In 1906, President Theodore Roosevelt signed legislation that created the agency with legal authority to seize goods in interstate commerce that were adulterated, contained additives injurious to health, or contained filthy, decomposed or putrid substances. Thirty-two years later, Roosevelt’s cousin Franklin signed the Food, Drug and Cosmetic Act, which significantly strengthened the Food and Drug Administration’s powers.

The FDA’s authority and commitment to ensuring a safe food supply have continued to increase over the years. The year 1971 saw the enactment of regulations to ensure the safety of canned low-acid foods following the Bon Vivant vichyssoise soup botulism outbreak. Regulations governing acidified foods followed. Finally we saw the enactment in 2011 of the Food Safety Modernization Act, which had bipartisan support.

The USDA’s commitment to food safety has also evolved over the years. Concerns about the safety of seafood, meat and poultry and juices in the 1980s and ‘90s led to regulations mandating that processors of these products in the United States and those exporting to this country adopt the Hazard Analysis, Critical Control Points system to ensure the safety of these products. FSMA basically dotted the i’s and crossed the t’s in that it mandated HACCP or HACCP-based systems for all products, or as the regulation states “establish preventive controls” to ensure safety. Perhaps the catalyst for the HACCP-related activity was the 1985 report from the National Academy of Sciences that concluded:

“HACCP provides a more specific and critical approach to the control of microbiological hazards than is achievable by traditional inspection and quality control.”

And that:

“Testing of finished products was not an effective means of protecting the consumer and assuring the foods were free of microorganisms of public health significance.”

In other words, a committee of members from academia, industry and government was looking to see a process control-based approach to food safety similar to what NASA had adopted for the space program 25 years earlier with input from the U.S. Army laboratories and Pillsbury. There are times when we learn from our past experiences.

So, the committee, which evolved into the National Advisory Committee for Microbiological Criteria for Foods (NACMCF), recommended that HACCP be adopted as a means for controlling microbiological hazards in foods. HACCP was being used at this time by a few companies, one of which was Pillsbury, but it was not yet an industry standard.

HACCP had a ways to go before it evolved into the systematic approach to food safety we have today. Early HACCP plans were large and unwieldy. Many had 10, 15 or 20 critical control points, which meant they were prone to having lots of deviations. By definition, every time there is a deviation at a critical control point, the product is potentially unsafe. This means that the product in question needs to be identified, isolated, placed on hold and evaluated to determine whether it is indeed unsafe. During this period, programs that were essential but not necessarily items which determined whether a product would be safe became critical control points—issues such as product identification, hand-washing, equipment cleaning and others. These were issues that eventually were identified as prerequisite programs to food safety and formed the basis of HACCP’s evolution into a HACCP-based food safety management system.

The seafood HACCP regulation

In the late 1980s there was a real concern in the United States that seafood posed a significant health risk. The National Marine Fisheries Service, with prodding from the Government Accounting Office, began looking into the industry and whether additional regulations were needed. Surveys indicated that the situation was not as bad as many thought, but they did show that the industry needed to improve and that establishing regulations that mandated the development and implementation of HACCP were needed. The preamble to the Seafood HACCP regulation, “Procedures for the Safe and Sanitary Processing and Importing of Fish and Fishery Products,” states:

“…It (the seafood industry) has not yet succeeded in developing a culture throughout the seafood industry in which processors assume an operative role in controlling sanitation in their plants.”

The regulation not only mandates the adoption of a HACCP program, but also the development of sanitation and other programs to support HACCP. These prerequisite programs are grouped into six categories:

  1. SSOP
  2. GMPs
  3. Product identification
  4. Traceability and recalls
  5. Preventive maintenance
  6. Education and training

The regulation also includes the following statement:

“Sanitation, especially those issues related to cleaning and sanitizing and routine maintenance aimed at assuring safe operation of equipment should now be included in the prerequisite program and not be considered to be CCPs.”

The regulation specifically calls for each seafood processor to develop and implement programs to monitor and maintain the following:

  • Safety of water
  • Condition and cleanliness of food contact surfaces
  • Prevention of cross-contamination
  • Hand-washing, hand sanitizing and toilets
  • Protection from adulteration
  • Proper storage and use of toxic compounds
  • Employee health
  • Pest control

In 123.11 (b), the regulation mandates that these issues be monitored as follows:

“Each processor shall monitor the conditions and practices during processing with sufficient frequency to ensure, at a minimum, conformance with those conditions specified in Part 110 of this chapter…”

So the seafood HACCP regulation not only established prerequisite programs, but also mandated that they be monitored to ensure conformance to expectations.


