Article:
Integrating ISO 9001 and ISO 22000
HACCP is a systematic process that prevents food safety incidents by building food safety controls into the food manufacturing process. Since the development of HACCP in the late 1950s, HACCP has continuously evolved to improve the system’s effectiveness. ISO 22000:2005 is the latest step in this evolution. This standard defines all of the requirements of a state of the art food-safety-management system and is fully compatible with ISO 9001:2000.
ISO 22000 and ISO 9001 provide mechanisms for food processors wishing to make their food safety and quality management systems more robust. These standards ensure the development of a management system that uses both a systems and a process approach.
HACCP is the internationally recognized food safety system to ensure the production of safe food. Over the last 50 years, HACCP evolved from three principles to five preliminary steps and seven principles that are supported by prerequisite programs (Table 1). During this time, the basic concept of HACCP has remained unchanged. Food safety cannot be inspected into the product. Food safety must be built into the product.
In 1989, the United States National Advisory Committee on Microbiological Criteria for Foods (NACMCF) published HACCP guidelines in the United States. These guidelines became the U.S. de-facto HACCP standard. In addition, these guidelines were revised in 1993 and 1997. The Codex Alimentarius Commission (Codex) published HACCP guidelines as an annex to the Basic Text on Food Hygiene. This Codex standard became the de-facto international HACCP standard. Both of these documents are equivalent and written in guidance format. The standards assist food processors to implement a HACCP program.
As consumers around the world demanded safer food, HACCP requirements were incorporated into the regulations that govern food processing and into customer purchasing requirements. As a result, customer sanitation audits were expanded to address HACCP requirements.
Food Safety audits are expensive and time consuming for both the customer and the supplier. There has been a movement to require suppliers to obtain third party certification of the quality and food-safety-management systems. Examples of third party audits and certifications include:
- Food Marketing Institute and SQF program
- Food Products Association and FPA-Safe Food Audit
- British Retail Consortium and the BRC Global Standard
- CIES - The Food Business Forum and the Global Food Safety initiative
Table 1: Highlights in the development of food-safety-management systems
| 1959 | Pillsbury develops HACCP for the manned space program. HACCP consists of three principles. |
| 1971 | The Pillsbury Company presents the concept of HACCP to the US food processing industry |
| 1974 | HACCP principles incorporated into the United States Low Acid Canned Food Regulations |
| 1985 | The United States National Academies of Sciences publishes “An evaluation of the role of microbiological criteria for foods and food ingredients” and recommends the incorporation of HACCP into food processing regulations |
| 1989 | Publication of the seven principles of HACCP by the United States NCMCF |
| 1992 | United States NACMCF revises HACCP to include the five preliminary steps and the prerequisite programs |
| 1993 | Codex Alimentarius publishes HACCP guidelines |
| 1993 | Codex Alimentarius Commission incorporates HACCP concepts into the Recommended International Code of Hygienic Practice for Low-Acid and Acidified Low-Acid Canned Foods |
| 1995 | The United States Food and Drug Administration issues Seafood HACCP rule |
| 1996 | The United States Department of Agriculture issues the pathogen reduction and HACCP rule for meat and poultry |
| 1997 | Codex Alimentarius Commission and United States NACMCF revise HACCP guidelines |
| 1998 | Food and Agriculture Organization and the World Health Organization publish guidance for regulatory assessment of HACCP |
| 1990s | Australia, Ireland, the Netherlands, Germany, Denmark and the United States develop national HACCP standards. Private organizations develop HACCP standards. Third party certifications of HACCP programs are established. |
| 2002 | The United States Food and Drug Administration issues the Juice HACCP rule |
| 2005 | Publication of ISO 22000 – Food Safety management system - requirements |
| 2006 | The European Union issues mandatory HACCP legislation requiring food processors to implement HACCP |
Source: ISO, 2005
International Standards
International food standards are critical to facilitate global trade. The standards provide a common definition for products and processes. This reduces misinterpretation of customer requirements across national and language borders.
