A newly published document in the ISO 22000 series gives the requirements for the bodies that carry out auditing and certification of food safety management systems.

ISO/TS 22003:2007 defines the rules applicable for the audit and certification of a food safety management system (FSMS) that complies with the requirements given in ISO 22000:2005. It also provides confidence to customers about the way certification of their suppliers has been granted.

FSMS certification does not attest to the safety or fitness of the products of an organization within the food chain. However, ISO 22000 does requires an organization to meet all applicable food-safety-related statutory and regulatory requirements through its management system.

ISO/TS 22003 covers topics such as resource requirements, competence of management and personnel (including auditors and persons involved in decisions related to certification), process requirements, and requirements for certification bodies. It closely follows the requirements established by ISO 17021:2006, which places rigorous requirements for competence and impartiality on the bodies that offer audit and certification to management system standards.

ISO/TS 22003 is the latest document in the ISO series for food safety management systems, which harmonizes good food safety practice worldwide. It was launched in 2005 with ISO 22000, backed by an international consensus among experts from government and industry.

ISO 22000 can be applied to organizations ranging from feed producers and primary producers through food manufacturers, transport and storage operators, and subcontractors to retail and food service outlets. Related organizations such as producers of equipment, packaging material, cleaning agents, additives and ingredients are also affected by the prospective standard.

The ISO 22000 standard was followed by technical specification ISO/TS 22004:2005 which gives advice for all types of organization within the food supply chain on how to implement an FSMS.

ISO/FDIS 22005:2007, Traceability in the feed and food chain -- General principles and basic requirements for system design and implementation, is planned for publication in September, 2007.

In the last newsletter, I reviewed the proposed changes for clause 4 of the draft ISO 9001:2009 standard. This month, we'll look at the suggested changes for clause 5, Management Responsibility, and clause 6, Resource Management.

5. Management Responsibility
The clause 5 changes are a revision to Management Commitment to include statutory requirements, as well as, clarify that the Management Representative must be a member of the organization's management.

5.1 Management Commitment

a) communicating to the organization the importance of meeting customer as well as statutory and regulatory requirements,

Under clause 1.1 Scope - General, there is a new Note that says "statutory" and "regulatory" requirements may be expressed as "legal" requirements.

5.5 Responsibility, Authority, and Communication

Most organizations already appoint a Management Representative that is a member of their own management team. The change below clarifies that requirement.

5.5.2 Management Representative

Top management shall appoint a member of the organization's management who, irrespective of other responsibilities, shall have responsibility and authority that includes:

However, I've encountered a few small companies that have outsourced the Management Representative role to their consultant. I wonder if this clarification is aimed at that practice?

6. Resource Management
6.2 Human Resources
6.2.1 General

The revision for this clause is from work affecting "product quality" to work affecting "conformity to product requirements". Quality is the degree to which a set of inherent characteristics fulfils requirements; Conformity is the fulfilment of a requirement.

Personnel performing work affecting product quality conformity to product requirements shall be competent on the basis of appropriate education, training, skills and experience.

I doubt this change will result in new interpretations of the requirement. Anyone performing, verifying, or managing work within the scope of the quality management system, including supporting services, can affect conformity to product requirements.

6.2.2 Competence, Training, and Awareness, and Training

The clause title has been changed from "Competence, Awareness, and Training" to "Competence, Training, and Awareness". Maybe the thought was that awareness comes from some form of training and should be last in the title. And, that is also the sequence of the requirements as listed within clause 6.2.2.

The same change made to clause 6.2.1 regarding conformity to product requirements has been included in this sub-clause:

a) determine the necessary competence for personnel performing work affecting product quality conformity to product requirements,

Use below of the phrase "where applicable" seems to recognize that training or other actions may not be necessary, since individuals may already have the necessary competence. And, since "these needs" could be taken out of context, the requirement has been revised to specifically mention competence.

b) where applicable, provide training or take other actions to satisfy these needs achieve the necessary competence,

In the past, people have struggled with how to evaluate the effectiveness of the actions taken, which have been viewed primarily as training. The sub-clause below has been modified to focus more on competency instead of the effectiveness of the training.

c) ensure the effectiveness of the actions taken, ensure that the necessary competence has been achieved,

Evidence for the current requirement has in some cases included students evaluating the effectiveness of their training. However, this approach would not relate as well for the revised requirement as an evaluation of their skills.

6.3 Infrastructure

The only change under Infrastructure was to include "information systems" as an additional example of a supporting service.

c) supporting services (such as transport, or communication or information systems).

6.4 Work Environment

The only change to this clause was to add a Note to explain the term Work Environment by providing examples of work environment conditions for achieving product conformity.

Note: The term work environment relates to conditions necessary to achieve conformity to product requirements such as clean rooms, anti-static precautions, and hygiene controls.