This is not to say that other organizations were sitting on their hands. The Codex Food Hygiene document that was issued in 1997 included basic prerequisite programs for food safety. The Codex Food Hygiene document served as the primary reference for the PAS 220 (Publicly Available Standard) issued by the British Standard Institute and eventually evolved into ISO Technical Standard TS-22002-1.


Evolving elements of food safety

While the seafood HACCP regulation created a systems approach to managing food safety, there were other activities and incidents that helped expand the concept of a food safety management system. In 1997 both the NACMCF and the Codex Food Hygiene document redefined the seven principles of HACCP, and the versions were harmonized except for slight differences in language. What they did was to switch principles six and seven, so that recordkeeping is now the last principle. This makes perfect sense in that records are required for every step in the process. What this meant was that the world now was on the same page when it came to HACCP. As part of the systems approach, these two documents also introduced the five preliminary steps to HACCP. (See table below.)

preliminary steps to HACCP

The Codex Food Hygiene document emphasizes the importance of the multidisciplinary food safety team:

“The food operation should assure that the appropriate product-specific knowledge and expertise is available for the development of an effective HACCP plan. Optimally, this may be accomplished by assembling a multidisciplinary team. Where such expertise is not available on site, expert advice should be obtained from other sources, such as trade and industry associations, independent experts, regulatory authorities, HACCP literature and HACCP guidance (including sector-specific HACCP guides).”

In addition, a number of high-profile foodborne incidents not only helped drive the establishment of regulations, but also raised the bar for ensuring food safety. These included the Jack in the Box incident, Odwalla’s E. coli 0157:H7 outbreak and a mad cow disease scare in Europe.

It is up to a company’s HACCP or food safety team to develop, document, implement and maintain the food safety management system. Plans developed by the company teams are the best route to go since they understand the product, processes and plant operations better than anyone. The team members have been and are there each and every day, and they understand and know where the problem issues are.

This greater focus on food safety had another result: a greater emphasis by processors—especially among multinational corporations of all types—on ensuring the safety of their products and protecting consumers. Manufacturers, fast food chains, retailers and others began demanding that suppliers must develop and implement food safety management systems if they wished to sell to them. They not only expected that food safety systems be adopted, but they also wanted some way to confirm that this was actually the case. This helped create a whole new industry in the food safety auditing business. But how was this verification to be done? What standards were these outfits being held to? I personally observed plants with food safety certificates that stated that the standard against which the company had been audited was the Codex Food Hygiene document. This is definitely not an auditable standard. So what was to be done?

The food safety audit

With the enactment of regulations in the United States, the European Union and elsewhere in the world, plus the establishment of the Codex Food Hygiene document that put the world on the same page when it came to HACCP and the importance of prerequisite programs, the food safety audit came into being. Many firms around the world had been doing audits that focused on GMPs, but the 1990s and the early years of the 2000s saw the development and introduction of many food safety audit schemes by different consulting firms and by food, beverage and ingredient manufacturers themselves, as a tool to ensure quality and safety of what they were buying from their suppliers. This was a significant development, but it did put a great deal of pressure on suppliers and other providers. Why? There was no standard for what was expected. Many processors were now being subjected to multiple audits every year—sometimes 20 or more.

There were several movements to address this issue around the world. The most prominent was the launch of the Global Food Safety Initiative in 2000. 

Cor Groenveld, market development director for FSSC 22000, says the GFSI was established because global retailers and manufacturers wanted to standardize the many food safety standards and certification schemes. Their motto was “certified once, accepted everywhere” to reduce multiple audits and their costs and also to drive improvement toward food safety in the whole supply chain.

“Therefore, they developed a benchmark and recognition model with minimal requirements for food safety certification schemes. Today there are 11 recognized schemes and three schemes with technical equivalence.”