International standards for food products are developed by two standard organizations. Codex publishes international standards that can be used to develop national laws and regulations. These standards typically have a long time frame between reviews.
The International Organization for Standardization (ISO) develops standards that are driven by marketplace needs. The ISO standards describe the state of the art for products, services, process, materials and systems, and conformity assessment. As a result, the standards are developed in a relatively short time frame. In addition, the standards are required to be reviewed every five years. As part of the review process, a recommendation must be made to renew, revise or withdraw the standard. This process ensures the standard does not become a technical barrier to trade.
In 2001, Working Group 8 of ISO Technical Committee 34 undertook a project to define the requirements for a food-safety-management system. The standard has the following characteristics:
- Focus only on a food-safety-management system (quality management systems are addressed in ISO 9001).
- Usable by all organizations in the food chain.
- Combine the recognized food safety system elements as defined by Codex.
- Provide an auditable standard that can be used as part of third party certification. (The standard can also be used by a food processor to develop a food-safety-management system.)
- Allow food safety control to be achieved through either the HACCP plan or through operational prerequisite programs.
- Ensure that the process used to control food safety is validated, verified, implemented, monitored and managed.
In September, 2005, ISO published ISO 22000 (Food safety management systems -- Requirements for any organization in the food chain).
ISO 22000 Structure
ISO 22000 is written as a management system standard. As a result the standard addresses the following elements:
- Policy
- Planning
- Implementation and operations
- Performance assessment
- Improvement
- Management review
Table 2 shows the structure of ISO 22000.
Table 2: ISO 22000 Structure
| Element | Description |
|---|---|
| 4 | Food-safety-management system |
| 4.1 | General requirements |
| 4.2 | Documentation requirements
|
| 5 | Management responsibility |
| 5.1 | Management commitment |
| 5.2 | Food safety policy |
| 5.3 | Food-safety-management system planning |
| 5.4 | Responsibility and authority |
| 5.5 | Food safety team leader |
| 5.6 | Communications
|
| 5.7 | Emergency preparedness and response |
| 5.8 | Management review
|
| 6 | Resource management |
| 6.1 | Provision of resources |
| 6.2 | Human resources
|
| 6.3 | Infrastructure |
| 6.4 | Work environment |
| 7 | Planning and realization of safe products |
| 7.1 | General |
| 7.2 | Prerequisite programs |
| 7.3 | Preliminary steps to enable hazard analysis
|
| 7.4 | Hazard analysis
|
| 7.5 | Establishing the operational prerequisite programs |
| 7.6 | Establishing the HACCP plan
|
| 7.7 | Updating of the preliminary information and documents specifying the prerequisite programs and the HACCP plan |
| 7.8 | Verification planning |
| 7.9 | Traceability system |
| 7.10 | Control of nonconformity
|
| 8 | Validation, verification and improvement of the food-safety-management system |
| 8.1 | General |
| 8.2 | Validation of control measure combinations |
| 8.3 | Control of monitoring and measuring |
| 8.4 | Food-safety-management system verification
|
| 8.5 | Improvement
|
Source: ISO, 2005
The ISO 22000 framework focuses on three major issues
- Incorporates Codex HACCP.
- Strengthen the linkage of prerequisite programs (PRPs) to the food-safety-management system.
- Defines management activities to ensure a vibrant management system.
ISO 22000 incorporates the five preliminary steps and the seven principles of Codex HACCP (Table 3). Thus, any organization that is certified to ISO 22000 has met all of the requirements of Codex HACCP.
