ISO 9001 Quality Manuals

The requirements of ISO 22000 prescribe a comprehensive systematic way to producing a HACCP system that would be of great benefit to any organisation. Prerequisite programmes to control the introduction of food safety hazards through the work environment, preventing product contamination and controlling hazard levels in the product and product environment are required when implementing an ISO 22000 compliant HACCP system. ISO 22000 clause 7.2.3 states that construction and lay-out of buildings/premises, workspace, employee facilities; supplies of utilities, waste disposal, adequate equipment, management of purchased materials, storage and transport, prevention of cross contamination, sanitation, pest control and personnel hygiene should be taken into consideration when establishing prerequisite programmes.

The first step in developing an ISO 22000 compliant HACCP system is to establish a food safety team multi-disciplinary knowledge and experience. The food safety team are required to carry out a number of preliminary steps in order to carry out the hazard analysis. The first step for the team in implementing an ISO 2000 compliant HACCP system is to describe the product characteristics (Clause 7.3.3) including raw materials, ingredients, product contact materials and end product including its intended use (Clause 7.3.4).

Next the food safety team should construct flow diagram and conduct on site confirmation of the flow diagram (Clause 7.3.5.1 Flow diagrams. Next the food safety team describe each process step and the existing control measures applied at each step as required by ISO 22000 clause 7.3.5.2. This is the last step required prior to hazard analysis.

The food safety team now conduct a hazard analysis, as per the requirements of ISO 22000 clause 7.4.2, to identify all the food safety hazards that are reasonably likely to occur. In conducting the hazard analysis the food safety team are required to assess each hazard identified (Clause 7.4.3), consider and select control measures (Clause 7.4.4) required to achieve the acceptable level of hazard. Each control measure needs to be reviewed by the food safety team with respect to its effectiveness against the identified food safety hazards and then categorized as to whether they need to be operational prerequisite programmes or included in the HACCP plan. The food safety team need to review each control measure and its effectiveness to decide if the control measure is to be part of the HACCP plan or to be controlled by operational prerequisite programmes. ISO 22000 clause 7.5 requires the food safety team to establish and document operational prerequisite programmes including the food safety hazard to be controlled, the control measure, the monitoring procedures, corrections and corrective actions to be taken if out of control, the responsibilities and authorities and the records to be completed.

The next step of implementing an ISO 22000 compliant system requires the food safety team to establish the HACCP plan. ISO 22000 clause 7.6 uses the same principles of HACCP implementation as CODEX, clause 7.6.2 requires identification of critical control points, clause 7.6.3 requires the food safety team to determine critical limits for critical control point, clause 7.6.4 requires monitoring of critical control points, clause 7.6.5 requires actions when critical limits are exceeded and clause 7.8 requires verification planning. The HACCP plan documents the food safety hazard to be controlled at the critical control point, the control measure, the monitoring procedures, critical limits the records to be used, the corrections and corrective actions to be taken if out of control, and responsibilities and authorities.

Clause 8.2 describes the requirement for validation of operational PRP and HACCP plan control measures and combinations. ISO 22000 has further specific documentation requirements are prescribed in clause 4.2 which requires that documents and records required by the food safety management system to be controlled.

ISO 22000 has further requirement with regards to implementing a HACCP system in that clause 7.7 prescribes the need for updating of  product characteristics, intended use, flow diagrams, process steps, control measures after the operational PRP(s) and/or the HACCP plan have been established. After updating the preliminary information the food safety team should then decide if the HACCP plan and/or prerequisite programmes documents need to be amended. When verification results do not indicate conformity ISO 22000 requires the food safety team to review of the conclusions of the hazard analysis, operational PRPs and the HACCP plan as per clause 8.4.2.

The last requirement is that the food safety team are to evaluate the food safety management system at planned intervals and then consider the need to review the hazard analysis, operational prerequisite programmes and the HACCP plan as described in ISO 22000 Clause 8.5.2 Updating the food safety management system.

