ISO 22000:

TRANSITION FROM
VERSION 2005 TO 2018
O P E R AT I O N S T R A I N I N G F E B R U A RY 2 0 , 2 0 1 9

P R E S E N T E D B Y M I K E G OV R O, DAV I D VA N L E U V E N &
ELIZABETH RACHWITZ
ISO 22000:2005 TO ISO22000:2018
CLAUSE 0.1 GENERAL

Benefits of the FSMS, reference to PDCA (Plan Do Check Act) and clarification
in verbal forms (shall, should, may, can) have been included

Definitions:
Shall – indicates a requirement
Should – indicates a recommendation
May – indicates a permission
Can- indicates a possibility or a capability
CLAUSE 0.2 FSMS PRINCIPLES

Key elements moved from the Introduction section (2005) to a separate

subsection. Principles common to ISO Management system standards have been
included.
 CLAUSE 0.3 PROCESS APPROACH

Process approach, PDCA cycle

and risk-based thinking
(including relationship with
HACCP) explanations included

0.3.2 Plan-Do-Check-Act cycle

 CLAUSE 0.3 PROCESS APPROACH

Plan: establish objectives of system and its processes, provide resources needed to
deliver results, and identify and address risks and opportunities

Do: implement what was planned

Check: monitor and (where relevant) measure processes and resulting products and
services, analyze and evaluate information and data from monitoring, measuring and
verification activities, and report the results

Act: take actions to improve performance, as necessary

CLAUSE 0.3 PROCESS APPROACH

The standard clarifies the Plan-Do-Check-Act cycle, by having two separate

cycles in the standard working together: one covering Organizational Planning
and Control (the management system) and one covering Operational Planning
and Control (the principles of HACCP).
ILLUSTRATION OF THE PLAN-DO-CHECK-
ACT CYCLE AT THE TWO LEVELS
0.3.3 RISK-BASED THINKING
0.3.3.1 GENERAL

Risk-based thinking is essential for achieving an effective FSMS.

Risk-based thinking is addressed on two levels, organizational (0.3.3.2) and

operational (0.3.3.3), which is consistent with the process approach described in
0.3.2.
- notice how this pairs with the PDCA Cycle diagram
0.3.3.2 ORGANIZATIONAL RISK
MANAGEMENT
Risk is the effect of uncertainty, and any such uncertainty can have positive or
negative effects.

In the context of organizational risk management, a positive deviation arising

from a risk can provide an opportunity, but not all positive effects of risk result
in opportunities.

To conform to this document’s requirements, an organization plans and

implements actions to address organizational risks (6.1). Addressing risks
establishes a basis for increasing effectiveness of the FSMS, achieving improved
results and preventing negative effects.
 0.3.3.3 HAZARD ANALYSIS — OPERATIONAL
PROCESSES
The concept of risk-based thinking based on the HACCP principles at the
operational level is implicit in this document.

The subsequent steps in HACCP can be considered as the necessary measures to

prevent hazards or reduce hazards to acceptable levels to ensure food is safe at
the time of consumption (Clause 8).

Decisions taken in the application of HACCP should be based on science, free

from bias and documented. The documentation should include any key
assumptions in the decision-making process.
CLAUSE 0.4 RELATIONSHIP WITH OTHER
MANAGEMENT SYSTEM STANDARDS

This revision of the standard has been developed within the ISO high level
structure (HLS). The objective of the HLS is to improve alignment between ISO
management system standards (ISO 22000, ISO 9001 and ISO 14001).

Enables an organization to use the process approach, coupled with the PDCA
cycle and risk-based thinking, to align or integrate its FSMS approach with the
requirements of other management systems and supporting standards.
FSMS - REQUIREMENTS FOR ANY
ORGANIZATION IN THE FOOD CHAIN
CLAUSE 1 SCOPE
General requirements are the same, but wording has clarified or eliminated
redundant terms (e.g. suppliers & customers are now all included under interested
parties)

This document specifies requirements for a FSMS to enable an organization that is

directly or indirectly involved in the food chain:
a) to plan, implement, operate, maintain and update a FSMS providing products and
services that are safe, in accordance with their intended use;
b) to demonstrate compliance with applicable statutory and regulatory food safety
requirements;
CLAUSE 1 SCOPE (CONT.)
c) to evaluate and assess mutually agreed customer food safety
requirements and to demonstrate conformity with them;
d) to effectively communicate food safety issues to interested parties within
the food chain;
e) to ensure that the organization conforms to its stated food safety policy;
f) to demonstrate conformity to relevant interested parties;
g) to seek certification or registration of its FSMS by an external organization, or
make a self-assessment or self-declaration of
conformity to this document.