Table 3: Comparison of Codex HACCP requirements with the elements of ISO 22000
| Codex HACCP | ISO 22000 | ||
|---|---|---|---|
| Step | Description | Element | Description |
| Preliminary Step 1 | Assemble the HACCP team | 7.3.2 | Food safety team |
| Preliminary Step 2 | Describe the product | 7.3.3 | Product characteristics |
| Preliminary Step 3 | Identify intended use of the product | 7.3.4 | Intended use |
| Preliminary Step 4 | Construct a flow diagram | 7.3.5.1 | Flow diagram |
| Preliminary Step 5 | Conduct an on-site verification of the flow diagram | 7.3.5.1 | Flow diagram |
| Principle 1 | Conduct a hazard analysis | 7.4 | Hazard analysis |
| Principle 2 | Determine Critical Control Points (CCPs) | 7.6.2 | Identification of critical control points (CCPs) |
| Principle 3 | Establish critical limits for CCPs | 7.6.3 | Determination of critical limits for critical control points |
| Principle 4 | Establish a monitoring system for CCPs | 7.6.4 | System for monitoring critical control points |
| Principle 5 | Establish corrective actions | 7.6.5 | Actions when monitoring results exceed critical limits |
| Principle 6 | Establish verification procedures | 7.8 | Verification planning |
| Principle 7 | Establish documentation and record keeping | 4.2 | Documentation requirements |
Adapted: ISO, 2005
ISO 22000 clarifies the role of prerequisite programs in the food-safety-management system. The prerequisite programs support and ensure the effectiveness of the HACCP plan. Food safety professionals do not agree on a standard list of prerequisite programs. However, all of the prerequisite programs have four things in common:
- They address indirect food safety issues
- They cover general programs related to food safety
- They can be applied to multiple production lines
- Momentary failure to meet a prerequisite program seldom results in a food safety hazard.
The critical aspect is that frequent and/or sustained breakdown of a prerequisite program may result in a food safety hazard. From a management-standards perspective, prerequisite programs cover a wide variety of elements of the food-safety-management system including facilities, training, and good manufacturing practices. As a result, the prerequisite programs must be properly designed, implemented, verified, and/or monitored for continued effectiveness. However, many of the prerequisite programs do not lend themselves to the traditional form of validation, verification, and monitoring. The PRPs describe the environment that allows a food-safety-management system to function properly.
ISO 22000 defines the management activities needed to achieve a food-safety-management system. The standard requires the documentation of a quality policy with measurable objectives. Examples of measurable objectives could include objectives to reduce the amount of foreign matter complaints by 20% or improve third-party audit scores by 10%.
Management review ensures the continued effectiveness of the food-safety-management system. The review goes beyond verifying the efficiency of the management system. Management review provides top management with a system to exchange new ideas regarding food safety and generates open discussion and evaluation of the food-safety-management system. The output of management review should provide the data for planning performance improvements of the food-safety-management system, and performance objectives for products and processes. In addition, management review generates recommendations for improvement in the structure of the food-safety-management system, allocation of resources, mitigation of plans for identified risks, and strategic planning for future needs of the organization with respect to food safety requirements.
The responsibilities of the food safety team leader go beyond managing the food safety team. The team leader is responsible for ensuring the relevant training and education of the food safety team members and for ensuring that the food-safety-management system is established, implemented, maintained and updated. This individual reports to top management on the effectiveness and suitability of the food-safety-management system regardless of other assigned duties.
Integrating Quality Management Systems and Food Safety Management Systems
The scope of ISO 22000 is food safety, while the scope of ISO 9001 is food quality. ISO 22000 can be used in two ways:
- It can be used as a stand alone standard for an organization that wants to develop a state of the art food-safety-management system.
- It can be used with ISO 9001 to develop a management system that addresses both food safety and quality issues.
There are several major differences between ISO 22000 and ISO 9001.
- ISO 22000 does not permit exclusions of any element.
- ISO 9001 is a general standard that can be applied to any organization. ISO 22000 is a sector specific standard that describes a specific process to develop a food-safety-management system.
- ISO 22000 assumes that the organization developed the product concept and subsequent manufacturing process.
- ISO 22000 assumes that the organization has selected suppliers and the suppliers are capable of meeting quality requirements.