ISO 22000 states that an organisation requires the documents necessary to ensure the effective development, implementation and updating of the food safety management system.

There are specific references in the standard where it prescribes that the food safety management system will need to have documents. The following is a list of the documents required:

1 Food Safety Policy
2 Food Safety Objectives
3 Identification and Control of Outsourced Processes
4 Document control
5 Record control
6 Documents that specify how prerequisite programme activities are managed
7 Information required to conduct the hazard analysis
8 Descriptions of raw materials to the extent needed to conduct the hazard analysis
9 Descriptions of Ingredients to the extent needed to conduct the hazard analysis
10 Descriptions of product-contact materials to the extent needed to conduct the hazard analysis
11 The characteristics of end products
12 Descriptions of the intended use to the extent needed to conduct the hazard analysis
13 Descriptions of the reasonably expected handling of the end product to the extent needed to conduct the hazard analysis
14 Descriptions of any possible unintended but reasonably expected mishandling and misuse of the end product to the extent needed to conduct the hazard analysis
15 Descriptions of the methodology and parameters used for the categorization of control measures as belonging to the HACCP plan or Operational prerequisite programmes
16 The food safety hazard or hazards to be controlled by each operational prerequisite programme
17 The food safety hazard or hazards to be controlled by each operational prerequisite programme
18 The control measures used by each operational prerequisite programme
19 The monitoring procedures used in each operational prerequisite programme
20 The corrections and corrective actions for each operational prerequisite programme
21 The responsibilities and authorities for each operational prerequisite programme
22 Records for each operational prerequisite programme
23 The HACCP plan and identified critical control points (CCPs)
24 The food safety hazards to be controlled at each critical control point
25 The control measures used at each critical control point
26 The monitoring procedures used at each critical control point
27 The critical limits applied at each critical control point
28 The rationale for the chosen critical limits
29 The corrections and corrective action to be taken if critical limits are exceeded for each critical control point
30 The responsibilities and authorities for each aspect of the critical control point
31 Critical control point monitoring records
32 Procedures for the handling of potentially unsafe products, including the controls, methods and authorization levels.
33 Procedures for withdrawing products including notification to relevant interested parties, handling of withdrawn products as well as affected products in stock and the sequence of actions to be taken.
34 Procedure for Corrections including the identification and assessment of affected end products
35 Records of the review of corrections carried out
36 Procedure for Corrective Action that specifies the appropriate actions to identify and eliminate the cause of detected nonconformities, to prevent recurrence, and to bring the process or system back into control after nonconformity is encountered.
37 The corrective action procedure must include a review of non-conformances including customer complaints
38 The corrective action procedure must include a review of trends in monitoring results that may indicate development towards loss of control
39 The corrective action procedure must include a review to determine the causes of non-conformances
40 The corrective action procedure must include an evaluation of the need for action to ensure that nonconformities do not recur
41 The corrective action procedure must include a how the actions needed are determined
42 The corrective action procedure must include a how the actions needed are implemented
43 Records of corrective actions
44 Records of the review of corrective actions taken to ensure that they are effective
45 Procedure for Internal Auditing including responsibilities and requirements for planning and conducting audits, for reporting results and maintaining records.
46 Internal Audit records
47 External documents relevant for the food safety activities including statutory, regulatory and customer requirements.

The extent of the food safety management system documentation will differ from one organization to another depending on the size and complexity of the operation and the competence of personnel.

ISO 22000 was first published by the International Organisation for Standardisation (ISO) in September 2005 and hence is known as ISO 22000:2005. ISO 22000 is an internationally recognised standard for Food Safety Management System requirements for organisations throughout the food chain.

Although initially ISO 22000 can be a little confusing, there is little doubt it is one of the most useful standards developed by ISO. ISO 22000 specifies the requirements for a food safety management system and is applicable to all organisations in the food chain regardless of their size.

The aim of ISO 22000 is to harmonize on a global level the requirements for food safety management for businesses within the food chain and is particularly intended for organisations that seek a more focused and integrated food safety management system than is normally required by law.
 
