaining evidence that a control measure (or combination of control measures), will be capable of effectively controlling the significant food safety hazard.
3.44 3.15 Slightly adapted
Verification Confirmation, through the provision of objective evidence, that specified requirements have been
fulfilled. 3.45 3.16 No changes
7
TD54 (V4)
1.6. ISO 22000 family of Standards The family of Standards include:
Because FSSC 22000 emphasises the concept that safe food can only be assured through a combined effort from all the
stakeholders in the food chain, technical Standards are developed for each sector in the food chain. The following Standards have
been developed:
1.7. ISO 22000 concepts
ISO 22000 acknowledges three concepts that embedded into the Standard.
Process approach
It is important to understand and manage interrelated processes as a coherent system to enhance effectiveness and efficiency in achieving
required results. Processes and their interactions should therefore be defined and managed. This will enable execution of food safety policy and
strategic direction of the organisation.
Food safety management systems - requirements for any organisation in the food chain
Pre-requisite programmes
Food safety management systems - requirements for bodies providing audit and certificationof food safety management systems
Food safety management systems - guidance on the application of ISO 22000
ISO/TS22002-1 Food manufacturing
ISO/TS22002-2 Catering operations
ISO/TS22002-3 Farming operations
ISO/TS22002-4 Food packaging manufacturing
ISO/TS22002-5 Transport & Storage
ISO/TS22002-6 Production of animal feed
ISO 22000
Process
approach
PDCA-
cycle
Risk-based
thinking
ISO/TS22004
ISO/TS22003
ISO/TS22002-x
8
TD54 (V4)
Plan-do-check-Act cycle
The PDCA cycle can be applied to all processes and to the food safety management system itself. It should be applied with an overall
focus on risk-based thinking aimed at taking advantage of opportunities and preventing undesirable results.
Establish the objectives of the system and its processes and the resources required to deliver results in accordancewith customer requirements and the organisations' policies, and identify and address risks and opportunities.
Implement what was planned.
Monitor and (where relevant) measure processes and the resulting products and services, analyse and evaluateinformation and data from monitoring, measuring and verification activities, and report the results.
Take actions to improve performance, as necessary.Act
Plan
Check
Do
9
TD54 (V4)
Risk-based thinking
Within the ISO 22000 context, there are two levels of risk:
1.8. FSMS principles
Food safety relates to the presence of food safety hazards at the time of consumption. These hazards can however occur at any stage of the food
chain and therefore, controls throughout the food chain is essential. Food safety can only be ensured through the combined efforts of all the parties
in the food chain. Key elements required are outlined in the diagram:
Organi-
sational
risk
Operational risk
Clause 6 -Planning
(risks & opportunities)
•Addressing risks establishes a basis for increasingthe effectiveness of the food safety managementsystem, achieving improved results andpreventing negative effects.
Clause 8 -Hazard analysis
•The steps of the hazard analysis can be consideredas necessary measures to prevent or reducehazards to acceptable levels to ensure safe food atthe time of consumption.
Interactive communication
System management
PRPs
Hazard analysis & critical control point (HACCP)
principles
10
TD54 (V4)
1.9. Management principles
ISO 22000 is based on 7 management principles which are common to ISO management system standards. These principles are fundamental rules or beliefs for an organisation, with the aim of
continually improvement performance over the long term through customer focus and addressing the needs of all other stakeholders. These principles are aimed to guide the organisation towards
improved performance. The management principles should be woven through the entire management system and should be applied consistently throughout the organisation. These are:
Principle 1: Customer focus
• Understand the needs of existing and future customers
• Align organisational objectives with customer needs and expectations
• Meet customer requirements
• Measure customer satisfaction
• Manage customer relationships
• Aim to exceed customer expectations
Principle 2: Leadership
Leaders at all levels establish unity of purpose and direction and create conditions in which people are engaged in achieving the
quality objectives of the organisation.
Principle 1:
Customer focus
Principle 2:
Leadership
Principle 3:
Engagement of people
Principle 4:
Process approach
Principle 5:
Improvement
Principle 6:
Evidence-based decision making
Principle 7:
Relationship management
The primary focus of quality management
is to meet customer requirements and to
strive to exceed customer expectations
11
TD54 (V4)
• Establish a vision and direction for the organisation
• Set challenging goals
• Model organisational values
• Establish trust
• Equip and empower employees
• Recognize employee contributions
There is a difference between management and leadership:
Aspect Manager Leader
1 Managers manage things, leaders lead
people
• Management is structural
• Management put emphasis on systems, tools, structures & functions in an organisation.
• Leadership is personal
• Leaders emphasise its people & their personalities & behaviours.
2 Managers divide things to get things done
leaders unite people to get things done
• Management is a process that consists of many steps to attain a certain goal
• Managers assign people.
• Leadership is a practice that involves influencing people to unite and take those steps to attains such goals
• Leaders align people.
3 Managers motivate, leaders inspire
• Managers use motivation
• They influence or force people to do the things they are supposed
to do, whether they like it or not, using a reward system
• Managers influence people from the outside.
• Leaders use inspiration – they influence or inspire people to do
the things they love to do using voluntarism.
• They practice self-leadership
• Leaders influence people from the inside.
4 Managers are reactive; while leaders are
proactive Managers innovate by adapting to change. Leaders innovate by creating change.
5 Managers minimise risks, leaders take
risks
• Managers are more focused on stability
• Managers are cautious.
• Leaders are more focused on creating a great change
• Leaders are curious.
6 Managers are timely, leaders are timeless
• Managers are more concerned about efficiency
• They follow deadlines & achievement of several short-term goals
• Managers must win a series of battles.
• Leaders are more concerned about integrity.
• They follow a goal
• Leaders must win the whole war.
7 Managers control; leaders serve • Managers take authority – they act as bosses
• Management is based on power and sharpness.
• Leaders take duty – they act as servants
• Leadership is based on humility and gentleness.
8 Managers transform a business; leaders
transform people Management is more concerned about the success of a business.
Leadership is more concerned about the success of the people inside
and out of the business.
9 Managers have sub-ordinates; leaders
have peers
Management ensures that every person in the organisation is well-
placed according to his position and authority.
Leadership ensures that every person enjoys equal treatment
regardless of his position or authority.