- ISO 22000 assumes that both a verification plan and a control plan have been established that will meet customer requirements.
- ISO 22000 assumes that existing processes have been validated with respect to meeting quality requirements.
Table 4 compares ISO 9001 and ISO 22000. The word “equivalent” is used when there are differences between the wording of the standard and the intent is identical. Some of the elements are in different locations in both standards. In addition, food safety requirements are both a customer and a regulatory issue. ISO 22000 has numerous references requiring the organization to meet all food safety statutory, regulatory and customer requirements. This table is not an official comparison but serves as a guide to allow the reader to develop an understanding of how to use both standards in parallel to develop effective management systems. In addition, it should be noted that differences exist between the element numbers of ISO 9001 and ISO 22000.
Table 4: Comparison of ISO 9001 and ISO 22000
| ISO 9001 | ISO 22000 | Notes | ||
|---|---|---|---|---|
| 4.1 | General requirements | 4.1 | General requirements | Equivalent |
| 4.2 | Documentation requirements | 4.2 | Document requirements | Similar but not equivalent. ISO 22000 is more prescriptive on the types of documents needed to manage the food-safety-management system (FSMS). These requirements are in alignment with the current practice of HACCP. |
| 4.2.1 | General | 4.2.1 | General | ISO 22000 does not require the development of a FSMS manual. |
| 4.2.2 | Quality manual | A food safety manual is not required by ISO 22000 | ||
| 4.2.3 | Control of documents | 4.2.2 | Control of documents | Identical requirements |
| 4.2.4 | Control of records | 4.2.3 | Control of records | Identical requirements |
| 5.1 | Management commitment | 5.1 | Management commitment | ISO 22000 element 5.2 addresses a food safety policy |
| 5.2 | Customer focus | Equivalent requirement in ISO 22000 is element 5.1(b) | ||
| 5.3 | Quality policy | 5.2 | Food Safety policy | ISO 22000 requires that the food safety policy be supported by measurable objectives rather than being used as a framework for establishing objectives. The food safety policy must state a commitment to meeting regulatory and statutory requirements. In addition, the policy must make a commitment to both external and internal communications. |
| 5.4 | Planning | 5.3 | Quality management system planning | See below |
| 5.4.1 | Quality objectives | Equivalent – Addressed in ISO 22000 element 5.3 | ||
| 5.4.2 | Quality management system planning | 5.3 | Quality management system planning | Identical requirements |
| 5.5 | Responsibilities authority and communications | 5.4 | Responsibility and authority | See below |
| 5.5.1 | Responsibility and authority | 5.4 | Responsibility and authority | ISO 22000 has added requirements - personnel with responsibilities to report food safety problems report must do this function to identified individuals. In addition, designated individuals shall have responsibility and authority to initiate and record actions. |
| 5.5.2 | Management representative | 5.5 | Food safety team leader | ISO 22000 requires the food safety team leader to manage the work of the food safety team and ensure that the team members have relevant education and training. There is no requirement for the team leader to promote customer requirements through the organization. |
| 5.6.1 | External communications | ISO 9001 element 7.2.3 is a similar requirement in that it addresses customer communications. ISO 22000 requires that issues concerning food safety are communicated throughout the food chain. In addition, 22000 requires that statutory, regulatory, and customer food safety requirements are available. The requirement also defines responsibilities and authorizes for external communication | ||
| 5.5.3 | Internal communication | 5.6.2 | Internal communications | ISO 22000 has further defined the communication needs to ensure the effectiveness of the FSMS. The standard has requirements that internal communication shall be used for updating the FSMS and relevant information generated during this process be included in management review |
| 5.7 | Emergency preparedness | There are no specific parallel requirements in ISO 9001. ISO 22000 requires a system to manage situations and accidents that impact food safety | ||