In order to comply with ISO 22000 an organisation needs to:

• Plan, implement, operate, maintain and update its food safety management system
• Demonstrate compliance with applicable statutory and regulatory food safety requirements
• Evaluate, assess and conform customer requirements related to food safety
• Effectively communicate food safety issues to its suppliers, customers and relevant interested parties in the food chain
• Conforms to its stated food safety policy
• Demonstrate such conformity to relevant interested parties

ISO states there are four key elements to ISO 22000:

• HACCP principles
• Prerequisite programmes
• Communication
• System management

HACCP principles
ISO 22000 includes the Hazard Analysis and Critical Control Point (HACCP) system principles and application steps developed by the Codex Alimentarius Commission. Hazard analysis is fundamental to an effective food safety management system. ISO 22000 requires that all hazards that may be reasonably expected to occur in the food chain, including hazards that may be associated with the type of process and facilities used, to be identified and subject to hazard assessment.

Prerequisite programmes
ISO 22000 requires the combination of a HACCP plan with Prerequisite programmes (PRPs). Prerequisite programmes are the basic conditions and activities that are necessary to maintain a hygienic environment.

PRPs vary throughout the position in the food chain and are sometimes referred to as “Good Practices” such as Good Manufacturing Practice (GMP) and Good Hygienic Practice (GHP). Operational prerequisite programmes are implemented to control specific hazards in the process or product. During hazard assessment, the food safety team determine if hazards are to be controlled by PRP(s), operational PRP(s) or the HACCP plan.

Communication
Communication along the food chain is required to ensure that all food safety hazards are identified and adequately controlled at each step. The standard views communication with customers and suppliers about identified hazards and control measures as an important part in delivering safe food products to the final consumer. Communication can take a variety of forms including:

• Labelling such as end product labels which inform the consumer of hazards such as if the product contains an allergen.
• Specifications with details of any hazard present and prescribed control measures

System management
ISO 22000 requires that food safety systems are established, operated and updated within a structured management system. ISO 22000 integrates existing HACCP and ISO 9001 systems so that a system compliant with ISO 9001 can be adapted to ISO 22000.

We add a fifth element to this which is Compliance:

It is essential that any organisation and its food safety management system complies with relevant customer, statutory and regulatory requirements.

Clause 5.6.1 Management Review General

Regular Management reviews should be conducted in order to assess the effectiveness of the Quality Management System and to continually improve. The management review should be a formal analysis and review of the quality policy, quality objectives and quality management system performance which generates plans for corrective action, preventative action or opportunities for improvement all of which should be documented in the management review minutes.

Clause 5.6.2 Management Review Input

The first item on the management review agenda really should be a review of the Quality Policy to confirm it is pertinent to the quality management system and organisation or if any changes are required. Similarly the Quality Objectives should be reviewed and updated as necessary. There should be a review of the Management Structure and any changes and confirmation that there is adequate quality management system resource.

The meeting should cover the minutes and follow-up actions from previous review meetings and confirm actions to improve the quality management system as a result of the review have been completed.

Findings of internal and external quality management system audits should be reviewed and outstanding non-conformances as a result of internal and external quality management system audits discussed. The Management Representative should conduct a trends analysis of the results of internal and external audits to present to the meeting. The management review team should also ensure that internal quality management system audits have been carried out as planned. Adverse trends such as an increased number of non-compliances should be identified and corrective action proposed. The results of third-party quality management system audits should be thoroughly scrutinised as these represent and independent view of the organisation.

The Quality Manager should present a trend analysis of Customer Complaints. This data should compare year on year performance especially when a product or service is seasonal. Volumes should be factored into the complaints analysis and so complaints should be presented taking this into consideration. Complaints are should also be categorise into critical and non-critical. Non-critical and total complaint analysis is useful for trends. Critical complaints should be closely analysed to determine if there is a common cause and if effective corrective action has been taken.