Now specifically includes animal food (food for animals not producing food for
human consumption.)
FSMS - REQUIREMENTS FOR ANY
ORGANIZATION IN THE FOOD CHAIN
CLAUSE 2 NORMATIVE REFERENCES
Reference has been eliminated
FSMS - REQUIREMENTS FOR ANY
ORGANIZATION IN THE FOOD CHAIN
CLAUSE 3 TERMS AND DEFINITIONS
Reference to ISO and IEC terminology databases has been included. Number of
definitions has been increased from 17 to 45. The term Significant food
safety hazard has been included and linked to the definition of control
measures. "Elimination" of significant food safety hazards has been removed,
leaving only reduction or prevention. Definitions of CCP's and OPRP's have
been enhanced with additional elements and linked to significant food safety
hazards. Clarification between validation, verification and monitoring
included. Food, Feed and animal food terms have also been included.
CLAUSE 3 TERMS AND DEFINITIONS
(CONT.)
Acceptable level: a control measure is effective if it is able to keep the relevant
hazard under the acceptable level in the end product.

Contamination is now used for a broader purpose (i.e. now includes effects of
food fraud).

Harm is replaced by adverse health effect - adds consistency with definition

of food safety hazard (where “adverse health effect” is used).

The use of assurance highlights relationship between consumer and food

product, based on the assurance of safety.
CLAUSE 3 TERMS AND DEFINITIONS
(CONT.)
Outsource: An external organization is outside the scope of the FSMS,
although the outsourced function or process is within the scope.

6.1.1 states “public authorities are responsible for addressing public health risks.
Organizations are required to manage food safety hazards.”
- The term risk is used at the management system level only, which is the outer PDCA
cycle to manage the organizational risk.
- In the inner PDCA cycle, the operational planning, and control ensuring control of
process, the term hazard is used. Control is based on hazard analysis, CCP and oPRP.
CLAUSE 3 TERMS AND DEFINITIONS
(CONT.)

A Control Measure should prevent and/or reduce (eliminate has been

removed as it is not realistic) significant food safety hazards. Control Measures
are managed within the hazard control plan (CCP or oPRP).

Section 3.11 has clarified aspects of the Critical Control Point CCP.

Section 3.12 requires a Critical Limit MUST be measurable value. (If it is only
observable that must be an oPRP).
CLAUSE 3 TERMS AND DEFINITIONS
(CONT.)
Monitoring: determining the status of a system, a process or an activity
- Monitoring is applied during an activity, provides info for action within a specified time frame

Validation: obtaining evidence that a control measure/combination of

control measures will be capable of effectively controlling significant food
safety hazard.
- Validation is applied prior to an activity, provides info about capability to deliver intended results

Verification: confirmation, through the provision of objective evidence,

that specified requirements have been fulfilled
- Verification is applied after an activity and provides info for confirmation of conformity
4.0 CONTEXT OF THE
O R G A N I Z AT I O N
4.1 UNDERSTANDING THE ORGANIZATION &
ITS CONTEXT
2005 Reference: New section title, New Clause

Requirements to determine the external and internal issues relevant to the

organization's purpose and ability to achieve intended results, have been
included; as well as the review and update of the information.
4.1 UNDERSTANDING THE ORGANIZATION &
ITS CONTEXT (CONT.)
What internal and external issues impact the organization? – this exercise helps integrate
the FSMS with aspects of the business. Tools such as SWOT or CANVAS may be used by
the organization to answer this question, or they may just have a list. The information
obtained here is the first building block in developing the organization’s scope.

IF organization has done this exercise for another ISO standard, how did they update for
FSSC?

Info must be reviewed & updated (during periodic event, such as Management Review)

Top Management Example Questions: Who determined this information, and how? When
would you revise/update this information? How did you document this information,
including changes to it?
4.2 UNDERSTANDING THE NEEDS &
EXPECTATIONS OF INTERESTED PARTIES
2005 Reference: New Clause

Requirements to determine the needs and expectations of interested parties

have been included, as well as the review and update of the information
4.2 UNDERSTANDING NEEDS & EXPECTATIONS
OF INTERESTED PARTIES (CONT.)
The organization should identify all internal and external participants (Interested
Parties) that have an impact on their Food Safety Management System, and what
their Requirements are regarding food safety. The information obtained here is
the second building block in developing the organization’s scope.

IF organization has already done this exercise for another ISO standard, how did
they update for FSSC?

Information must be documented, reviewed and updated (during a periodic

event, such as Management Review)
4.3 DETERMINING THE SCOPE OF THE FSMS

2005 Reference: Requirements for scope definition already included in 4.1, however further
requirements have been added

The term services has been added to the scope definition requirement, as well as
activities..... that can have an influence on the food safety of the end products
of the organization.

Link to requirements defined in 4.1 and 4.2 has been added when determining the
scope.
- The organization’s documented information from 4.1 and 4.2 should provide the raw
material for them to develop their Scope = the boundaries of their FSMS.
4.3 DETERMINING SCOPE OF THE FSMS (CONT.)
The scope:
- Shall specify products and services, processes and production site(s) included in the FSMS.
- Shall include activities, processes, products or services that can have an influence on the
food safety of its end products.
- Shall be documented.
- Is NOT just what is shown on the organization’s certificate or in the FRS!