| 5.6 | Management review | 5.8 | Management review | There are slight differences between the two standards. ISO 22000 require that an analysis of verification activities be conducted. In addition, ISO 22000 has a requirement for review of emergency situations, accidents, and withdrawals. The output of 22000 includes a review of the food safety policy and related objectives |
| 6 | Resource management | 6 | Resource management | ISO 22000 is based on Codex HACCP or the world’s definition for HACCP. Codex HACCP uses the term prerequisite programs. Prerequisite programs are any activity that is needed for the food safety system that is not part of the five preliminary steps of HACCP or the seven principles of HACCP. These parts of HACCP are covered in ISO 22000 elements 4.2. 7.3, 7.4, 7.6, 7.7, and 7.8). The prerequisite programs create the environment so that the organization can produce safe food. |
| 6.1 | Provision of resources | 6.1 | Provision of resources | Equivalent |
| 6.2.1 | General | 6.2.1 | General | ISO 22000 has record requirements for external experts used to develop the food-safety-management system |
| 6.2.2 | Competence awareness and training | 6.2.2 | Competence awareness and training | ISO 22000 has two additional requirements. Individuals responsible for monitoring, corrections and corrective actions are trained. Food safety requirements is communicated to individuals that can impact food safety |
| 6.3 | Infrastructure | 6.3 | Infrastructure | Specific requirements for infrastructure and work environment are defined in detail in ISO 22000 element 7.2. These requirements are presented in more detail. |
| 6.3 | Work environment | 6.4 | Work environment | |
| 7 | Product realization | 7 | Planning and realization of safe products | There are major differences between ISO 22000 and ISO 9001 in elements 7 and 8. ISO 22000 is a very specific process that is based on the twelve steps of Codex HACCP (Table 1). In the planning stage, ISO 22000 requires hazard analysis to be conducted on all hazards likely to occur in the food product. Hazard analysis has the same root origins as Failure Mode and Effect Analysis (FMEA). No exclusions of elements are permitted by ISO 22000. ISO 9001 defines a generic quality management system. There is no specific requirement for a risk analysis to be conducted during the planning stage. Under certain specified conditions, exclusions are permitted in element 7. Both standards achieve product realization by validating, verifying and monitoring processes. |
| 8 | Measurement analysis and improvement | 8 | Validation, verification and improvement of the food-safety-management system | |
| 7.1 | Planning of product realization | 7.1 | General | The two standards are equivalent in their requirements. ISO 22000 element 7.1 is a general requirement while ISO 9001 element 7.1 contains specific requirements. The specific requirements contained in ISO 9001 element 7.1 are addressed throughout element 7 of ISO 22000. Verification planning is addressed in ISO 22000 element 7.5. This element is more specific than ISO 9001 element 7.1 |
| 7.2 | Customer related process | ISO 22000 assumes that the organization has developed a product and a process to manufacture the product. In addition ISO 22000 assumes that the organization has selected the suppliers for the product and developed a system to assess the capability of the suppliers to provide adequate products. ISO 22000 requires communication with suppliers and customers with regard to food safety issues (element 5.6.1), knowledge of the raw products with regard to food safety issues (element 7.3.3.1) knowledge of the characteristics of the end product with regard to food safety issues (element 7.3.3.2) and the intended use of the end product (element 7.3.4). | ||
| 7.3 | Design and development | |||
| 7.4 | Purchasing | |||
| 7.2 | Prerequisite programs | Prerequisite programs are given special attention in ISO 22000, because these programs must be implemented, managed and verified. ISO 22000 is more specific than the requirements in ISO 9001 elements 6.3 and 6.4 | ||
| 7.3 | Preliminary steps to enable hazard analysis | These are the elements that contain the five preliminary steps and seven principles of Codex HACCP | ||
| 7.4 | Hazard analysis | |||
| 7.6 | Establishing the HACCP plan | |||