Every leader can be a manager;
but not every manager can be a
leader…
12
TD54 (V4)
Aspect Manager Leader
10 Managers administer people; leaders
empower them
Managers oversee their subordinates to see to it that they are doing
their jobs the way they want to be done or according to the
organisational blueprint.
Leaders develop their followers personally, trust them, and let them
work independently.
11 Managers hire and fire employees;
leaders welcome and keep friends Management is more about keeping the business alive. Leadership is more about keeping the relationships alive.
12 Managers do what is right, leaders do the
right thing Managers do the things that are generally acceptable or status quo.
Leaders do things based on his belief or convictions and they may
challenge or break what is generally acceptable.
13 Managers fulfil expectations; leaders
make a surprise
Managers give due punishment, while leaders can forgive and forget.
Managers give due credit or rewards to their subordinates.
Leaders give grace (rewards beyond what people deserve) to their
followers.
14 Managers focus on measurable things;
leaders focus on immeasurable things Managers are transactional and economical. Leaders are spiritual or immaterial.
15 Managers are specific; leaders are holistic Managers are more detailed persons. Leaders are more inclined to the big picture.
16 Managers rely on intelligence; leaders
rely on pure will
Management comes from the brain, probability, logic and common
sense.
Leadership comes from the heart, soul possibility, hope, faith and
love.
17 Managers explain, leaders prove Managers give more knowledge and choices. Leaders give more experiences and realisations.
18 Managers plan, leaders create a vision Managers are strategic, tactical and technical. They show the direction and are more focused on creating steps and procedures.
Leaders are deeper, broader and more focused on the ultimate things.
They show the destination and are more focused on objectives and
goals.
19 Managers expect result; leaders expect
growth Management is more about getting things done.
Leadership is more about getting the people, who get things done,
grow.
20 Managers can resign and retire, leaders
consider their job as a lifetime mission.
Management is a temporary job – its existence depends on the life of a
business, organisation or occupation. Leadership is a permanent job – its existence depends on one’s life.
Use the cards provided by the facilitator to distinguish between leaders and managers. 1
13
TD54 (V4)
Principle 3: Engagement of people
An interesting fact from a study performed in the US indicates that staff may not be engaged at all:
• Ensure that people’s abilities are used and valued
• Make people accountable
• Enable participation in continual improvement
• Evaluate individual performance
• Enable learning and knowledge sharing
• Enable open discussion of problems, constraints
This requires:
• Training in the skills necessary to carry out the additional responsibilities.
• Access to information on which decisions can be made.
• Initiative and confidence on the part of the employee to take on greater responsibility.
A good reference on employee engagement can be found at http://www.snacknation.com/blog/employee-
engagement-ideas/ for “59 employee engagement ideas you need to know about”.
It is essential for the organisation that all
people are competent,
empowered and engaged
in delivering value.
Competent, empowered
and engaged people
throughout the
organisation enhance its
capability to create
value.
45 % are NOT
engaged
26 % are
ACTIVELY
DISENGAGED
29 % of the
workforce is
ENGAGED
http://www.snacknation.com/blog/employee-engagement-ideas/http://www.snacknation.com/blog/employee-engagement-ideas/
14
TD54 (V4)
Principle 4: Process approach
• Manage activities as processes
• Measure the capability of activities
• Identify links between activities
• Prioritise improvement opportunities
• Deploy resources effectively
There are various processes in an organisation.
By identifying and controlling the inputs, providing adequate resources and applying suitable control methods, the desired output should be
achieved.
Value chains are activities that are directly linked to customer value. Integration of the value chain is essential to ensure
that the organisation’s desired outcomes can be reached. Each silo can impoverish the result by not delivering exactly
what the next silo in the chain requires.
An organisation is often seen in a functional view and processes are defined as functions – e.g. sales, marketing,
manufacturing, distribution, operations, systems, finance, legal, etc. However – business processes are streams of activities that flow across functional boundaries. This is
often why business processes are fragmented, functional silos. If organisations wish to remain competitive, they need to reduce the complexities resulting from widely dispersed
and often disparate business processes.
Staff should be given the opportunity to study their work in the context of the larger business process that their function supports. The methodology used to identify, derive
or create business processes will vary with the organisation’s size, industry and culture.
Organisations should move their view from functions to processes as indicated in the diagram:
Consistent and predictable results are achieved more effectively and efficiently when
activities are understood and managed as
interrelated processes that function as a
coherent system.
A process is any activity that transforms inputs into
outputs using resources and being subject to specific
controls
Process
Inputs, e.g.
materials
Resources, e.g.
equipment, staff
Outputs, e.g.
product, service, waste
Controls, eg measure-
ments, methods,
environment
There is little
chance of success
for a relay team
suffering from Silo
mentality
15
TD54 (V4)
Functional designs are:
Process designs are:
From this...
To this...
Inbound Logistics Quality HR Engineering Maintenance Distribution
Design Make Deliver
There is an urgent need to
transform people’s perception
of their role in the organisation,
because the simple fact is that
individual high performing
managers or even departments
do not by themselves create a
highly successful organisation.
16
TD54 (V4)
Principle 5: Improvement
• Improve organizational performance and capabilities
• Align improvement activities to objectives & expectations
• Empower people to make improvements
• Measure improvement consistently
• Celebrate improvements
Principle 6: Evidence-based decision making
Ensure the accessibility of accurate and reliable data
Use appropriate methods to analyse data
Make decisions based on analysis
Balance data analysis with practical experience.
Principle 7: Relationship management
• Identify and select suppliers to manage costs, optimise resources, and create value
• Establish relationships considering both the short and long term with all interested parties
• Share expertise, resources, information, and plans with partners
• Collaborate on improvement and development activities
Successful organi-
sations have an
ongoing focus on
improvement.
Decisions based on the analysis
and evaluation of data and information are more likely to
produce desired results.
For sustained success, organisations manage their relationships with
interested parties, such as suppliers.
17
TD54 (V4)
2.1 Understanding the organisation and its context
This is a new requirement (clause 4.1):
The company should determine internal and external issues relevant to its purpose and those that could affect is ability to achieve the intended results of the food safety management system.