Exclusions are rare as, even if processes, sites, etc. may not be directly managed by the
organization, they still must be controlled. Example: an outside warehouse managed and
manned by a 3rd party. The organization would still be expected to ensure this location is
meeting their FSMS requirements, as it has influence on the food safety of the
organization’s end products.
4.4 FOOD SAFETY MANAGEMENT SYSTEM
2005 Reference: Already existing in 4.1 but more extensive than in the new version. "The
organization shall establish, document, implement and maintain an effective food safety
management system and update it when necessary in accordance with the requirements of this
International Standard". Control of outsourced processes has been moved to clause 7.1

General requirements related to the food safety management system, have been
resumed in a single general clause. The word document has been removed
giving an open decision how to manage the FSMS .

The organization shall establish, implement, maintain, update and

continually improve a FSMS, including the processes needed and their
interactions, in accordance with the requirements of this document.
Real Example #1 of how Context of the Organization (ISO 9001:2015 surveillance) section was written up:

The site’s SWOT Analysis (January 2019) includes a column for strength, weakness, opportunity and threat
questions, and additional columns for the departments/areas impacted by each S, W, O and T, such as
Manufacturing, Shipping, Sales, Customer Service and Accounting. An example of how the above works is
the question “Where do you lack resources?” (a weakness) is answered “manpower” by both
Manufacturing and Shipping. The Management Team revised their analysis in their Quality Management
Team (QMT) meeting in early 2019 to include Suppliers as an area potentially impacted by the site’s S, W, O
and T determinations.

The CLIENT NAME Relevant Interested Party Analysis (01/10/18) was also reviewed at that time and found
to still be accurate.

The Quality Systems Manager is in charge of the QMS. The Management Team has identified the processes
needed for the QMS, including Quality Plan (12/11/17) and Quality Process/Relationships (12/11/17).

The Management Team has determined the top three risks to be addressed: 1) resource allocation to
improve throughput and reduce overtime, 2) focus on downtime/set-up time, and 3) safety, and
determined actions to address these risks; however, they have not documented the effectiveness of those
actions (see minor non-conformance raised in section I-9.3.2e).
Real Example #2 of how Context of the Organization section was written up for 1st time ISO 9001:2015
transition (an extra wordy one!):

The objective of this process is to ensure management has fully considered, discussed and addressed all
aspects of the context of the organization, with this determination used to continuously improve the quality
management system. This process was considered effective and met the intent of the standard.

The Context of Organization (Rev 0, 11/27/17), Interested Parties, SWOT and Scope of the Management
System were developed by the Management Team. The General Manager, Production Manager and
Controller, all members of top management interviewed to ensure management commitment to the ISO
9001:2015 transition and implementation, were able to talk to the SWOT and Interested Parties, giving
examples that applied to their specific area/department and to the overall site.

Site management determined external and internal issues relevant to its purpose using SWOT Analysis (Rev 2,
03/09/18), with detailed strengths, weaknesses, opportunities and threats. Examples of strengths included
GFSI certification for direct food contact, people, reputation and ‘the answer is yes”. Examples of weakness
included quality product (R&A), yield and on time delivery (OTD). Opportunities included sales and volume
growth, continual training and development of employees. Threat examples included competitor pricing
strategies, and paper supply logistics. Each item on the list was scored for likelihood (scale 1-5) and severity
(scale 1-5); when those scores was multiplied, it provided a Risk Priority Number (RPN).

…continued on next slide (I said it was wordy!)…

…continued from previous slide…

The team also developed Relevant Interested Parties (Rev 0, 10/18/17), which included such groups as customers,
suppliers, employees and managers/supervisors. The team looked at the requirements of each party and the
Management System Processes in place to address each of these requirements.

Top management decided to address all opportunities and threats. Actions to improve (reduce the RPN) are
discussed and documented in Management Review and in Continual Improvement Teams, if created. All are
included in the Action Plan list. Interviews of the GM and Sales Manager included how they plan to increase
volume and grow sales, both deemed opportunities and threats. Interviews of the Production Manager included
discussion on Yield, a weakness tied to numerous opportunities and threats. In addition, the GM was able to
show improvements in their key quality objectives when compared to the same time last year, which he
attributed to the Continual Improvement Teams and the training program the site has put in place for employees.

Site management determined the Scope of the QMS included all production and service activities that take place
at the local address and the outside warehouse.

The site uses the flow diagrams in Context of Organization and Process Mapping for CLIENT NAME, most recently
reviewed for accuracy on 04/28/18, to document their QMS processes, including inputs and outputs, the
sequence of steps, criteria and method, resources needed, and responsibility and authority.

Management Team members interviewed for this process: TG, TT, SW, DH and A
5.0 LEADERSHIP
5.1 LEADERSHIP & COMMITMENT
2005 Reference: Partially covered by clause 5.1 & 7.4.3

Responsibilities of top management have been extended, including demonstrable

leadership and supporting other relevant management roles.

Strengthens emphasis on leadership and management commitment.

Top Management Example Questions: How did you establish (and update, if
already established) site’s FSMS objectives? How do you communicate these
objectives to your employees? How do you ensure adequate resources are given
to the FSMS? Examples? What are your current/recent FSMS continual
improvement projects?
5.2 POLICY

2005 Reference: Partially covered by 5.2

The organization shall establish, implement, maintain, update and continually

improve a FSMS, including the processes needed and their interactions, in
accordance with the requirements of this document.