GFSI has evolved over the years and has focused on establishing benchmarked schemes that focus on food safety and the essential prerequisite programs. There are four audit schemes that are currently approved for process-related food safety operations, plus others as alluded to above. The process-related audit schemes are:

  • FSSC 22000—Food Safety System Certification 22000
  • BRC Global Standard
  • IFT—International Featured Standards
  • SQF Food Safety Code

Another group that had designs on creating the end-all, be-all for audits was the National Food Processors Association. With input from food processor members, the group developed the NFPA-SAFE audit in 2003. This audit had a short life, however, and has vanished from the landscape of audit schemes.

The GFSI audit schemes have gained incredible traction around the world. Today it is an accepted element of doing business. There is an expectation if not a mandate by most buyers of foods, beverages, packaging and ingredients that their suppliers have an established GFSI audit scheme in place.

Although these audit schemes have been approved by the GFSI group, they are still privately owned schemes. There was a global demand for an auditable food safety standard that was filled by the International Organization for Standardization. In 2001, the Danish Standards group hosted the first of meetings aimed at developing an auditable food safety standard using ISO rules and guidance. The United States was an early participant in this process. 

The Danish Standards group remained the host during the development of the standard. There were one to two meetings per year in Copenhagen. The standard was developed using the ISO 9000 standard for quality and the Codex Food Hygiene document, although the committee examined food laws and regulations from around the world.

“ISO standards are developed as consensus standards,” says John Surak, principal, John Surak and Associates. “First the standard is developed by an ISO Working Group of food safety professionals from around the world. Once the working group develops a draft standard, it is circulated to the national standards agency. In the U.S. this is the American National Standards Institute. The standard is reviewed by a national delegation of quality professionals. These professionals will provide comments to further refine the standard. Once the development of the standard is completed, each country will vote on whether the ISO standard should be adopted. If two-thirds of the countries vote for adoption of the standard, the standard is adopted as an international standard.”

The standard, “ISO 22000: Food Safety Management Systems —Requirements for Any Organization in the Food Chain,” was first issued in 2005 and revised in 2018. It has garnered significant support since it was first issued. (The table below shows information ISO provided on how many organizations have currently adopted ISO 22000.)

Surak summarizes how ISO 22000 has evolved and where it is going.

“ISO 22000 was developed as an international food safety standard that uses the ISO rules for international consensus,” he says. “Thus, ISO 22000 provides an alternative for other GFSI recognized standards, such as SQF and BRC. These international standards are developed by private organizations. Over the years, ISO has developed additional standards that support the certification of food safety management systems. These added standards include standards for defining prerequisite programs and auditor competencies.”

Number of ISO 22000 certificates per regionClick to enlarge

Is everyone satisfied?

It has already been mentioned that meeting the requirements of one of the GFSI benchmarked audit schemes has become a mandate for doing business in the food industry. But has that requirement relieved the burdens of multiple audits? The answer is not yet. Food, beverage and ingredient processors acknowledge that they are still subjected to multiple audits, sometimes 10 or more. Most of these audits are conducted by customers using their own audit schemes and demands.

Why are buyers asking for or doing these additional audits? There are several reasons ranging from a lack of trust in audit findings to how the GFSI audit schemes are evolving to a buyer desire to retain a closer relationship with their suppliers. Many operations view supplier relationships as a partnership and feel that a regular presence in supplier operations is essential to maintaining this relationship.

“We use the GFSI audit schemes in conjunction with our own on-site assessment for what are judged as potentially high-risk suppliers,” says Warren Edde, manager, supply chain safety, J.R. Simplot. “It is our intent to verify whether the controls adequately eliminate or significantly reduce to an acceptable level the hazards of concern, especially where our suppliers have the last significant preventive control for these hazards. We focus on hazards and mitigation strategies that are specific to the types of foods we manufacture.”

One issue that does concern buyers is how the audit schemes have evolved, with some becoming checklists that do not provide the details that some buyers want to see. For example, an audit might address dozens of different elements, yet the auditor, when evaluating these points, may only be asked to rate the issues as fully compliant, partially compliant or noncompliant. Details are provided only when the point is not fully compliant. There are many companies, such as J.R. Simplot, that want and rely on the additional detail when evaluating a potential partner, so they do their own audit even though the company has passed a food safety audit.

The bottom line is that food safety audits will not be going away. They will remain an essential element—even a mandate—of doing business in the food industry for processors, ingredients manufacturers and packaging suppliers.