Such information can include:
Module 2 Key changes to the ISO 22000 Standard – clause 4:
Context of the organisation
The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended result(s) of its food safety management system.
The organisation shall identify, review and update information related to these external and internal issues.
NOTE 1: Issues can include positive and negative factors or conditions for consideration.
NOTE 2: Understanding the context can be facilitated by considering external and internal issues, including but not limited to legal, technological, competitive, market, cultural, social, economic
environments, cybersecurity and food fraud, food defence and intentional contamination, knowledge and performance of the organisation, whether international, national, regional or local.
Internal
•Corporate culture
•Governance
•Organisational structure
•Technologies
•Information systems & decision-making processes (both formal & informal)
•Intentional contamination
External
•Cultural
•Social
•Political
•Legal
•Regulatory
•Financial
•Technological
•Economic & competitive environment at international, national, regional or local level
•Food fraud, food defence, intentional contamination
18
TD54 (V4)
2.2 Understanding the needs & expectations of interested parties
This is a new requirement (clause 4.2):
Interested party Needs & expectations
Customers and/or
consumers
Employees
Shareholders/owners
Suppliers & partners
Government, society and
non-government
organisations
2.3 Determining the scope of the food safety management system
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
4.1
The organisation shall define the scope of
the food safety management system. The
scope shall specify the products or product
categories, processes and production sites that are addressed by the food safety
management system.
4.3
The organisation shall determine the boundaries and applicability of the FSMS to establish its scope. The scope
shall specify the products and services, processes and production site(s) that are included in the FSMS. The scope shall
include activities, processes, products or services that can have an influence on the food safety of its end
products.
When determining this scope, the organisation shall consider: a) The external and internal issues referred to in 4.1;
b) The requirements referred to in 4.2.
The scope shall be available and maintained as documented information.
To ensure that the organisation has the ability to
consistently provide products and services that meet
applicable statutory, regulatory and customer
requirements with regard to food safety, the organisation
shall determine:
a) The interested parties that are relevant to the FSMS;
b) The relevant requirements of the interested parties
of the FSMS.
The organisation shall identify, review and update
information related to the interested parties and their
requirements.
Provide examples of needs and expectations of the listed interested parties.
2
19
TD54 (V4)
2.4 Food safety management system
ISO9001:2008 ISO 22000:2018
Clause Description Clause Description
4.1 The organisation shall establish, document, implement and
maintain an effective FSMS and update it when necessary
in accordance with the requirements of this International
Standard.
4.4 The organisation shall establish, implement, maintain, update and continually improve a FSMS,
including the processes needed and their interactions, in accordance with the requirements of this
document.
An example is provided-
Customer/ client R&D processSourcing process
Procurement process
Receiving process
Manufacturing process
Dispatch & delivery
processes
Marketing & sales processes
Value chain processes
Finance process QC & QA process Engineering process HR processRegulatory & legal
processes
Data management & communication
processes
Support processes
20
TD54 (V4)
3.1 Leadership & commitment
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
5.1
Management commitment
Top management shall provide evidence of its
commitment to the development &
implementation of the FSMS & continually
improving its effectiveness by
a) Showing food safety is supported by the business objectives of the organisation
b) Communicating to the organisation the
importance of meeting the requirements of
this International Standard, any statutory
& regulatory requirements, as well as
customer requirements relating to food
safety
c) Establish the food safety policy
d) Conducting management reviews and
e) Ensuring the availability of resources.
5.1
5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the FSMS:
a) Ensuring that the food safety policy and the objectives of the FSMS are established and are compatible
with the strategic direction of the organisation;
b) Ensuring the integration of the FSMS requirements into the organisation’s business processes;
c) Ensuring that the resources needed for the FSMS are available;
d) Communicating the importance of effective food safety management and of conforming to the FSMS
requirements, applicable statutory and regulatory requirements, and mutually agreed customer requirements
related to food safety;
e) Ensuring that the FSMS is evaluated and maintained to achieve its intended results;
f) Directing and supporting persons to contribute to the effectiveness of the FSMS;
g) Promoting continual improvement; h) Supporting other relevant management roles to demonstrate their leadership as it applies to their
areas of responsibility.
NOTE: Reference to “business” in this document can be interpreted broadly to mean those activities that
are core to the purposes of the organisation’s existence.
Module 3 Key changes to the ISO 22000 Standard –
clause 5: Leadership
Identify how management can demonstrate leadership and commitment to the FSMS in practical ways.
3
21
TD54 (V4)
3.2 Policy
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
5.2
Top management shall ensure that
the food safety policy
a) Is appropriate to role of the
organisation in the food chain b) Conforms with both statutory
and regulatory requirements and
with mutually agreed food safety
requirements of customers;
c) Is communicated, implemented
& maintained at all levels of the
organisation
d) Is reviewed for continuing
suitability e) Adequately addresses
communication, and
f) Is supported by measurable
objectives.
5.2.1 &
5.2.2
5.2.1 Establishing the food safety policy
Top management shall establish, implement and maintain a food safety policy that:
a) Is appropriate to the purpose and context of the organisation;
b) Provides a framework for setting and reviewing the objectives of the FSMS;
c) Includes a commitment to satisfy applicable food safety requirements including statutory and regulatory requirements
and mutually agreed customer requirements related to food safety;
d) Addresses internal and external communication;
e) Includes a commitment to continual improvement of the FSMS;
f) Addresses the need to ensure competencies related to food safety.
5.2.2 Communicating the food safety policy
The food safety policy shall:
a) Be available and maintained as documented information;
b) Be communicated, understood and applied at all levels within the organisation;
c) Be available to relevant interested parties as appropriate.
22
TD54 (V4)
3.3 Organisational roles, responsibilities & authorities
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
5.4 &
5.5
5.5.1 Responsibility & authority
Top management shall ensure that responsibilities & authorities are defined & communicated within the organisation to ensure the
effective operation and maintenance of the FSMS.
5.5.2 Food safety team leader
Top management shall appoint a food safety team leader, who,
irrespective of other responsibilities, shall have responsibility &
authority
a) To manage a food safety team and organise its work
b) To ensure relevant training & education of the food safety team members
c) To ensure that the FSMS is established, implemented, maintained
& updated and,
d) To report to the organisation’s top management on the
effectiveness & suitability of the FSMS.