| 7.5 | Establishing the operational prerequisite programs (PRPs) | Operational prerequisite programs are programs that can control the likelihood of introducing food safety hazards in a product. This requirement is not addressed in ISO 9001 | ||
| 7.7 | Updating of preliminary information and documents specifying the PRPs and the HACCP plan | This requirement is not addressed in ISO 9001. | ||
| 7.8 | Verification panning | See comments under ISO 9001 element 7.1 | ||
| 7.5.3 | Identification and traceability | 7.9 | Traceability system | Equivalent – ISO 22000 has specific requirements to identify materials from immediate suppliers and the initial distribution of end product. |
| 7.5.4 | Customer property | Not addressed in ISO 22000. | ||
| 7.5.5 | Preservation of product | Not specifically addressed in ISO 22000. The food safety control measures are activities that can be taken to eliminate or prevent a food safety hazard or reduce it to an acceptable level. They are identified in 7.4.3 | ||
| 8.1 | General | 8.1 | General | Equivalent |
| 7.6 | Control of monitoring and measuring devices | 8.3 | Control of monitoring and measuring | Equivalent |
| 8.2.1 | Customer satisfaction | Not addressed in 22000 | ||
| 8.2.2 | Internal audit | 8.4.1 | Internal audit | Equivalent |
| 8.3 | Control of nonconforming product | 7.10.3 | Handling of potentially unsafe product | ISO 9001 element 8.3 is equivalent to ISO 22000 element 7.10.3.1. In addition, 22000 has added requirements for evaluation of potentially unsafe products prior to release and the withdrawal of unsafe product from the marketplace. |
| 8.3 | Control of nonconforming product | 7.10.1 | Corrections
| Similar but not equivalent – a food safety hazard must be eliminated or reduced to an acceptable level before the product can be released. Concessions cannot be made if the product is potentially unsafe. |
| 8.4 | Analysis of data | 8.4.2 | Evaluation of individual verification results | Equivalent |
| 8.4.3 | Analysis of results of verification activities | |||
| 8.5.1 | Continual improvement | 8.5.1 | Continual improvement | ISO 22000 specifies how continual improvement is to be done. |
| 8.5.2 | Corrective action | 7.10.2 | Corrective actions | Equivalent – in addition ISO 22000 specifies the review of trends in monitoring results. |
| 8.5.3 | Preventative action | 8.5.2 | Updating the food-safety-management system | Similar but not equivalent - HACCP by its inherent design is a system to prevent food safety hazards. However, the ISO 22000 recognizes that new food hazards emerge and new technologies to control hazards are developed. Therefore, ISO 22000 uses a systems approach to prevent new hazards from occurring in the organizations process. |
Source ISO, 2005
In implementing both ISO 9001 and ISO 22000, food processors must determine the extent of integration between the two management systems. Options include:
- Development of two independent but parallel management systems
- Development of two separate systems that share common processes
- Development of a single fully integrated management system
The structure chosen depends on a number of factors including:
- The extent of corporate culture and politics that support integration of multiple management systems
- The extent of incorporating food-safety-management system requirements into the existing quality management system
- The level of competency needed to implement and maintain an integrated quality and food-safety-management system
- Any implications with regard to legal and regulatory concerns
Summary
ISO 22000 provides a number of advantages to food processors that would like to improve their food-safety-management system. The standard ensures that the food-safety-management system uses a systems approach to the management of food safety. In addition, the standard is fully compatible with an ISO 9001 based quality management system. ISO 22000 provides a better understanding of Codex HACCP. The auditable form allows a food processor to easily determine if there are deficiencies in an existing food-safety-management system.
References:
, 2000, ISO 9001:2000 Quality management systems - Requirements, International Organization for Standardization, Geneva, Switzerland
, 2005, ISO 22000:2005 Food safety management systems - Requirements for any organization in the food chain, International Organization for Standardization, Geneva, Switzerland
Author:
John G. Surak can be reached at jgsurak@yahoo.com and 1-864-506-2190.
 back to top
|
 |