As ISO22000 Certification audits are beginning to occur I thought it may be a good idea to pool our collective experiences, problems and helpful observations.
I am starting this from the perspective of the (despised - I thank you Simon) auditor and have the following points that so far have caused auditees problems:
I appreciate that most of these may not be applicable to your organisation and I would be interested to hear other people's experiences, either auditor or auditee.
- Not carrying out a full audit of ISO22000 before the external auditor arrives
- Not having available the evidence to back up your validation of control measures
- Not distinguishing between PRPs and oPRPs
- Not correctly documenting oPRPs (cover all of the points identified in the standard (clause 7.5))
- Not developing and TESTING the emergency response procedures/processes (as well as the withdrawal process)
- Not confirming the position of any external consultants with regard to the Food Safety Team - If your consultant is not part of the team he cannot help during the audit
- Not covering allergens in the Hazard analysis (check note 3 of definition 3.3) - This is not likely to be a problem for primary producers but may be for restaurants, hotels or transportation companies who have limited experience with this.
- Not being familiar with your specifications and what is required by the standard. If you have an answer when the auditor asks "why is XXX not appropriate to this specification?", as long as it is reasonable most auditors will accept this, but to simply say it is not appropriate will normally not be acceptable and there will be many more questions!
- Not recording external communications - Remember that ALL external communications should be recorded and maintained (5.6.1 paragraph 6 last sentence), i.e. the telephone conversation with a supplier may need to be recorded somewhere; saving e-mails; maintaining inspection records from authorities.
I hope I have given everyone some food for thought?
Reading all the comments about this topic, I can see similarity with the Risk Assessment technique, specifically the Microbiological Risk Assessment technique.
I would like to give my opinion on this.
So far, the pre-implementation validation has been based on guides usually written by governmental and regulatory bodies or based on the best information and data source available.
Do the auditors expect the food industries to have human and technological resources to carry out mathematical models and statistics, epidemiologic studies, a numerical estimate of probability of harm to consumers, a quantified expression of acceptable risks (e.g. 1 hazardous portion/10 million portions)... and all that stuff?
I really appreciate the answer
Regarding post-implementation validation, I think that the industry can do something. We can check if the objectives intended are achieved by our control measures. How? By making a random sampling of the raw, intermediate or end product for example.
So, considering PDCA as
Plan = set the objectives intended (set by government or regulatory bodies)
Do = set the control measures to achieve those objectives
Check = check that the objectives are achieved (e.g. sampling)
Act = act according to the results of the checks
I think that this Deming model is still valid.
And my second question to you is regarding the ISO 22000 lead auditor training you have taken. I did contact almost all the CBs asking for a FSMS auditor course and none of them are running one, not even IRCA. Could you tell me what kind of training it is that you have taken, a transition one (from a quality management auditor to a FSMS auditor) or a specific one? Who is offering that training and where?
And the last thing, could anyone tell me what 'BTW' and 'w/o' stand for?
Thank you in advance