ISO22000 Certification - Potential problems to avoid
As ISO22000 Certification audits are beginning to occur I thought it may be a good idea to pool our collective experiences, problems and helpful observations.
I am starting this from the perspective of the (despised - I thank you Simon
- Not carrying out a full audit of ISO22000 before the external auditor arrives
- not having available the evidence to back up you validation of control measures
- Not distinguishing between PRP's and oPRP's
- Not correctly documenting oPRP's (cover all of the points identified in the standard (clause 7.5))
- not developing and TESTING the emergency response procedures/processes (as well as the withdrawal process)
- Not confirming the position of any external consultants with regards the Food Safety Team - If your consultant is not part of the team he cannot help during the audit
- Not covering allegens in the Hazard analysis (check note 3 of definition 3.3) - This is not likley to be a problem for primary producers but may be for resturants, hotels or Transportation companies who have limited experience with this.
- Not being familiar with your specifications and what is required by the standard, if you have an answer when the auditor asks "why is XXX not appropriate to this specification?" as long as it is reasonable most auditors will accept this, but to simply say it is not appropriate will normally not be acceptable and there will be many more questions!
- Not recording external communications - Remember that ALL external communications should be recorded and maintained (5.6.1 paragraph 6 last sentance) ie the telephone conversation with a supplier may need to be recorded somewhere; saving e mails; maintaining inspection records from authorities.
I Hope I have given eveyone some food for thought?
James
Hello Everyone,
I am starting this from the perspective of the (despised - I thank you Simon) auditor and have the following points that so far have caused auditees problems:
Keep posting great topics like this and we might just change our minds.
I'm sure this will become very useful over time so I've pinned it to the top of the ISO 22000 forum.
Thanks,
Simon
As you can see in a separate thread, there already exist a major split in opinion in as far as the interpretation OPRP and PRP are concern. While, its all very good taking extracts from the standard - but what exactly do these specifically mean or cover. You really need to go back to the draft standards to understand.
The issues that James had raised appear to reflect an unusual pattern only found probably in companies that had no experiences with system audits. Generally, if professionally guided, almost all would not have these sort of problems prior to an external audit (perhaps some in-house implemented systems may have some difficulties) but again, adequacy requirements in instance had been well served. You have all been duly warned
Hello Everyone,
As ISO22000 Certification audits are beginning to occur I thought it may be a good idea to pool our collective experiences, problems and helpful observations.
I am starting this from the perspective of the (despised - I thank you Simon) auditor and have the following points that so far have caused auditees problems: I appreciate that most of these may not be applicable to your organisation and I would be interested to hear other peoples experiences either auditor or auditee.
- Not carrying out a full audit of ISO22000 before the external auditor arrives
- not having available the evidence to back up you validation of control measures
- Not distinguishing between PRP's and oPRP's
- Not correctly documenting oPRP's (cover all of the points identified in the standard (clause 7.5))
- not developing and TESTING the emergency response procedures/processes (as well as the withdrawal process)
- Not confirming the position of any external consultants with regards the Food Safety Team - If your consultant is not part of the team he cannot help during the audit
- Not covering allegens in the Hazard analysis (check note 3 of definition 3.3) - This is not likley to be a problem for primary producers but may be for resturants, hotels or Transportation companies who have limited experience with this.
- Not being familiar with your specifications and what is required by the standard, if you have an answer when the auditor asks "why is XXX not appropriate to this specification?" as long as it is reasonable most auditors will accept this, but to simply say it is not appropriate will normally not be acceptable and there will be many more questions!
- Not recording external communications - Remember that ALL external communications should be recorded and maintained (5.6.1 paragraph 6 last sentance) ie the telephone conversation with a supplier may need to be recorded somewhere; saving e mails; maintaining inspection records from authorities.
I Hope I have given eveyone some food for thought?
James
Hello jamesgibb,
Reading all the comments about this topic, I can see similarity with the Risk Assessment technique, specifically the Microbiological Risk Assessment technique.
I would like to give my opinion on this.
So far, the pre implementation validation has been based on guides usually written by governmental and regulatory bodies or based on the best information and data source available.
Do the auditor expect that the food industries to have human and technological resources to carry out mathematical models and statistics, epidemiologic studies, a numerical estimate of probability of harm to consumers, a quantified expression of acceptable risks ( e.g. 1 hazardous portion/10 million portions)…and all that stuff ?