5.4 All personnel shall have responsibility to report problems with the
FSMS to identified person(s). Designated personnel shall have defined
responsibility and authority to initiate and record actions.
5.3
5.3.1 Top management shall ensure that the responsibilities and authorities for relevant roles
are assigned, communicated and understood within the organisation.
Top management shall assign the responsibility and authority for:
a) Ensuring that the FSMS conforms to the requirements of this document; b) Reporting on the performance of the FSMS to top management;
c) Appointing the food safety team and the food safety team leader;
d) Designating persons with defined responsibility and authority to initiate and
document action(s).
5.3.2 The food safety team leader shall be responsible for:
a) Ensuring the FSMS is established, implemented, maintained and updated;
b) Managing and organising the work of the food safety team;
c) Ensuring relevant training and competencies for the food safety team (7.2);
d) Reporting to top management on the effectiveness and suitability of the FSMS.
All persons shall have the responsibility to report problem(s) with regards to the FSMS to identified
person(s).
23
TD54 (V4)
4.1 Actions to address risks and opportunities
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
5.4.2
Top management
shall ensure that
a) Planning of the
FSMS is carried out in order to
meet the re-
quirements gi-
ven in 4.1, as
well as the
objectives of
the organi-
sation that
support food safety, and
b) The integrity of
the FSMS is
maintained
when changes
to the FSMS are
planned &
implemented.
6.1
6.1.1 When planning for the FSMS, the organisation shall consider the issues referred to in 4.1 and the requirements referred
to in 4.2 and 4.3 and determine the risks and opportunities that need to be addressed to:
a) Give assurance that the FSMS can achieve its intended result(s);
b) Enhance desirable effects;
c) Prevent, or reduce, undesired effects;
d) Achieve continual improvement.
NOTE: In the context of this document, the concept of risks and opportunities is limited to events and their consequences relating
to the performance and effectiveness of the FSMS. Public authorities are responsible for addressing public health risks. Organisations are required to manage food safety hazards (3.22) and the requirements related to this process are laid down in
clause 8.
6.1.2 The organisation shall plan:
a) Actions to address these risks and opportunities;
b) How to:
1) Integrate and implement the actions into its FSMS processes;
2) Evaluate the effectiveness of these actions.
6.1.3 The actions taken by the organisation to address risks and opportunities shall be proportionate to:
a) The impact on food safety requirements;
b) The conformity of food products and services to customers;
c) Requirements of interested parties in the food chain.
NOTE 1: Actions to address risks and opportunities can include: avoiding risk, taking risk in order to pursue an opportunity,
eliminating the risk source, changing the likelihood or consequences, sharing the risk, or accepting the presence of risk by
informed decision.
NOTE 2: Opportunities can lead to the adoption of new practices (modification of products or processes), using new technology
and other desirable and viable possibilities to address the food safety needs of the organisation or its customers.
Module 4 Key changes to the ISO 22000 Standard –
clause 6: Planning
24
TD54 (V4)
ISO 22000 requires that the organisation must understand its context and determine risks and opportunities as a basis for planning of the food safety management
system. In essence, the food safety management system is a preventive tool. Risk is defined as the effect of uncertainty. An uncertainty can have positive or
negative effects. The Standard requires that the organisation plans and implements actions that will address risks and opportunities.
In the context of ISO 22000, risks and opportunities are focused on events and their consequences relating to the performance and effectiveness of the food
safety management system. A formal methodology for risk assessment was not provided by ISO 22000. ISO31000 (Risk management – principles & guidelines)
and ISO31010 (Risk management – risk assessment techniques) can be used as guidance.
4.1.1 Why is managing risk important?
When an organisation adopts a risk-based approach, it becomes proactive rather than reactive, preventing or reducing undesired effects and promoting continual improvement. Risk is embedded in
all processes and activities of an organisation. Risk must be understood and mitigated to achieve the objectives of the FSMS.
4.1.2 What should be done?
The Standard requires that an organisation must be able to demonstrate that risk-based thinking was applied:
4.1.3 Risk management process
The risk management process should be an integral part of management that is embedded in the culture and practices of the organisation and tailored to the business processes of the organisation.
In this section, 3 steps of risk management will be discussed, as outlined in the diagram:
Effect of uncertainty OR a deviation from the
expected (positive or negative)
Identify risks and opportunities -depending on the context of the
organisation.
Analyse and prioritise risks and opportunities. What is acceptable and what is not?
Plan actions to address risks. How can risk be avoided, eliminated or
mitigated?
Implement the plan by taking the necessary
actions.
Check the effectiveness of the actions. Does it work? Audit the approach, learn from experience &
improve
25
TD54 (V4)
Establish the context
Risk identification
Risk analysis
Risk evaluation
Risk treatment
Com
munic
ation &
consultation
Monitoring &
revie
w
Risk assessment
1
2
3
2.1
2.2
2.3
26
TD54 (V4)
• Step 1: Establish the context
The organisation must understand both the external and internal context as a basis for the development of the risk assessment. The following steps are required:
Identify the relevant stakeholders that are involved in or impacted by the organisation.
Identify internal and/or external environmental factors that may influence the way in which risk will be managed.
The following considerations may be important:
• Step 2: Risk assessment
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
Various models and techniques may be used for risk assessment. The organisation should adapt a model and work with that model. Risk assessment is an iterative (repetitive) process that must
respond to change.
• Step 2.1: Risk identification
The organisation should identify the sources of risk, areas of impacts, events (including changes in circumstances) and their causes and potential consequences. A comprehensive list of risks must
be generated that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. When an opportunity is not pursued, this may also be a risk! Typical considerations
during risk identification are listed:
What could happen: What might go wrong, or what might prevent the achievement of the relevant objectives? What events or occurrences could threaten the intended outcomes?
How could it happen: Is the risk likely to occur at all or happen again? If so, what could cause the risk event to recur or contribute to it happening again?
Where could it happen: Is the risk likely to occur anywhere? Or is it a risk that is dependent on a location, physical area or activity?
Why might it happen: Which factors would need to be present for the risk to happen or occur again? Understanding why a risk might occur or be repeated is important if the risk must be
managed.
