24 Aug 2017 FSSC 22000 4.1 – the game changer is unannounced audits!
In December 2016, FSSC 22000 launched version 4 of its international food safety and quality management system certification Scheme. Well known food safety expert, Linda Jackson of Food Focus, advises what will you have to do to comply.
This version introduced several new requirements, the most notable of all being unannounced audits. But that’s not all…
In the months after publication there were several developments that influenced the drafting of FSSC 22000 version 4.1. These have included:
- The publication of GFSI Benchmarking Requirements document version 7.0 in March 2017 and version 7.1 in May and the expected release of version 7.2
- The evaluation of FSSC 22000 version 4.1 against European Accreditation (EA) procedure EA-1/22 led by the Dutch Accreditation Council (RvA)
- Need for clarification and correction of the text of FSSC 22000 version 4.0 due to feedback received from industry, certification and accreditation bodies.
And so, on July 27, 2017, another press release indicating the release of a further update in this regard.
The FSSC 22000 scheme documents consist of :
- Part 0 – Definitions
- Part 1 – Scheme overview
- Part 2 – Requirements for certification
- Part 3 – Requirements for certification process
- Part 4 – Requirements for CBs
- Part 5 – Requirements for Abs
There are some changes to all the documents
Part 0 – Definitions
The addition of several new definitions (derived from GFSI BRv7.1) and some improvement in the text of several definitions including food, minor and major nonconformity and a new term “black out day” – interesting concept and more about it later.
Part 1 – Scheme overview
The following scopes are added: Transport and storage services, Catering, Retail and Several new reference documents were added: ISO/TS 22002-6 PRP’s for animal feed, ISO/TS 22002-2 for catering, BSI PAS 221– PRP’s for retail and NEN NTA 8059 – PRPs for transport and storage. This broadens the scope of the scheme and even makes way for the retailers to lead the way in certification – wonder when that will happen!
The good news is that distribution centres and other distribution companies can now join the party. The following examples would fit the new scope:
- Organisations specialised in transport and storage services (eg products are handled by organisation but legally owned by its customer)
- Product are legally owned by organisation and handled by own transport and/or storage facilities (eg packing / repacking activities without altering the product or its primary packaging)
- Transport & storage activities of certified manufacturing organisations do not need a separate certification unless required explicitly by its customer
Part 2 – Requirements for certification
Most of us are most interested in the changes in this section as this is what we actually have to DO!
The following additional requirements are added:
- Food defense
- Food fraud prevention
- Management of allergens
- Product labelling
- Environmental monitoring
The additional requirement for supervision of personnel has been removed as this has been deemed to be covered by ISO 22000 clause 6.2.2.
Get ready for TACCP
Food defense has gone from a PRP requirement only to a full-blown requirement commonly known as “TACCP”.
In order to comply you will have to have a documented and implemented threat assessment procedure that identifies potential threats, prioritises them and defines the controls to remove or mitigate them. A formal food defence plan is needed with all policies, procedures and records.
And there’s VACCP
The same applies for food fraud where you now require a documented and implemented vulnerability assessment procedure to identify potential vulnerabilities, prioritise them and put in place appropriate control measures to reduce or eliminate these identified vulnerabilities. This has often referred to as “VACCP”.
PRPs on steroids
Allergen management is now only applicable to certain scopes and must still include a documented allergen management plan that includes:
- a) risk assessment addressing potential allergen cross contamination;
- b) control measures to reduce or eliminate the risk of cross contamination;
- c) validation and verification of effective implementation.
The organisation shall ensure that an environmental monitoring program is in place to verify the effectiveness of cleaning and sanitation programs which shall meet the verification requirements as described in ISO 22000.
Again, a moot point as this was addressed in the PRP requirements but is now more stringent.
The new requirements come into effect on 1 January 2018. Happy new year!
Unannounced audits – you can run but you can’t hide!
In December 2016, FSSC 22000 has launched version 4 of its international food safety and quality management system certification Scheme. This version introduced several new requirements, the most notable of all being unannounced audits.
The bombshell was dropped and then a deathly silence until 27 July when version 4.1 was issued. A major contributor to the need for this further update was the need for clarification and correction of the text of FSSC 22000 version 4.0 due to feedback received from industry, certification and accreditation bodies.
The questions being HOW, WHEN, WHERE??
The good news – the WHEN
The Certification Body is now required to ensure that for each certified organisation has at least one unannounced audit after the initial certification audit and within each three-year period thereafter.
This will be conducted within 12 months after the (re)certification decision or within 12 months after the last day of the previous announced surveillance audit.
For all the newbies out there, neither the initial certification audit (stage 1 and stage 2) nor the re-certification audit can be replaced by an unannounced audit – whew!
Also, you can agree blackout days for legitimate business reasons. These blackout days may be agreed in advance between the certification body and the certified organisation to avoid periods of extreme inconvenience during which the client would find it difficult to participate fully and/or there is no production such as seasonal products.
The bad news – THE HOW
The certification body sets the date of the unannounced audit – not to you obviously. The site shall not be notified in advance, of the date of the unannounced audit. The unannounced audit takes place during operational working hours including night shifts.
The unannounced audit will be a full surveillance audit during which the auditor must spend at least 50% of his/her time in production area (shop floor) assessing the implementation of the applicable CCPs, PRPs and OPRPs.
The fun and games must start with an inspection of the production facilities commencing within one hour after the auditor has arrived on site. In case of multiple buildings at the site, the auditor will, based on the risks, decide which buildings/facilities shall be inspected in which order.
The auditor must audit the organisation operating on a representative number of product lines covered by the scope of certification.
More bad news – The fine print
The Certification Body decides which of the scheduled surveillance audits will be chosen for the unannounced audit. If you refuse to participate in the unannounced audit, the certificate shall be suspended immediately and the Certification Body will withdraw the certificate, if the unannounced audit is not conducted within a six-month timeframe.
If access is denied to the auditor you will be liable for all costs.
For some reason, head offices controlling certain functions pertinent to certification separate to the site, will not be audited during the unannounced audit but are audited in an announced manner.
Your secondary sites (off-site activities) and off-site storage, warehouses and distribution facilities are also audited during the unannounced audit.
The really good news
The Certification Body is expected to operate discretely in case of emergencies (eg fire, major catastrophic event, another audit in progress – just imagine!)
The ball is in your court to some extent in that you can voluntary choose to replace all surveillance audits by unannounced annual surveillance audits. So, come on then, I dare you!
This will only become operational 1 January 2018.
Make sure you write a procedure for handling unannounced audits and practice it just like a mock recall. Train your people just like you would for dawn raids under the Competition Act. The better prepared you are the easier this will be.
The conclusion
The truth will set you free. Unannounced audits will surely give us a far more realistic appraisal of our food safety management systems. We all suffer from the pre-audit, clean-up frenzy. This process will remove the window dressing.
For those companies who vehemently protest that they don’t participate in such dubious activities and are ready for an audit every day, I guess you will finally get to find out. Ready or not, here they come!