The word "document” was deleted.

5.2 POLICY (CONT.)
The organization’s Food Safety Policy must:
- include a commitment to satisfy applicable food safety requirements (statutory,
regulatory, mutually agreed customer requirements related to food safety)
- address internal and external communication
- include a commitment to continual improvement of the FSMS
- address the need to ensure competencies related to food safety
- be part of documented information (document control)

Top management must facilitate understanding of the Food Safety Policy by

their employees. It is no longer enough that employees know where the policy is
hung in the plant.
5.3 ORGANIZATIONAL ROLES,
RESPONSIBILITIES & AUTHORITIES
2005 Reference: Partially covered by 5.4, 5.5 and 7.3.2

Responsibilities and authorities for relevant roles shall also be

understood, not only defined and communicated (new requirement).

Additional requirements have been assigned to top management, related

to the assignation of specific responsibilities and authorities within the
FSMS.
5.3 ORGANIZATIONAL ROLES,
RESPONSIBILITIES & AUTHORITIES (CONT.)
It should be evident that top management assigned the responsibility and
authority for all aspects of the FSMS.

Responsibilities of the Food Safety Team Leader are included here.

How has top management alerted all personnel that they should report FSMS
problems? Who should they report these problems to?
6.0 PLANNING
6.1 ACTIONS TO ADDRESS RISKS &
OPPORTUNITIES
2005 Reference: New section title, New clause

New requirements added related to determining risks and opportunities, actions

to address them and their planning .

Important Note added (6.1.1) to clarify the concept of risks and

opportunities in the context of the standard (events and their consequences
relating to performance & effectiveness of the FSMS)
6.1 ACTIONS TO ADDRESS RISKS &
OPPORTUNITIES (CONT.)
This new section requires organizations to determine, consider, and where
necessary, take action to address any risks that may impact (positively or
negatively) the ability of the management system to deliver its intended results.

There should be evidence the organization used information determined in

sections 4.1, 4.2 and 4.3 to develop risks and opportunities to be addressed.
6.1 ACTIONS TO ADDRESS RISKS &
OPPORTUNITIES (CONT.)
How did they decide which to address? Not all items stemming from their work
in 4.1 – 4.3 need to be addressed at the same time. It is up to the organization
to determine which they address and timeframe.

The organization should be able to provide how they have/will evaluate

effectiveness of actions taken to address these risks and opportunities (this is an
input to Management Review, see 9.3.2c8)
6.2 OBJECTIVES OF THE FSMS AND
PLANNING TO ACHIEVE THEM
2005 Reference: Partially covered by 5.3

Additional specific requirements for the definition of objectives have been incorporated
(SMART), as well as requirements related to the planning to achieve them.

New requirement: Food safety, statutory, regulatory and customer requirements

shall be taken into account when defining objectives.

Are objectives SMART? Specific – Measurable – Achievable – Relevant – Time Based?

6.2 OBJECTIVES OF THE FSMS AND
PLANNING TO ACHIEVE THEM (CONT.)
This section strengthens focus on FSMS objectives as drivers for improvement.

How did organization take into account applicable food safety requirements
(statutory, regulatory and customer) when planning objectives?

This section ties to section 9.1.1 Monitoring, measurement, analysis and

evaluation.
6.3 PLANNING OF CHANGES

2005 Reference: Partially covered by 5.3

The general requirement in clause 5.3 (v2005) has been extended to include
additional considerations when planning and carrying out changes within the
FSMS

How has organization ensured integrity of FSMS is maintained when a change is

required (to process, product, personnel, equipment, regulation, raw material,
etc.)? Ask for real-life examples.
7.0 SUPPORT
7.1.1 GENERAL

2005 Reference: New section title, Partially covered by clause 6.1

Consideration of capability & constraints of existing resources as well

as the need for external resources in the determination of resources needed,
has been added as a requirement

Is a part of top management’s planning/budget used for FSMS maintenance and

continual improvement?
7.1.2 PEOPLE

2005 Reference: Partially covered by 6.2, 6.2.2.

Separated as a sub-clause under resources. Requirements applicable to external

experts have been included under this sub-clause.

Definition of competency in the agreement/contracts with external experts has

been added.

Does/did the organization use an external expert to help install/maintain their

FSMS? If so, ask to see documented evidence of an agreement/contract defining
the competency, responsibility and authority of that expert.
7.1.3 INFRASTRUCTURE

2005 Reference: Partially covered by clause 6.3

Wording has been changed slightly and a note added with examples of
infrastructure (land, vessels, buildings and associated utilities; equipment,
including hardware and software; transportation; information and communication
technology).
7.1.4 WORK ENVIRONMENT

2005 Reference: Partially covered by clause 6.4

Wording has been changed slightly and a note added giving examples of
human and physical factors comprising a suitable environment (social;
psychological; physical).
7.1.5. EXTERNALLY DEVELOPED ELEMENTS
OF THE FSMS
2005 Reference: Partially covered by 1

Specific requirements applicable to externally developed elements have been

introduced under this clause

If the organization used an external resource to assist in developing parts or the

whole of their FSMS, how did the organization ensure these elements were
applicable, adapted to their processes, and remain current?
7.1.6 CONTROL OF EXTERNALLY PROVIDED
PROCESSES, PRODUCTS OR SERVICES
2005 Reference: Partially covered by 4.1

Version 2005 required the definition and documentation of the control of

outsourced processes, however under version 2018 the requirements have been
extended to also providers of products and services. Requirements have also
been enhanced and made more specific.