I really appreciate the answer
Regarding post implementation validation, I think that the industry can do something. We can check if the objectives intended are achieved by our control measures. How? By making a random sampling of the raw, intermediate or end product for example.
So, considering PDCA as
Plan= set the objectives intended ( set by government or regulatory bodies)
Do= set the control measures to achieve those objectives
Check= check that the objectives are achieved ( e.g. sampling )
Act = act according to the results of the checks
I think that this Deming model is still valid.
And my second question to you is regarding the ISO 22000 lead auditor training you have taken. I did contact with almost all the CB asking for a FSMS auditor course and none of them are running one, nor even from IRCA. Could you tell what kind of traininig is that that you have taken, a transition one ( from a quality management auditor to a FSMS auditor ) or an specific one ? Who is offering that training and where ?
And the last thing, could anyone tell what does ' BTW ' and ' w/o' stand for ?
Thank you in advance
Regards
Esther
Hello jamesgibb,
Reading all the comments about this topic, I can see similarity with the Risk Assessment technique, specifically the Microbiological Risk Assessment technique.
I would like to give my opinion on this.
So far, the pre implementation validation has been based on guides usually written by governmental and regulatory bodies or based on the best information and data source available.
Do the auditor expect that the food industries to have human and technological resources to carry out mathematical models and statistics, epidemiologic studies, a numerical estimate of probability of harm to consumers, a quantified expression of acceptable risks ( e.g. 1 hazardous portion/10 million portions)…and all that stuff ?
I really appreciate the answer
Regarding post implementation validation, I think that the industry can do something. We can check if the objectives intended are achieved by our control measures. How? By making a random sampling of the raw, intermediate or end product for example.
So, considering PDCA as
Plan= set the objectives intended ( set by government or regulatory bodies)
Do= set the control measures to achieve those objectives
Check= check that the objectives are achieved ( e.g. sampling )
Act = act according to the results of the checks
I think that this Deming model is still valid.
And my second question to you is regarding the ISO 22000 lead auditor training you have taken. I did contact with almost all the CB asking for a FSMS auditor course and none of them are running one, nor even from IRCA. Could you tell what kind of traininig is that that you have taken, a transition one ( from a quality management auditor to a FSMS auditor ) or an specific one ? Who is offering that training and where ?
And the last thing, could anyone tell what does ' BTW ' and ' w/o' stand for ?
Thank you in advance
Regards
Esther
hi everyone
still there charles?
I heard from a guy at www.imsm.com in the UK there is three certified iso22000 auditors
bibi
I can see this micro. chat is a bit off-topic however I couldn't resist a comment. Yr query regarding mic.risk assesst. (MRA) addresses a huge and multi-sided subject. I am not a directly using ISO person but in my HACCP / BRC audited experiences, any available 'official compliance' data such as for the production / destination / product type has invariably been the auditor's choice reference position. I suspect a conceptual discussion regarding MRA would have been similar to talking about Extra-terrrestrial Objects although specific location is maybe relevant. However this pragmatic approach can still be ok (from a producer's point of view anyway) where the standards contain some degree of microbiological enlightenment, other times it can be a nightmare. As an example IMO of the 'good' end, I suggest the ready-to-eat food standards in the UK;
http://www.hpa.org.u...uides_micro.pdf
probably better not to comment the other end.
As in point8 of opening post, I have found that auditors have flexibility where you can validate to an existing 'reasonable' range of possibilities ( in some cases I did most gratefully feel this was simply due to their lack of knowledge of the subject - not unexpected perhaps given the scope involved).
Apologies for off-topic.
Rgds / Charles.
edit - first line refers to two post back, sorry for slow fingers
Hello jamesgibb,
Do the auditor expect that the food industries to have human and technological resources to carry out mathematical models and statistics, epidemiologic studies, a numerical estimate of probability of harm to consumers, a quantified expression of acceptable risks ( e.g. 1 hazardous portion/10 million portions)…and all that stuff ?
I really appreciate the answer
Regarding post implementation validation, I think that the industry can do something. We can check if the objectives intended are achieved by our control measures. How? By making a random sampling of the raw, intermediate or end product for example.
So, considering PDCA as
Plan= set the objectives intended ( set by government or regulatory bodies)
Do= set the control measures to achieve those objectives
Check= check that the objectives are achieved ( e.g. sampling )
Act = act according to the results of the checks
I think that this Deming model is still valid.