A standard format is to compare complaints per million units sold for each product. Industry standard complaint levels should be used for comparison. Again trends should be identified and if necessary plans for preventative action taken. Complaint analysis should also give an indication of opportunities for improvement of the quality management system. At this stage Safety incidents, recalls or withdrawals should also be reviewed. Corrective Action should have already been taken to deal with the causes of these incidents, the meeting should review the effectiveness of the quality management system in eliminating the cause of the incidents and also consider any common factor to the incidents in order to assess if preventative actions are required to improve the quality management system.

The meeting should review the quality management system Approved Supplier Register. A review of annual supplier performance should be presented normally by the Purchasing Manager. The report should include items such as percentage on time deliveries, percentage order completion, any non-conformances such as damaged deliveries or non-conforming products supplied plus any products rejected or accepted under concession. The report should also recognise exceptional supply performance and added value assistance received from suppliers as this should be factored into the quality management system when renegotiating contracts. Corrective Action plans should be formulated to deal with or change poor performing suppliers. Similarly to Customer Complaints, Supplier complaints should be analysed for trends.

The management review meeting should discuss quality management system process performance and confirm that the correct performance indicators are being monitored. Review and analysis of the quality management system Key Performance Indicator trends should be conducted to see if there is a visible improvement in performance. Sales levels should be one of the quality management system Key Performance Indicators as this will give an indication of company performance in the market place. Also the number and performance of new products successfully launched into the market place should be discussed. Again corrective action, preventative action and opportunities for improvement of the quality management system should be considered from the key performance indicator trend analysis.

The management review should cover the status of corrective and preventive action and compare numbers since the previous review and consider if the quality management system corrective and preventative actions are being completed in a timely fashion.

There should conduct a review of changes within the organisation and how this may have affected resource requirements including infrastructure, work environment, personnel and training requirements. At this stage proposed changes should be discussed and again quality management system resource requirements identified.

Review should also include Environmental performance and incidents,
and Health and Safety performance and accidents

Clause 5.6.3 Management Review Output

The Management Review outputs should include resource requirements corrective and preventative actions identified as a result of analysis of the quality management system review inputs, all of which should be clearly documented in the minutes.

There will also be opportunities for Improvement in quality management system effectiveness including product related customer requirements, change or elimination of non-productive elements, change or elimination of non-productive systems or procedures and supply of resource needed for improvement plans.

The results of the Management Review meetings should be documented in the minutes of the meeting and include a summary of all quality management system review inputs and outputs. The Management Representative should ensure the minutes of the Management Review meeting are distributed and effectively cascaded within the organisation.

Clause 4.1 requires an organization to establish, document, implement and maintain a quality management system and continually improve the quality management system effectiveness.

Clause 4.1 requires an organization to

- determine the processes needed for the quality management system
- determine the sequence and interaction of these processes
- determine criteria and methods needed to ensure that both the operation and control of these processes are effective
- ensure the availability of resources and information to support the operation and monitoring of these processes
- monitor, measure, and analyse the processes
- implement actions necessary to achieve planned results and continual improvement

Clause 4.1 requires an organization to manage the processes in accordance with the requirements of the ISO 9001: 2008 standard.

Clause 4.1 requires that when an organization outsources any process that can affect product conformity to requirements, the organization shall ensure control over such processes. The type and extent of control to be applied to must be defined within the quality management system.

Quality management system processes should include management activities, provision of resources, product realization, measurement, analysis and improvement.

An outsourced process is a process which the organization chooses to have performed by an external party but is still a part of the quality management system. The organization still assumes responsibility of conformity to all customer, statutory and regulatory requirements for all outsourced processes. The control applied to the outsourced process can be influenced by the potential impact of the outsourced process on the organization’s capability to provide product that conforms to requirements, the degree to which the control for the process is shared, and the capability of achieving the necessary control through the application of purchasing procedures

All of our manual packages come with our comprehensive guide to the process of implementing an ISO 9001 compliant Quality Management System