Requirements for evaluation , selection, monitoring of performance/ re-

evaluation of external providers have been added as well as requirements
for adequate communication. Performance of external providers has
also been added as an input for Management Review.
7.1.6 CONTROL OF EXTERNALLY PROVIDED
PROCESSES, PRODUCTS, SERVICES (CONT.)
This clause introduces the need to control the suppliers of processes, products
and services (including outsourced processes) and to ensure adequate
communication of relevant requirements in order to ensure FSMS requirements
are met. Relevant documented evidence of this monitoring must be retained.

Performance of external suppliers is an input to Management Review, see

9.3.2c7.

Examples of externally provided processes, products or services include raw

material suppliers, transportation, outsourced services, warehousing/distribution,
janitorial services, contractors, temporary labor services, etc.
 7.2 COMPETENCE
2005 Reference: Partially covered by clauses 6.2.1, 6.2.2, 7.3.2

Food safety team competence has been included under this clause, scope of
necessary competence includes now also specifically external providers.

Requirement for personnel responsible of the operation of the hazard control plan
has been changed from trained to competent.

Awareness requirements have been moved to clause 7.3.

Requirements related to personnel understanding of effective communication has

been moved to clause 7.4
 7.2 COMPETENCE (CONT.)
Organization must determine required competencies for anyone who impacts the FSMS
- Food Safety Team members
- Personnel responsible for operation of the Hazard Control Plan
- Personnel responsible for performing tasks related to CCPs oPRP and PRP. External providers
are specifically mentioned!
- Subcontractors
- ALL personnel, as they are responsible for reporting issues with the FSMS

How does the auditor determine a person is competent? Use challenge questions. What
are some food safety specific issues that would make you stop your line? What changes to your
organization would warrant revising the Hazard Control Plan? How would you know if a raw
material supplier had to get a component from another location?
7.3 AWARENESS

2005 Reference: Partially covered by 6.2.2

Awareness requirements previously mentioned in clause 6.2.2 e) have been

moved to clause 7.3 and extended with specific awareness related to the
food safety policy, objectives (relevant to their tasks), improved safety
performance and implications of non-conforming with the FSMS
requirements.
7.3 AWARENESS (CONT.)
Does the person you’re interviewing understand their impact (positive and
negative) on the organization’s FSMS?

Potential auditor questions:

- Does your site have a Food Safety Policy? What is your understanding of it?
- How can you personally impact Food Safety? (job and person)
- Who would you talk to if you had a concern with Food Safety? (then ask that
person what they would do with this information)
- How does your management alert you re Food Safety concerns (such as
chemical control, cleaning, audit results, Food Defense, etc.)?
7.4.1 COMMUNICATION - GENERAL

2005 Reference: Partially covered by 6.2.2

Additional requirements regarding the scope of the internal and external

communications have been added. Understanding of effective communication
requirements have been included under this clause.

There has to be a clear decision on whether, what and how to communicate.

7.4.2 EXTERNAL COMMUNICATION

2005 Reference: Partially covered by 5.6.1

Additional requirements have been added in regards to the external

communication related to customers/consumers.

The term suppliers has been changed to external provider.

The issues that need to be communicated are now to be defined in a previous

step (clause 7.4.1) by the organization, thus they are not longer restricted only
to issues concerning food safety, but all communication relevant to the FSMS.
7.4.3 INTERNAL COMMUNICATION

2005 Reference: Was 5.6.2, with existing requirements maintained

Personnel qualification has been changed to competencies.

The organization should be able to show how information from internal

communication to/with the Food Safety Team can be tied back to updating of the
FSMS (see 4.4 and 10.3) AND is used as an input to Management Review (see
9.3.2c1)
7.5.1 DOCUMENTED INFORMATION -
GENERAL
2005 Reference: Partially covered by 4.2.1, 5.6.1

Requirement for documented information required by statutory,

regulatory authorities and customers has been added.

Documented statements of the food safety policy and objectives are no

longer mentioned separately under this clause, however the requirements for
this documents are stated under 5.2.2. and 6.2.1
7.5.1 DOCUMENTED INFORMATION –
GENERAL (CONT.)

The term documented information relates to both how to operate a process

(procedure, work instruction, etc.) and evidence of the results achieved
(completed record).

A documented Food Safety Manual is no longer required.

7.5.2 CREATING AND UPDATING

2005 Reference: Partially covered by 4.2.2

Requirement made applicable to all types of documented information (including

records).