External context
•Social & cultural, political, legal, regulatory, financial, technological, economic,natural & competitive environment (international, national, regional/local),
•Key drivers & trends having an impact on the objectives of the organisation
•Relationships with, perceptions & values of external stakeholders.
Internal context
•Governance, organisational structure, roles & accountabilities,
•Policies, objectives & strategies to achieve these
•Capabilities, understood in terms of resources & knowledge (e.g. capital, time, people, processes,systems & technologies)
•Relationships with & perceptions & values of internal stakeholders and organisational culture
•IT systems, information flows & decision making processes,
•Standards, guidelines & models adopted by the organisation
•Form and extent of contractual relationships
27
TD54 (V4)
What might be the impact: If the risk were to occur, what impact or consequences would, or might this have? Will the impact be felt only in certain areas/departments, or will it impact the
entire organisation? Areas of impact to consider include: human impact, financial consequences, compromises to legal or contract compliance, adverse impact on brand and reputation for
failure to meet or achieve strategic objectives.
Who does or can influence the food safety management system or changes to it? How much is within the organisation’s control or influence? Make sure that those who control,
and influence are at least informed, if not actively involved.
• Step 2.2: Risk analysis
Risk analysis evaluates the likelihood and severity of the consequences of risk. Existing controls should be determined to
mitigate the impact of the current risk. Controls may be strong or weak and can include aspects such as legislation, policies and procedures, staff training, segregation of duties, personal protective
measures and equipment and structural or physical barriers. The effectiveness of controls should further be considered.
The assessment of likelihood and consequence is mostly subjective but can be supported by data or information that is available within the organisation, audits, inspections, personal experience,
corporate knowledge, knowledge of previous events, data generated by surveys and other internal and external information.
Assess the likelihood
An example of a model that can be used for assessing the likelihood of a risk is provided:
Score Description
A Almost certain Highly likely to happen, possibly frequently
B Likely Will probably happen, but not a persistent issue
C Possible May happen occasionally and in foreseeable future
D Unlikely Not expected to happen, but is a possibility
E Rare Very unlikely this will ever happen (only in exceptional circumstances)
Controls do not always require something special.
Often, controls are already present as a natural part of the
management of an issue or area or it can be embedded into
normal management practices.
28
TD54 (V4)
Assess the severity of the consequence
An example of the model that can be used for assessing the consequence is provided:
Score Generic impact
description
Area of impact – description of consequence
Supply chain Human Brand reputation Finance Compliance
5 Extreme
Event or circumstance
with potentially
disastrous impact on
business or significant material adversely
impacted in a key area
• Huge loss in raw material
and/or final products
• Irreparable impact on
relationship with
suppliers and/or cus-
tomers
• Serious harm or death
• Loss of significant number of
people
• Staff/employee industrial
action
• Loss of significant number of
key staff impacting on skills,
knowledge & expertise
• Long-term damage to
reputation
• Sustained negative
media attention
• Brand or image
nationally or
internationally affected
• Recall
• Huge financial loss
• Significant budget
overrun with no capacity
to adjust within existing
budget or resources
• May attract adverse
findings from external
regulators or auditors
• Serious breach of contract
or legislation
• Significant prosecution &
fines likely
• Potential for litigation
including class actions
• Suspension of certificate
4 Major
Critical event or
circumstance that can
be endured with proper management
• Significant loss in raw
material and/or final
products
• Serious long-term
damage to supplier
and/or customer
relationships
• Serious harm and/or recall
• Threat of industrial action
• Loss of some key staff
resulting in skills, knowledge &
expertise deficits
• Sustained damage to
brand, image or
reputation nationally or
internationally
• Adverse national or
local media coverage
• Major financial loss
• Requires significant
adjustment to approved
or funded projects/
programmes
• Major breach of contract,
regulatory or statutory
requirements
• Expected to attract
regulatory attention
• Investigation, prosecution
and/or major fine possible
3 Moderate
Significant event or
circumstance that can
be managed under normal circumstances
• Significant loss or
reduction of raw material
or final product
• Significant but short-term
damage to supplier
and/or customer relation-
ships
• Potential recall
• Severe staff morale issues or
increase in workforce
absenteeism
• Short-term loss of skills,
knowledge & expertise
• Employee dissatisfaction
• Significant but short-
term damage to
reputation
• Stakeholder concerns
• Sustained or prominent
local media coverage
• Significant financial loss
• Impact may be reduced
by reallocating resources
• Significant breach of
contract, regulatory or
statutory requirements
• Potential for regulatory
action or suspension of
certificate
2 Minor
Event with consequences that
can be readily
absorbed but requires
management effort to minimise the impact
Moderate reduction in raw
material and/or final products
• Health implications
• Potential for liability claims
• Some loss of staff members
with tolerable loss
• Dialogue required with
industrial groups
• Some short-term
negative media
coverage
• Concerns raised by
stakeholders
• Some financial loss
• Requires monitoring &
possible corrective action
within existing resources
• Minor non-compliances or
breaches of contract,
regulatory or statutory
requirements
• May result in infringement
notice
1 Insignificant
Some loss, but not
material; existing controls and
procedures should be
able to cope with
event or circumstance
Minor reduction in raw material
and/or final product
• Complaint without minor
health implication
• Negligible skills or knowledge
loss
• Dialogue with industrial
groups may be required
Minor damage to brand,
image or reputation
Unlikely to impact on the
budget
Unlikely to result in adverse
regulatory response or action
29
TD54 (V4)
Rate the risk level
A model (risk matrix) can be developed to combine likelihood and consequence level of risks to determine the significance of the risk.
Consequence
Likelihood
1 2 3 4 5
Insignificant Minor Moderate Major Extreme
A Almost certain (frequent) M M H E E
B Likely (probable) L M H H E
C Possible (occasional) L M M H H
D Unlikely (uncommon) L L M M H
E Rare (remote) L L L L M
• Step 2.3: Risk evaluation
The purpose of risk evaluation is to assist with decision making as to whether a risk should be treated and the priority for the treatment. Whether a risk is acceptable or unacceptable depends on
the risk appetite. The following model can be used:
Risk Action
Extreme Immediate attention & response needed, risk assessment & management plan must be prepared
High Risk to be given appropriate attention & demonstrably managed
Medium Determine whether current controls are adequate or if further action or treatment is needed, monitor and review locally, e.g. through regular business practices or local area
meetings
Low Manage by routine procedures, report to local managers, monitor & review locally as necessary
30
TD54 (V4)
• Step 3: Risk treatment
Risk treatment involves the selection of one or more options for modifying risks and subsequent implementation of the treatment option. Treatment options not applied to the source or root cause
of a risk are likely to be ineffective and promote a false belief within the organisation that the risk is controlled.