And my second question to you is regarding the ISO 22000 lead auditor training you have taken. I did contact with almost all the CB asking for a FSMS auditor course and none of them are running one, nor even from IRCA. Could you tell what kind of traininig is that that you have taken, a transition one ( from a quality management auditor to a FSMS auditor ) or an specific one ? Who is offering that training and where ?
Thank you in advance
Regards
Esther
Ester,
In answer to point 1 above the Pre-implementation validation depends upon what control measures you have in place, if you have a tetrapak process for example the manufacturer should already have validated the control measures and it is mainly up to you to check that the way you are using the equipment is in line with the manufacturers rules. Other control measures that are typical throughout the industry (such as temperatures for storage and cooking) are well validated and simple reference to previous studies will again be acceptable. The issue with pre-implementation validation is where you are using non-standard or a combination of non-standard control measures. how can you be sure they will work before you spend money and resources implementing them?
Post implementaion Validation is aimed at re-checking the control measures prior to putting in any changes to control measures so again it is pre-implementation of the change
This concept of feasability studies is a new principle in ISO22000 and has not been included in any previous ISO9000 or 14000 standard, therefore the Deeming model appears to be ineffective.
Regarding the Deeming Model there is a seperate topic already on this, have you voted in the poll?
From what you are saying it do you mean that the Validation step itself completes the full PDCA cycle at the Planning stage of the overall system or do you mean that the "Plan" stage also includeds "Checking", in which case surely the PCDCA approach is the correct one for ISO22000?
Regarding the IRCA training course, I attended the 3 day Lead Auditor transition training course in KL in November, I found the course to be pretty limited in terms of ISO22000, we barely discussed Validation, oPrP's or the difference between corrections and corrective action. IMO the IRCA training spent too long discussing the IRCA rules, the deeming model (Which I feel is inappropriate) and the development of quality standards. I would try to find either the 5 day course or a course simply dealing with the standard and not auditing. We are developing a 2 day training course simply on ISO22000 (what the standard means) for IRCA approval later this year.
If you are interested in this 3 day transition course and you have sufficient numbers (minimum of 7) we can arrange the IRCA course in Spain for you
James
Hello CharlesIs the last line a trick question? Anyway I'll bite - probably 'by the way' and 'without' respectively.
I can see this micro. chat is a bit off-topic however I couldn't resist a comment. Yr query regarding mic.risk assesst. (MRA) addresses a huge and multi-sided subject. I am not a directly using ISO person but in my HACCP / BRC audited experiences, any available 'official compliance' data such as for the production / destination / product type has invariably been the auditor's choice reference position. I suspect a conceptual discussion regarding MRA would have been similar to talking about Extra-terrrestrial Objects although specific location is maybe relevant. However this pragmatic approach can still be ok (from a producer's point of view anyway) where the standards contain some degree of microbiological enlightenment, other times it can be a nightmare. As an example IMO of the 'good' end, I suggest the ready-to-eat food standards in the UK;
http://www.hpa.org.u...uides_micro.pdf
probably better not to comment the other end.
As in point8 of opening post, I have found that auditors have flexibility where you can validate to an existing 'reasonable' range of possibilities ( in some cases I did most gratefully feel this was simply due to their lack of knowledge of the subject - not unexpected perhaps given the scope involved).
Apologies for off-topic.
Rgds / Charles.
No, it was not a trick question. This is the way for me to deal with this new language, the english.The use of those abbreviations sometimes is hard for me. So, once more time I say Thank you for replying.
Regards
Esther
edit - first line refers to two post back, sorry for slow fingers
Hello jamesgibb,
I would like to give my opinion on this.
So far, the pre implementation validation has been based on guides usually written by governmental and regulatory bodies or based on the best information and data source available.
Do the auditor expect that the food industries to have human and technological resources to carry out mathematical models and statistics, epidemiologic studies, a numerical estimate of probability of harm to consumers, a quantified expression of acceptable risks ( e.g. 1 hazardous portion/10 million portions)…and all that stuff ?
I really appreciate the answer
Thank you in advance
Regards
Esther
Esther,
another example of pre-implementation validation is the use of the SDF, the SDF is a forum where representatives from Consultancies, CB's and end users can all discuss control measures etc...
granted you may not get the best advice but normally someone can point you in the right direction.
as a third party auditor I would find it hard to argue with a robust discussion of a control measure like the metal detection thread being part of the validation process
James
I am lacking a source of guidance, someone competent tipped me on checking out this forum.