Requirements for identification, description and format

7.5.3 CONTROL OF DOCUMENTED INFORMATION

2005 Reference: Partially covered by 4.2.2, 4.2.3

Scope extended for all types of documented information

Organization must control changes to documents AND records.

Documented information of external origin determined by the organization to

be necessary for the planning and operation of the FSMS shall be identified,
as appropriate, and controlled.

A written procedure for controlling documents and records is no longer

required.
8 . 0 O P E R AT I O N
8.1 OPERATIONAL PLANNING AND CONTROL

2005 Reference: New title, Partially covered by 7.1a, 8.3, 8.5.2

The requirements originally included under 7.1 were extended to take into
consideration the implementation of actions defined to address risks
and opportunities (6.1).

Responsibility of the organization to take under control the planned &

unintended changes, as well as outsourced processes has been
added in this clause
8.1 OPERATIONAL PLANNING AND CONTROL
(CONT.)
Part of the PDCA Cycle

Includes the codex Alimentarius 7 principles/12 steps.

Includes reference to control of changes (6.3) and control of outsourced

processes (7.1.6).
8.1 OPERATIONAL PLANNING AND CONTROL
(CONT.)
How does the organization ensure food safe product is consistently realized
through each step in the process (each hand off)?

How do they control the actions put in place to address the risks and
opportunities determined in section 6.1 so they achieve planned outcome?

What process(es) do they have in place to control planned changes? How do

they learn from changes that unintendedly impact their FSMS?

How do they control outsourced processes – external design company,

transportation, warehousing, production competitor used for overflow orders,
etc. – to maintain food safe product to final customer?
8.2 PRE-REQUISITE PROGRAMS
2005 Reference: Partially covered by 7.2

Wording has been changed slightly and appropriateness of the PRP linked to the
context of the organization.

Reference to consider ("should") the applicable ISO/TS document (ISO-

22000:2018 audits only) in the definition of PRP has been added.

Supplier approval and product information/consumer awareness have

been included in the list of minimal PRPs needed by the organization. PRP's
Documented information shall now also specify their selection, applicable
monitoring and verification.
8.2 PRE-REQUISITE PROGRAMS (CONT.)

8.2.1 now requires PRPs are updated to prevent/reduce contamination risk. Did
results of verification activities show a PRP should be updated? Ask for
documented evidence of this planned change.

Section 8.2.3 includes items the organization should consider when establishing
PRPs.

Section 8.2.4 includes the minimum list the organization shall consider when
establishing PRPs:
- supplier approval and assurance added (8.2.4f) – was “management of purchased
materials”
- Product information/consumer awareness – new! (8.2.4k)
8.3 TRACEABILITY SYSTEM

2005 Reference: Partially covered by 7.9

Wording has been changed, minimum requirements when establishing a

traceability system have been added (including reworking).

Requirement for verification and testing of the effectiveness of the

traceability system has been added.

A note has been added regarding the reconciliation of quantities of end

products & ingredients.
8.3 TRACEABILITY SYSTEM (CONT.)

Now includes requirements for taking rework into account and ensuring
retention time of records related to the shelf life of the products.

Reconciliation of quantities of end products with the quantity of ingredients

should be considered. Is the organization tracking scrap?

The organization MUST verify and test the effectiveness of the

traceability system. If records show the system was not effective (did not
meet organization’s planned results), what did they do about this?
- Organization’s system shall be challenged with a trace exercise during the audit
8.4 EMERGENCY PREPAREDNESS AND
RESPONSE
2005 Reference: Partially covered by 5.7

Responsibility is still assigned to top management.

The word accidents has been changed to incidents.

A requirement for documented information regarding the management of these

situations has been included. Procedures to respond to these situations are still
required
8.4 EMERGENCY PREPAREDNESS AND
RESPONSE (CONT.)
Documented information shall be established and maintained to manage
situations and incidents that have occurred.

Documented information must be reviewed and, where necessary, updated after

the occurrence of any incident, emergency situation or test.

The organization should periodically test procedures, where practical. An annual

fire drill is not good enough. Was the test a success, or did it reveal an
unintended impact that requires a revision to procedures?
8.5.1 PRELIMINARY STEPS TO ENABLE
HAZARD ANALYSIS
2005 Reference: Partially covered by 7.3. Description of process steps and control measures
(7.3.5.2) has been replaced by Description of process and process environment, and the scope of
the requirements has been extended to include additional descriptions.Variations from expected
seasonal changes & shift patterns shall also be included.

Requirements related to the competence of the Food Safety Team have been
relocated to Clause 7.2 Competence.

General: Minimum relevant information to be considered when

conducting the Hazard Analysis has been added.
8.5.1 PRELIMINARY STEPS TO ENABLE
HAZARD ANALYSIS (CONT.)
Characteristics Raw Material: Source (e.g. animal, mineral or
vegetable) has been included in the list of characteristics of raw materials and
clarification given in regards to place of origin.

Characteristics end product: wording such as Methods of distribution

and delivery has been added.