It could be decided that specific treatment is necessary or that the risk can be adequately treated with standard management procedures and activities where it is embedded into the daily practices
or processes. It is advisable to modify existing standard practices to ensure control.
A risk may be acceptable or tolerable in the following circumstances:
No treatment is available
Treatment costs are prohibitive (especially relevant to lower ranked risks)
The level of risk is low and does not warrant using resources to treat it
The opportunities involved significantly outweigh the threats.
The organisation must determine what the goal is in treating the risk – whether it is to avoid it completely, reduce the likelihood or
consequence, transfer the risk (to someone else such as an insurer or contractor) or accept the level of risk. The type of risk treatment
chosen will depend on the nature of the risk and the tolerance for that risk.
If the goal is to reduce the likelihood or possibility of the risk, it could require modifying the approach to the activity by identifying
the causes of the threat and the links between the threat and its impact. If it is not possible to change the approach of the project or
activity, it may be possible to take other intervening actions that will mitigate the event from occurring or reduce the likelihood of the threat.
If the goal is to reduce the consequence or impact of the risk, contingency plans might be required to respond to a threatening event if it occurs. This planning may be performed in
combination with other controls, e.g. even if steps have been taken to minimise the likelihood of the risk, it may still be worthwhile to have a plan in place to reduce the consequences if the
event actually occurs.
If the goal is to share the risk, involving another party such as an insurer or contactor may help. Risk can be shared contractually, by agreement and in a variety of ways that meet all
parties’ needs. Sharing the risk does not remove the obligations of the organisation if something unexpected happens.
If the goal is to eliminate or avoid the risk altogether, the options are limited to changing the project, choosing alternative approaches or processes to render the risk irrelevant or
abandoning the activity. It is not often that a risk can be completely eliminated, and balance is an important part of the risk assessment exercise.
If a decision is made to accept or tolerate the risk, thought should be given to contingency planning to deal with and reduce the consequences, should they arise.
Treatment options
Avoid risk by not starting or continuing an
activity
Take or increase risk to pursue an opportunity
Remove the risk source Change the likelihood
Change the consequence
Share the risk, e.g. through insurance,
contracts, financing
Retain the risk by informed decision (accept
the risk)
Actively treat the risk
31
TD54 (V4)
Once the treatment options have been identified, a risk treatment plan must be prepared that should include:
The reasons for selection of treatment options, including expected benefits to be gained
Those who are accountable for approving the plan
Those who are responsible for implementing the plan
Proposed actions
Resource requirements including contingencies
Performance measures and constraints
Reporting and monitoring requirements and
Timing and schedule.
Treatment plans should clearly identify the priority order in which individual risk treatments should be implemented and should be integrated with
the management processes of the organisation. They should be discussed with appropriate stakeholders. Monitoring must be an integral part of the
risk treatment plan to give assurance that the measures remain effective.
Once any options requiring authorisation for resourcing, funding or other actions have been approved, treatments should be implemented by those identified as having the responsibility to do so.
Finally, monitoring and review is part of the risk management process and responsibilities for these should be clearly defined.
4.1.4 Risk-based thinking…in conclusion
• Is not something new
• Is something that is done by organisations already
• Is an ongoing process
• Ensures greater knowledge of risks and improves
preparedness
• Increases the probability of reaching objectives
• Reduces the probability of negative results
• Makes prevention a habit
• Risk-based thinking is not restricted to management
– it must become an integral part of the
organisational culture
The following template can be used for to summarise risks in the business:
Risk description Existing
controls Impact score
Likelihood
score Level of risk
Additional controls
(treatment) required
Responsibility (for
additional controls)
Due date (for additional
controls)
32
TD54 (V4)
4.2 Objectives of the food safety management system and planning to achieve them
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
5.2
Top management
shall ensure that
the food safety
policy is sup-
ported by mea-
surable objec-tives.
6.2
6.2 Objectives of the food safety management system and planning to achieve them
6.2.1 The organisation shall establish objectives for the FSMS at relevant functions and levels.
The objectives of the FSMS shall:
a) Be consistent with the food safety policy;
b) Be measurable (if practicable);
c) Take into account applicable food safety requirements including statutory, regulatory and customer requirements;
d) Be monitored and verified;
e) Be communicated;
f) Be maintained and updated as appropriate.
The organisation shall retain documented information on the objectives for the FSMS.
6.2.2 When planning how to achieve its objectives for the FSMS, the organisation shall determine:
a) What will be done;
b) What resources will be required;
c) Who will be responsible;
d) When it will be completed;
e) How the results will be evaluated.
A food safety management system must be designed within the context of the organisation. The diagram identifies how different aspects fit together:
33
TD54 (V4)
FSMS
Measurable objectives
Food safety policy
Strategic direction of the
organisation
Internal & external issues Needs & expectations of
interested parties Risks & opportunities
34
TD54 (V4)
It is important to ensure that objectives are set in a balanced manner – as required by the Standard, at relevant FUNCTIONS, LEVELS
and PROCESSES. To explain the balanced approach to measurable objectives, information from Drs Kaplan and Norton is provided:
An outline of the balanced scorecard concept is provided:
Financial Customer
Learning & growth Internal Business Processes
Many things are measurable.
That does not make them key
to organisational success “The balanced scorecard retains traditional financial measures. But financial measures tell the story of past events, an adequate story for industrial age companies for which investments in long-term capabilities and customer relationships were not critical for
success. These financial measures are inadequate, however, for guiding and evaluating the journey that information age
companies must make to create future value through investment in customers, suppliers, employees, processes, technology and
innovation.”
Drs Kaplan & Norton
Provide examples of food safety objectives in each category. 4
FINANCIAL
To succeed financially, how should we appear to our shareholders?
CUSTOMER
To achieve our vision, how should we appear
to our customers?