I think ISO22k is a mess now from where I come from. Everybody (CBs) is pushing for it, not many can fully understand to implement or audit it.
But as it is, from where I come from, CB's are always right, and they believe that they are, which is very annoying as these CBs have all the QMS auditors but no FSMS auditors.
I have always thought that ISO22k requires much more technical knowledge than HACCP, especially on oPRP, validation, and analysis of verification activities, then spiced up a bit with some requirements from ISO9k.
But some QMS auditors who have been through the big hu-ha conversion course claimed that they understand it all (sort of like claiming supremency), that, "ISO22000 is ISO9000 plus HACCP".
And I am extremely annoyed when I expressed my concern on not being able to fully understand it, all the QMS ppl would say "oh, don't worry about the addition of mgt review and things like communication". While I am actually worrying about clause 7.4 and clause 8.2.
I have the impression, they are not worrying because they do not understand the clauses and its requirement.
And I would get some consultant or even CB saying, "I would pair a QMS consultant and HACCP consultant and, wa-lah, we will get ISO22000".
Therefore, I would truely like to understand, whether I have got my concept right ot wrong.
Also would like to understand, are the ISO characteristics on "process base", on "communcation", on "monitoring on verification activites" something that a food safety person would not be able to comprehend?
For some one who is food safety and HACCP based, are these management system based clauses THAT difficult to pick up?
Do we need to draw out the business flow and the connection between each sector of the organization (as required in ISO9k), if we are documenting for only ISO22000? Because I have not spotted anything on this requirement in the std.
I hope that someone would be able to shed some light onto this matter.
Thanks.
I believe not ALL CBs misbehave themselves beyond their highly regarded professional ethics and a matter of fact, I do know a number of CBs in your country that do not behave in this manner but admittedly its the smaller CBs that appear to have more dignity in conducting their businesses...but you are dead right about some CBs using their high offices and good names to "legalize" QMS Auditors.But as it is, from where I come from, CB's are always right, and they believe that they are, which is very annoying as these CBs have all the QMS auditors but no FSMS auditors.
Do we need to draw out the business flow and the connection between each sector of the organization (as required in ISO9k), if we are documenting for only ISO22000? Because I have not spotted anything on this requirement in the std.
Its an FSMS, therefore the appropriate provisions and clauses that directly and indirctly addresses food safety matters as spelt out within the ISO 9K standards MUST be integrated into the ISO 22K Quality Management Manual.
Thanks for the advice, guessed it was a bit rash for me to comment unfavourably on the CBs and QMS ppl (
But the emergence (like a bug) of this standard is causing much uncertainties, and it is rather frustrating to dive into the pond when the ripples have barely subsided...everybody have their own views and interpretations.
Cheers,
as a third party auditor I would find it hard to argue with a robust discussion of a control measure like the metal detection thread being part of the validation process
James
Dear James,
The metal detection thread does mean the "metal sample" that is used to run through detector to see if it is working??
In this case, won't it be verification?
I have come acrossed ppl who would send the end samples for microbiological tests to validate the temperature control, IMO it is verification, not validation. But if this has been carried out over the years, could we agree that it is indeed a validation through historical data, but then it would validating the operational limit, which may not be the critical limit.
And imagine a line that has products of various shapes and sizes, with various control parameters, the cost of validation through relevant tests (if there is no literature or technical articles available) would be very high.
Cheers,
Ester,
In answer to point 1 above the Pre-implementation validation depends upon what control measures you have in place, if you have a tetrapak process for example the manufacturer should already have validated the control measures and it is mainly up to you to check that the way you are using the equipment is in line with the manufacturers rules. Other control measures that are typical throughout the industry (such as temperatures for storage and cooking) are well validated and simple reference to previous studies will again be acceptable. The issue with pre-implementation validation is where you are using non-standard or a combination of non-standard control measures. how can you be sure they will work before you spend money and resources implementing them?
Post implementaion Validation is aimed at re-checking the control measures prior to putting in any changes to control measures so again it is pre-implementation of the change
This concept of feasability studies is a new principle in ISO22000 and has not been included in any previous ISO9000 or 14000 standard, therefore the Deeming model appears to be ineffective.
Regarding the Deeming Model there is a seperate topic already on this, have you voted in the poll?
