This is the part 2 of an article about the new ISO 22000:2018, which was published in June 2018. If you have not yet read the first article, please check it out here. In the present article, changes to clauses 4–7 are discussed. Part 3 will discuss clauses 8–10.
Clause 4 – Context of the Organization
This clause is nearly all new and is mainly focused in defining how organizations shall establish the Food Safety Management System (FSMS) scope. For that, according to the standard, there are three things organizations must do/know (Figure 1).
From these items, the one that is the most straightforward for food safety practitioners is the definition of requirements. For that, organizations must first determine who the interested parties are and then gather their requirements regarding food safety.
To identify the interested parties, it is essential to consider all the participants that have an impact on food safety, whether internal or external components of the organization. For example, employees, management, and owners can be considered internal interested parties; suppliers, society, government, customers, and consumers are examples of external interested parties.
The new approach where organizations must understand their context and how those issues are relevant to their purpose and ability to achieve the FSMS results may pose a challenge to organizations, not only in defining it but also in how to audit it. One option would be to seek advice from people that have other ISO management systems implemented (or have experience in implementing it) since this approach is common to all ISO management system that have adopted the High Level (e.g., ISO 9001 or 14001).
Finally, the organization must define the FSMS boundaries so that the scope may specify the products and services, processes, and production sites included in the FSMS. In the 2005 version, services were not included in what the scope should specify. The scope must also consider the context of the organization and the needs and expectations of the interested parties, so that the FSMS will be established in an objective and consistent way to the reality of the company.
Clause 5 – Leadership
In this clause, the new standard presents a list of actions that top management should do to demonstrate its commitment towards the FSMS. The role of top management with respect to the FSMS is reinforced in the new version, since not only commitment (2005 version) but also leadership shall be demonstrated.
Regarding policy, there are no major differences when compared with the last version, although it includes an interesting reference to the importance of communicating policy with interested parties.
Clause 5.3 presents details on which responsibilities and authorities top management shall assign and introduces the idea that the responsibility of top management is not limited to assigning and communicating responsibilities and authorities, but also ensuring that they are understood. Besides defining what the food safety team leader shall be responsible for (that was also present in the 2005 version), it also clarifies other responsibilities and authorities that top management shall define (e.g., reporting on the FSMS performance, ensuring that the FSMS conforms to requirements). It also encourages sharing more responsibility over the entire organization to achieve the effectiveness of the FSMS, designating persons with defined responsibility and authority to initiate and document actions(s).
Clause 6 – Planning
In clause 6.1, the concepts of risks and opportunities are introduced as something that the organization must determine, considering relevant issues (internal or external) and requirements from the interested parties. Then the organization must plan, not only actions to address these risks and opportunities, but also how to integrate, implement, and evaluate the effectiveness of these actions.
The responsibility for establishing objectives and retaining documented information on them is set on clause 6.2. There is a higher emphasis on the importance of objectives than in the last version. Objectives shall be consistent and measurable, take into account the requirements, and be monitored, verifiable, communicated, and updated.
When planning how to achieve objectives, the steps shown in Figure 2 should be taken in consideration.
Clause 7 – Support
Clause 7 presents requirements regarding several supporting activities like resource management, people competence and awareness, communication and documented information management.
Resources in clause (7.1) are divided into:
• People (7.1.2),
• Infrastructure (7.1.3),
• Work environment (7.1.4),
• Externally developed elements of the FSMS (7.1.5),
• Control of externally provided process, products or services (7.1.6)
Resources can be approached by the prism of external or internal resources. Clause 7.1.3 and 7.1.4 manage internal resources, and clause 7.1.5 and clause 7.1.6 manage external resources. People (clause 7.1.2) can be either internal or external. Internal people are addressed in clause 7.2 (Competence) and 7.3 (Awareness), mainly to imply that the organization determines and ensures the competence and awareness (e.g., policy, objectives) of relevant persons. When assistance from external people is needed (e.g., experts), the organization shall retain documented information (e.g., contracts defining competencies). Retaining relevant information is also mandatory when the organization opts to:
• develop elements of the FSMS externally – guaranteeing that they are applicable, adapted, and updated
• use external providers of processes, products, and services – guaranteeing communication, evaluation, and monitoring
When comparing clause 7.4 (communication) with clause 5.6 in the 2005 version, the new version adds that the organization shall not only ensure that the requirements for effective communication are understood but also determines the details shown in Figure 3.
In terms of managing documentation, there is a different approach in the new version. Instead of dividing the clause into control of documents and control of records, it is presented as creating, updating, and controling documented information. Another significant change is the fact that a formal written procedure to control documents and records is no longer mandatory. This seems to be in line with the guidelines of ISO 9001:2015, promoting a more process-focused management system than document-based. This new version gives a focus on protection of confidentiality and integrity of documented information, reflecting the increasing importance of these issues to organizations and to society as a whole. In a note, it is explained that control of access to documented information may imply defining different permissions (view only or view and change).
Stay tuned for Part 3, which will round out the updates to this important regulation.
Nuno F. Soares, Ph.D., is an author, consultant, and trainer in food safety. He has over 20 years experience in food industry as quality and plant manager. He is the author of “ISO 22000:2018 Explained in 25 diagrams.”