LEARNING & GROWTH
To achieve our vision, how will we sustain our ability to change
& improve?
INTERNAL BUSINESS
PROCESSES
To satisfy our shareholders and customers, what
business processes must we excel at?
35
TD54 (V4)
The following table could be useful to summarise the objectives:
Objective Actions to be taken Resources required Responsibility Due date Evaluation method
1
2
4.3 Planning of changes
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
5.3
Top management shall ensure that
a) planning of the food safety management system is carried out to meet
requirements given in 4.1 as well as the objectives of the organization that
support food safety, and
b) the integrity of the food safety management system is maintained when
changes to the food safety management system are planned and
implemented.
6.3
When the organisation determines the need for changes to the FSMS, including personnel changes, the changes shall be carried out and communicated in a
planned manner. The organisation shall consider:
a) the purpose of the changes and their potential consequences;
b) the continued integrity of the FSMS;
c) the availability of resources to effectively implement the changes;
d) the allocation or re-allocation of responsibilities and authorities.
Change management is addressed in the following clauses:
Clause 6.3: FSMS changes and personnel changes to be performed and communicated in a timely manner.
Clause 7.4.3: Specific changes (a-m), timely communication of changes to the FS team to ensure updating of the system.
Clause 7.5.3: Version control when document changes are made.
Clause 8.1: Control of planned changes to operations and review of the consequences of unintended changes.
Clause 8.5.3: Re-validation when control measures (OPRPs/CCPs) change.
Clause 8.7: Authorisation, documentation and re-validation, before implementation of changes related to monitoring and
measuring equipment.
Clause 9.2: Consideration of changes in the FSMS when reviewing the internal audit programme and vice versa.
Clause 9.3.2: Including changes in external and internal issues and changes in the organisation and its context in management review.
Clause 10.1: Make changes to the FSMS after nonconformity and corrective actions where necessary.
Prior to making a change: consider
unintended consequences After the change: monitor the change to
determine its effectiveness & identify any
additional problems that might be created
36
TD54 (V4)
Changes can cause chaos if they are not carefully planned. The following considerations are required:
Consequences of the change
Likelihood of the consequence
Impact on customers
Impact on interested parties
Impact on food safety objectives
Effectiveness of processes that are part of the FSMS
Forum Frequency Persons responsible for providing information and
participating/attending Topics/changes covered
Which forums can be used in an organisation to ensure that the integrity of the system can be maintained when changes are planned and implemented? 5
37
TD54 (V4)
5.1 Resources
5.1.1 General
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
6.1
The organization shall provide adequate resources
for the establishment, implementation,
maintenance and updating of the food safety
management system.
7.1.1
The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance, update and continual improvement of the FSMS.
The organisation shall consider:
a) The capability of, and any constraints on, existing internal resources;
b) The need for external resources.
5.1.2 People
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
6.2.1
The food safety team and the other personnel carrying out activities having
an impact on food safety shall be competent and shall have appropriate
education, training, skills and experience.
Where the assistance of external experts is required for the development,
implementation, operation or assessment of the food safety management
system, records of agreement or contracts defining the responsibility and authority of external experts shall be available.
7.1.2
The organisation shall ensure that persons necessary to operate and maintain an
effective FSMS (see 7.2).
Where the assistance of external experts is used for the development, implementation,
operation or assessment of the FSMS, evidence of agreement or contracts defining the
competency, responsibility and authority of external experts shall be retained as
documented information.
Module 5 Key changes to the ISO 22000 Standard –
clause 7: Support
38
TD54 (V4)
5.1.3 Infrastructure
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
6.3
The organization shall provide the
resources for the establishment and
maintenance of the infrastructure needed
to implement the requirements of this
International Standard.
7.1.3
The organisation shall provide the resources for the determination, establishment and maintenance of the infrastructure
necessary to achieve conformity with the requirements of the FSMS.
NOTE: Infrastructure can include:
• Land, vessels, buildings and associated utilities; • Equipment, including hardware and software;
• Transportation;
• Information and communication technology.
5.1.4 Work environment
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
6.4
The organization shall provide the
resources for the establishment,
management and maintenance of
the work environment needed to
implement the requirements of
this International Standard.
7.1.4
The organisation shall determine, provide and maintain the resources for the establishment, management and maintenance of
the work environment necessary to achieve conformity with the requirements of the FSMS.
NOTE: A suitable environment can be a combination of human and physical factors such as:
a) social (e.g. non-discriminatory, calm, non-confrontational);
b) psychological (e.g. stress-reducing, burnout prevention, emotionally protective);
c) physical (e.g. temperature, heat, humidity, light, air flow, hygiene, noise).
These factors can differ substantially depending on the products and services provided.
5.1.5 Externally developed elements of the food safety management system
This is a new requirement (clause 7.1.5):
When an organisation establishes, maintains, updates and continually improves its FSMS by using externally developed elements of a FSMS, including PRPs, the hazard analysis and hazard
control plan (see 8.5.4), the organisation shall ensure that the provided elements are:
a) Developed in conformance with requirements of this document;
b) Applicable to the sites, processes and products of the organisation;
c) Specifically adapted to the processes and products of the organisation by the food safety team;
d) Implemented, maintained and updated as required by this document; and
e) Retained as documented information.
39
TD54 (V4)
5.1.6 Control of externally provided processes, products or services
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
4.1
7.2.3 f
Where an organization chooses to outsource any process that may affect end
product conformity, the organization shall ensure control over such processes.
Control of such outsourced processes shall be identified and documented within
the food safety management system.
The organization shall consider the following when establishing these
programmes:
management of purchased materials (e.g. raw materials, ingredients, chemicals
and packaging), supplies (e.g. water, air, steam and ice), disposals (e.g. waste and sewage) and handling of products (e.g. storage and transportation);
7.1.6
The organisation shall:
a) Establish and apply criteria for the evaluation, selection, monitoring of
performance, and re-evaluation of external providers of processes,
products and/or services; b) Ensure adequate communication of requirements to the external
provider(s);
c) Ensure that externally provided processes, products or services do not
adversely affect the organisation’s ability to consistently meet the
requirements of the FSMS;
d) Retain documented information of these activities and any necessary
actions as a result of the evaluations and re-evaluations.
