30+ years ago food safety became a world-wide issue for a myriad of reasons, particularly the growing export trade in food. That led to the adoption of HACCP (Hazard Analysis of Critical Control Points) based on guidelines published by Codex Alimentarius. HACCP is a risk assessment of potential food safety issues, determining critical control points (CCPs) based on a relatively simplistic decision tree, and dealing with them.
This became problematic for companies wishing to achieve certification to meet customer or export requirements because there was no actual Standard. The result was auditors and certification bodies (CBs) auditing based, largely, on their opinion rather than documented requirements. That’s why TQCSI developed the TQCSI HACCP Code, which is one of only a handful of codes in the world to have been registered by an accreditation body (JAS-ANZ in the case of the TQCSI HACCP Code). Our Code is transparent to our clients and auditors alike, documenting the actual requirements for certification.
Overwhelming pressure led to ISO publishing an international Standard in 2005 after a prolonged consultation period - ISO 22000 for food safety management systems. Many interpreted ISO 22000 as simply ‘ISO 9001 and HACCP’, which was true in many respects, but in reality was much more. ISO 22000 introduced a more sophisticated (and confusing) risk assessment process, encouraging the use of a decision tree published in the 2005 version of ISO 22004 (Guidance on ISO 22000).
ISO 22000 also introduced requirements for pre-requisite programmes (PRPs) and operational pre-requisite programs (OPRPs). Those terms were very European-centric and not commonly used in many parts of the world, including Asia. Consequently, many companies had difficulty understanding their requirements and, moreover, very many auditors and CBs were just as ignorant. Many still are!
ISO 22000:2018, published in June is a very good upgrade, now embracing the higher-level structure of management systems standards, resolving much of the duplication and confusion of the previous version, and better defining OPRPs, PRPs and their controls. However, the most significant change has been the risk assessment of food safety hazards to determine whether they should be treated as a CCP or an OPRP based on a number of criteria, now needing to be determined by the client rather than any using any particular published decision tree. In theory, the new requirement makes perfect sense and gives businesses flexibility in meeting their food safety management system requirements. However, it is terribly difficult for most SMEs to deal with.
Implementing ISO 22000:2018
As the range and complexity of food safety issues increase over time, so do our food safety requirements, including those to meet ISO 22000 certification requirements. For example, do the risks and opportunities requirements of ISO 22000 mean companies should implement a Food Defence Plan and a Food Fraud Vulnerability Plan?
Knowledgeable draftees of ISO standards, large companies with food safety scientists and CBs with food safety specialist auditors, have the wherewithal to deal with the increasingly complicated requirements but not many SMEs do. So the real challenge now is for SMEs to develop and implement a hazard analysis and categorisation methodology that meets the requirements of ISO 22000 but is still practical and understandable. The food safety management systems consultancy, JLB has recently developed a Hazard Control Plan which meets these requirements and is being rolled out to their clients. Other reputable consultancies will surely follow but many SMEs (and consultants without experience) will struggle unless they seek assistance.
Food safety auditors will now need to step up and understand the new requirements as well! CBs are expected to ensure the competency of their auditors and so we at TQCSI require our auditors to undergo training, examination and regular witnessing in the new Standard. But, as history teaches us, it will take some years before the majority of CBs and auditors embrace the new requirements of ISO 22000:2018, and even longer for most SMEs!