Flow Diagrams: Inputs and Outputs to be detailed in the flow diagrams have
been extended and the on-site verification requirements described separately
(8.5.1.5.2).
8.5.1 PRELIMINARY STEPS TO ENABLE
HAZARD ANALYSIS (CONT.)
8.5.1.4 Intended use: Groups of consumers/users, especially those known to be
especially vulnerable to specific food safety hazards, shall be identified (was
considered).

8.5.1.5.1 Preparation of the flow diagrams: c) has added processing aids,

packaging materials and utilities to be included in flow diagrams (as appropriate)

8.5.1.5.3 Descriptions of processes and process environment: the number of

issues the Food Safety Team must address when describing processes for the
hazard analysis has been greatly expanded.
8.5.1 PRELIMINARY STEPS TO ENABLE
HAZARD ANALYSIS (CONT.)
The number of issues that the food safety team must address when describing
processes for the hazards analysis was expanded to include:
8.5.2 HAZARD ANALYSIS

2005 Reference: Partially covered by 7.4

Hazard identification & acceptable levels: internal epidemiological/ scientific/

historical data shall also be used as an input in the identification of hazards, as well as
statutory/regulatory/customer requirements. Clarification Notes have been
added. Recommendation to consider hazards in sufficient detail has been added.
Requirement to use the pre-defined flow diagram has been added in alignment to
the Codex.

Hazard Assessment: The word elimination of food safety hazards has been
removed. Requirement to identify significant food safety hazards has been
included.
8.5.2 HAZARD ANALYSIS (CONT.)
Selection of control measures:
The word elimination (re food safety hazards) has been removed and the wording
significant food safety hazards has been added to scope of application of this
sub-clause.

Also clarification on control measures to be managed as OPRPs or as CCPs,

(replacement of the words HACCP plan. CCP and OPRP to be managed via a
Hazard Control Plan).

Inputs for conducting the assessment & categorization of control measures have
been extended to include feasibility of establishing measuring Critical Limits and
applicability of timely corrections. External requirements that can impact the choice
and strictness of control measures shall be documented.
8.5.2 HAZARD ANALYSIS (CONT.)

8.5.2.2.2 has strengthened identification of step(s) (e.g. receiving raw materials,

processing, distribution and delivery) at which each food safety hazard can be
present, be introduced, increase or persist.

When identifying hazards, the organization shall consider:

a) the stages preceding and following in the food chain;
b) all steps in the flow diagram;
c) the process equipment, utilities/services, process environment and persons.
8.5.3 VALIDATION

2005 Reference: Partially covered by 8.2 and 7.6

Wording has been changed to clarify that validation applies to both single
control measures and combinations of control measures.

Requirement to maintain the validation methodology and evidence of

capability has been added.
8.5.4 HAZARD CONTROL PLAN

2005 Reference: Partially covered by 7.5 and 7.6

The HACCP plan and OPRP document have been combined in a single
document called Hazard Control Plan. Requirements for both OPRP and
CCP (monitoring, critical limits/action criteria/ corrections/corrective actions)
have been combined under this clause (8.5.4)

Action Criteria definition has been included as a requirement for OPRP as

well as specific requirements to define them.
8.5.4 HAZARD CONTROL PLAN (CONT.)

The input of monitoring methods has been added as an additional option

next to monitoring devices.

For OPRPs, equivalent methods of verification of reliable measurements are

now permitted in place from calibration methods.

Requirements for actions to be taken are not only applicable for when critical
limits are not met but also when action criteria is not met.
8.5.4 HAZARD CONTROL PLAN (CONT.)

8.5.4.2 Determination of critical limits and action criteria contains a key change
to the standard.
- It clarifies the difference between CCPs and oPRPs
- Monitoring of a CCP is a measurable critical limit
- Monitoring of an oPRP is a measurable or observable action criteria
8.6 UPDATING INFORMATION SPECIFYING
THE PRP AND HAZARD CONTROL PLAN
2005 Reference: Partially covered by 7.7

Change in wording to substitute HACCP Plan & OPRP for Hazard Control Plan.

Additional information has been added in the outputs of the update process
8.7 CONTROL OF MONITORING & MEASURING

2005 Reference: Partially covered by 8.3

The scope of application of 8.7 has been clarified: methods and equipment
related to PRP and hazard control plan.

Frequency of calibration/verification has been modified to specified intervals

prior to use.

Requirements for validation of software used in monitoring and measuring

within the FSMS have been added, including documented information in
validation activities. updates and management of changes of the software.
8.8 VERIFICATION RELATED TO PRP AND
THE HAZARD CONTROL PLAN
2005 Reference: Partially covered by 7.8, 8.4.2

The activities to be covered by the verification activities have been extended:

effectiveness of PRPs has been added and Hazard Control Plan replaces
the terms HACCP Plan and oPRP.

Requirement for impartiality of person conducting the verification has

been added (not the same person that performs the monitoring).

Application of corrective actions has been included in case potentially

unsafe product is detected via the verification activities.
8.8 VERIFICATION RELATED TO PRP AND
THE HAZARD CONTROL PLAN (CONT.)

PRP verification not only confirms PRP was implemented but also that it is
effective.