From what you are saying it do you mean that the Validation step itself completes the full PDCA cycle at the Planning stage of the overall system or do you mean that the "Plan" stage also includeds "Checking", in which case surely the PCDCA approach is the correct one for ISO22000?
Regarding the IRCA training course, I attended the 3 day Lead Auditor transition training course in KL in November, I found the course to be pretty limited in terms of ISO22000, we barely discussed Validation, oPrP's or the difference between corrections and corrective action. IMO the IRCA training spent too long discussing the IRCA rules, the deeming model (Which I feel is inappropriate) and the development of quality standards. I would try to find either the 5 day course or a course simply dealing with the standard and not auditing. We are developing a 2 day training course simply on ISO22000 (what the standard means) for IRCA approval later this year.
If you are interested in this 3 day transition course and you have sufficient numbers (minimum of 7) we can arrange the IRCA course in Spain for you
James
Hello JAmes
First, sorry for the delay and thank you for your answer.
Yes, I think that the validation step can complete the PDCA cycle. If things are going wrong, I mean, you are not achiving the intended objectives, then you must think:
1. What I am doing wrong on my process ?
2. If you are doing things exactly as you are asked to do ( goverment regulations, scientific studies...) then you shoud thing, for example, if the characteistics of your raw material are similar than the one used on the studies.
3. MAybe, your pre-implementation has not been based on the best and reliable studies. This is a very important thing on MRA analysis.
ALso thank you for your offer regarding the training course. I will wait a bit, maybe to the launch of the ISO 22003.
Regards
Esther
If you are looking at the current ISO 22000 standard to interpret the requirements, my suggestion to you is to throw that ISO 22000 away for the time being and take a closer look at the draft DIS Standards first.
I also agree with you that ISO 22K is a serious piece of FSMS and I am not at all surprised to hear so many people are having difficulties in putting it all together. I suspect that this predicament was largely due to the problem of CBs, Consultants and Food Auditors of not continually up-dating themselves or are of QMS background (remember the engineer-food auditor)
In UK for example (can someone please correct me if I am wrong) at point of writing, I was advised that no organization in UK has yet achieved ISO 22000. Don't get me wrong. Its not a case of qualifications but rather organizations in UK are so comfortable with BRC that there do not see a need to look at ISO 22K. To the CBs, The Consultants and the Food Auditors - there is no urgency to change as business is focused on BRC or IFS and not ISO 22K..............but the difference in opinion (again I was advised) is completely different over on the other side i.e. Denmark, Cyprus, Turkey etc
So you see - it may take some time to get all to gel in.
Regards
Charles Chew
Hi Wai Ling,
In UK for example (can someone please correct me if I am wrong) at point of writing, I was advised that no organization in UK has yet achieved ISO 22000. Don't get me wrong. Its not a case of qualifications but rather organizations in UK are so comfortable with BRC that there do not see a need to look at ISO 22K. To the CBs, The Consultants and the Food Auditors - there is no urgency to change as business is focused on BRC or IFS and not ISO 22K..............but the difference in opinion (again I was advised) is completely different over on the other side i.e. Denmark, Cyprus, Turkey etc
Hi Charles,
Sorry for the late reply. I don't know of any organisations in the UK with ISO 22000 yet and as mentioned previously I agree it will be difficult for 22k to make an impact when BRC has been so successful. To keep updated on organisations that have achieved ISO 22000 thoughout the world I have set up a new topic here:
Companies that have Achieved ISO 22000
If you hear anything please post.
Cheers,
Simon
Dear Charles,If you are looking at the current ISO 22000 standard to interpret the requirements, my suggestion to you is to throw that ISO 22000 away for the time being and take a closer look at the draft DIS Standards first.
Thanks for the advice, will try to find the drafts and study through it. Hopefully, I will be able to see light at the end of the tunnel.
Cheers.
Having taken a company to ISO 22000 under the UKAS Pilot Certification Scheme, it was a tremendous achievement and trust me, the drafts were a big help in shaping the QMS Manual.
I am sure you will find the drafts completely different but it should lead you to a better understanding of the standard itself.
I am sure you will find the drafts completely different but it should lead you to a better understanding of the standard itself.
Dear Charles,
Having a swell of a time looking for the drafts. Do you happen to have any links??
Cheers,
I only have the hard copies and is not sure whether they are still on sale by ISO. Perhaps someone from the forum might have a link but is certainly not possible to post it as these are copyrighted.
Good luck!