5.2 Competence
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
6.2.2 &
7.3.2
6.2.2 The organization shall
a) identify the necessary competencies for personnel whose activities have an impact
on food safety,
b) provide training or take other action to ensure personnel have the necessary
competencies, c) ensure that personnel responsible for monitoring, corrections and corrective
actions of the food safety management system are trained,
d) evaluate the implementation and the effectiveness of a), b) and c),
e) ensure that the personnel are aware of the relevance and importance of their
individual activities in contributing to food safety,
f) ensure that the requirement for effective communication (see 5.6) is understood
by all personnel whose activities have an impact on food safety, and
g) maintain appropriate records of training and actions described in b) and c).
7.3.2 A food safety team shall be appointed.
The food safety team shall have a combination of multi-disciplinary knowledge and
experience in developing and implementing the food safety management system. This
includes, but need not be limited to, the organisation’s products, processes, equipment
and food safety hazards within the scope of the food safety management system.
Records shall be maintained that demonstrate that the food safety team has the
required knowledge and experience.
7.2
The organisation shall:
a) Determine the necessary competence of person(s), including external
providers, doing work under its control that affects its food safety
performance and effectiveness of the FSMS;
b) Ensure that these persons, including the food safety team and those
responsible for the operation of the hazard control plan, are competent
on the basis of appropriate education, training and/or experience. c) Ensure that the food safety team has a combination of multi-disciplinary
knowledge and experience in developing and implementing the FSMS,
including, but not limited to the organisation’s products, processes,
equipment and food safety hazards within the scope of the FSMS;
d) Where applicable, take actions to acquire the necessary competence, and
evaluate the effectiveness of the actions taken;
e) Retain appropriate documented information as evidence of competence.
NOTE: Applicable actions can include, for example, the provision of
training to, the mentoring of, or the re-assignment of currently employed persons; or the hiring or contracting of competent persons.
40
TD54 (V4)
5.3 Awareness
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
6.2.2
The organization shall
a) identify the necessary competencies for personnel whose activities have an impact on food safety,
b) provide training or take other action to ensure personnel have the necessary competencies, c) ensure that personnel responsible for monitoring, corrections and corrective actions of the food safety
management system are trained,
d) evaluate the implementation and the effectiveness of a), b) and c),
e) ensure that the personnel are aware of the relevance and importance of their individual activities in
contributing to food safety,
f) ensure that the requirement for effective communication (see 5.6) is understood by all personnel
whose activities have an impact on food safety, and
g) maintain appropriate records of training and actions described in b) and c).
7.3
The organisation shall ensure that all relevant persons
doing work under the organisation’s control shall be
aware of:
a) The food safety policy;
b) The objectives of the FSMS relevant to their
task(s);
c) Their individual contribution to the effectiveness of
the FSMS, including the benefits of improved
food safety performance;
d) The implications of not conforming with the
FSMS requirements.
The organisation should create a food safety culture to ensure that staff is aware of the importance of their individual activities in contributing to food safety. This means that
all staff:
Handle food in such a way that they would consume it themselves
Do the right things even when nobody is watching
Influence others to do the right things
Make no compromises with regards to food safety.
5.4 Communication
The purpose of communication is to ensure that the necessary interactions occur and that staff within the
food chain and inside the organisation have information relevant to their role. There are four important
considerations when it comes to communication, highlighted in the diagram. The introductory section of
this requirement is new (clause 7.4.1):
The organisation shall determine the internal and external communications relevant to the FSMS, including:
a) On what it will communicate;
b) When to communicate; c) With whom to communicate;
d) How to communicate;
e) Who communicates.
The organisation shall ensure that the requirement for effective communication is understood by all persons whose activities have an impact on food safety.
Timeous information Targeted agenda Forums (levels, within functions,
cross-functional)
Method (notice boards, newsletters, intranet, meetings)
41
TD54 (V4)
5.4.1 External communication
ISO 22000:2005 ISO 22000:2018
Clause Description Clause Description
5.6.1
To ensure that sufficient information on issues concerning food safety is available
throughout the food chain, the organization shall establish, implement and maintain
effective arrangements for communicating with
a) Suppliers and contractors, b) Customers or consumers, in particular in relation to product information
(including instructions regarding intended use, specific storage requirements
and, as appropriate, shelf life), enquiries, contracts or order handling including
amendments, and customer feedback including customer complaints,
c) statutory and regulatory authorities, and
d) other organizations that have an impact on, or will be affected by, the
effectiveness or updating of the food safety management system.
Such communication shall provide information on food safety aspects of the organization's products that may be relevant to other organizations in the food
chain. This applies especially to known food safety hazards that need to be controlled
by other organizations in the food chain. Records of communications shall be
maintained.
Food safety requirements from statutory and regulatory authorities and customers
shall be available.
Designated personnel shall have defined responsibility and authority to
communicate externally any information concerning food safety. Information obtained through external communication shall be included as input to system
updating (see 8.5.2) and management review (see 5.8.2).
7.4.2
The organisation shall ensure that sufficient information is communicated externally
and is available for interested parties of the food chain. The organisation shall
establish, implement and maintain effective communications with:
a) External providers and contractors;
b) Customers and/or consumers, in relation to:
1) Product information related to food safety to enable the handling,
display, storage, preparation, distribution and use of the product within
the food chain or by the consumer;
2) Identified food safety hazards that need to be controlled by other
organisations in the food chain, and/or consumers;
3) Contractual arrangements, enquiries and orders, including their
amendments; 4) Customer and/or consumer feedback, including complaints;
c) Statutory and regulatory authorities;
d) Other organisations that have an impact on, or will be affected by, the
effectiveness or updating of the FSMS.
Designated persons shall have defined responsibility and authority for the external
communication of any information concerning food safety. Where relevant,
information obtained through external communication shall be included as input for
management review (see 9.3) and for updating the FSMS (see 4.4 & 10.2).
Evidence of external communication shall be retained as documented information.
The following table could be useful to summarise external communication:
Stakeholder Information/topics Source/forum/method of communication Frequency of communication Responsibility for communication
42
TD54 (V4)
5.4.2 Internal communication
ISO 22000:2005 ISO 22000:2018
Clause Description Clause