Person performing verification activities can not be a person who is involved in

the monitoring of that PRP.
8.9 CONTROL OF PRODUCT AND PROCESS
NONCONFORMITIES
2005 Reference: Partially covered by 7.10

Corrections/ Corrective Actions: Actions to review the non-conformance

identified by regulatory inspections reports & consumer complaints have been
added. The term action criteria has been defined as a trigger of
corrections/Corrective Actions.

The wording "evaluating the need for action to ensure that non conformities do
not recur" has been replaced with determining & implementing actions to
ensure...
8.9 CONTROL OF PRODUCT AND PROCESS
NONCONFORMITIES (CONT.)
Handling of potentially unsafe products:
Requirement clarified for evaluating each lot of affected product.

Requirement added for not releasing product affected by failure to meet

critical limits at a CCP, leaving the evaluation for release only applicable to
products that fail to comply with the action criterion of an OPRP.

Requirement added to retain as documented information the results of the

evaluation of release.
8.9 CONTROL OF PRODUCT AND PROCESS
NONCONFORMITIES (CONT.)
An additional potential disposition of non-conforming product has been added
(redirected for other use) & requirement to retain documented information.

Withdrawal/Recall: Separation between withdrawal and recall has been

made, applicability for requirements under 8.9.5 is for both processes.
8.9 CONTROL OF PRODUCT AND PROCESS
NONCONFORMITIES (CONT.)
When nonconformity of a product is related to critical limits at CCPs that
product is potentially unsafe and shall not be released.

When nonconformity of a product is related to action criteria for oPRPs that

product may be released, provided the requirements of 8.9.2.3 are successfully
met.

Documented information must be retained!

9 . 0 P E R F O R M A N C E E V A L U AT I O N
9.1 MONITORING, MEASURING, ANALYSIS
AND EVALUATION

2005 Reference: New section title, Partially covered by 8.4.2 and 8.4.3

General: organization must determine what, when and how they will monitor and
measure, and who and when will these results be analyzed and evaluated. Results
must be retained as documented information.
9.2 INTERNAL AUDITS

2005 Reference: Partially covered by 8.4.1

Inputs for generating the audit program have been extended: changes in the
FSMS & results of monitoring and measurement shall be taken into
account to develop the audit program.

Requirement added to ensure that the results of the audit are reported to
the FS Team & relevant management.

Requirement added related to determining if the FSMS meets the intent of

the food safety policy & objectives as part of the internal audit process.
9.2 INTERNAL AUDITS (CONT.)

Importance of the Processes: these vary but may include management

review, corrective action, internal audit, actions to address risks and
opportunities, operational planning, and objectives.

Changes Affecting Organization: Unique situations could warrant additional

audits. High turnover - competence and awareness. Significant building/equipment
upgrades – food defense and visitor/contractor competence. Loss of major
customer – operational planning/control and control of product/process
nonconformities.
9.3 MANAGEMENT REVIEW

2005 Reference: Partially covered by 5.2, 5.8

MR Inputs: The structure and number of inputs for the management review have
been amended. Additional inputs have been included, and a number of inputs
grouped under a general input of information on the performance &
effectiveness of the FSMS.

MR Outputs have also been amended to include specific actions/decisions

related to continual improvement opportunities and the need for
updates & changes in the FSMS
9.3 MANAGEMENT REVIEW (CONT.)

Management Review should be about site management looking for trends (in
such functions as customer satisfaction, internal/external audits, internal/external
corrective action, etc.) NOT just a listing.

Did actions to address risks and opportunities (from section 6) achieve intended
results? If they did, how was it documented in MR minutes? If they did not, how
were actions updated and revised?
10.0 IMPROVEMENT
10.1 NON CONFORMITY AND CORRECTIVE
ACTION
2005 Reference: New section

New clause specifying requirements to deal with non-conformities within the

organization, including the requirement to determine if similar non
conformities could potentially occur (preventive actions)

Site management should not react to a customer’s complaint in a vacuum. They

should be looking at similar internal/external issues in other areas of the
organization and trends.
10.1 NON CONFORMITY AND CORRECTIVE
ACTION (CONT.)
Three types of evidence for you to review:
1) Does the action relate to the root cause?
2) Was the action actually implemented?
3) Was the action effective in preventing the recurrence of the problem?

How is site management reviewing the effectiveness of the corrective

action(s)? This is NOT a verification that the action was implemented (i.e.Yes,
training was completed on 01/01/19).
10.2 CONTINUAL IMPROVEMENT

2005 Reference: Partially covered by 8.1 , 8.5.1

Requirement extended to include the improvement of the suitability and

adequacy of the FSMS, not just the effectiveness.

What Opportunities for Improvement are site management working on? These
should come from Management Review inputs and outputs, including actions to
address risk, plans to achieve objectives, and/or address customer feedback.
10.3 UPDATE OF THE FSMS

2005 Reference: 8.5.2

Wording changes slightly according to new terms & titles

Did these Continual Improvements achieve the intended result(s)? If so, how did
site management update the FSMS (focus on section 9.1, 9.3)? If not, how has
management adjusted their planning (section 6)?
QUESTIONS?
QUIZ TIME!