Remember when you were in school and had to write a paper on some subject? The teacher would remind you to use the opening paragraph to provide an overview before getting into the details. The opening paragraph is like a road map that helps guide the reader through the rest of your paper. Well, clause 4.1 serves that purpose for the standard.

However, due to the broad scope of ISO 9001:2000, clause 4.1, auditors often wonder how to assess its general requirements. The answer: by recognizing its linkages to the clauses in the remainder of the standard. Audit those other areas well and you are in effect auditing clause 4.1. See my comments below each of the of the requirements of clause 4.1.

The organization shall establish, document, implement, and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard.

Clause 4.1 covers the requirement for your organization to set up a quality management system and broadly defines the associated activities. These activities are described in greater detail in the remainder of the standard. And, when you audit these other clauses, you are in essence auditing clause 4.1. To meet those requirements, you need to ensure that the activities described in 4.1 a) to f) below have been included in the quality management system.

The organization shall a) identify the processes needed for the quality management system and their application throughout the organization (see 1.2),

Which clauses are to be identified? The NOTE for clause 4.1 states the processes to be included are those for management activities (clause 5), provision of resources (clause 6), product realization (clause 7), and measurement (clause 8).

The reference in 4.1.a to clause 1.2, Application, is to convey that all ISO 9001 requirements are intended for application, unless some can't be applied due to the nature of the organization or its product. However, those exclusions are limited to the clause 7 requirements and must not affect your ability or responsibility to provide product that mets customer and legal requirements.

How might the processes be identified? The key processes mentioned in the standard will be identified in the Quality Manual. Others may be addressed in documented plans, procedures, and work instructions. Some may be defined, but not documented. For example, there is a requirement to determine the methods to obtain and use customer satisfaction data. These methods may not be documented, but evidence must be available to prove their existence and conformity to clause 8.2.1.

b) determine the sequence and interaction of these processes,

Since clause 4.2.2.c requires the Quality Manual to describe the interaction between the processes of the quality management system, you assess conformity to 4.1.b by assessing the documented process sequence and interaction contained in the Quality Manual. That description could be conveyed in text, in a process interaction table, or in a process map (flow chart).

c) determine criteria and methods needed to ensure that both the operation and control of these processes are effective,

When we ask about methods of operation and the controls in place to ensure desired results are obtained, we could be talking about any process. So, when we pose these questions for the order entry (7.2), product design (7.3), production (7.5), purchasing (7.4), or training (6.2) process, we are in effect auditing clause 4.1.c. And, just like we test the conformity of a product by comparing its characteristics to the acceptance criteria, the effectiveness of a process is evaluated by comparing its results to the process requirements (criteria).

d) ensure the availability of resources and information necessary to support the operation and monitoring of these processes,

When you assess conformity to clause 6.1, Provision of Resources, you are also auditing clause 4.1.d. Clause 6.1 requires your organization to determine and provide the necessary resources to implement and maintain the quality management system, as well as, continually improve its effectiveness.

What resources should be considered? Equipment, facilities, people, supporting services, work environment, suppliers, information, natural resources, and finances. You want to know if resources are being identified, planned, made available, used, monitored, and changed as necessary. Also, see if process performance is being analyzed to determine the appropriate allocation of resources.

Don't audit the resources in isolation. Evaluate them by examining the process results. If inadequate resources are provided, the process will suffer and you may spot nonconformities. Don't make subjective judgments on the proper resource level. Limit your role to evaluating the effectiveness of the resources, i.e., see if the process is delivering the planned results.

Also, don't get caught in the middle of a resource dispute. If you identify a nonconformity and are told it is due to insufficient resources, write up the resulting problem, not what may possibly be the cause. If a lack of resources is the real issue, more resources will be provided as the corrective action. If inadequate resources was just an excuse, then a different corrective action will be taken to resolve the problem.

e) monitor, measure, and analyze these processes, and

Clause 8.1 requires that processes be planned and implemented for monitoring, measurement, analysis, and improvement of the quality management system. When you audit clause 8.1, clause 8.2 (Monitoring and Measurement), and clause 8.4 (Analysis of Data), you are in effect auditing clause 4.1.e.

f) implement actions necessary to achieve planned results and continual improvement of these processes.

Clause 8.2.3 requires suitable methods be applied to monitor, and where applicable, measure your processes. It states these methods must demonstrate the ability of the processes to achieve planned results. If the planned results are not achieved, then correction and corrective action must be taken, as appropriate, to ensure conformity of the product. When you audit clause 8.2.3, you are also auditing clause 4.1.f.

Clause 8.5.1 requires your organization to continually improve the effectiveness (results) of the quality management system, which consists of interrelated processes. Therefore, when you audit clause 8.5.1, you are also auditing clause 4.1.f.

These processes shall be managed by the organization in accordance with the requirements of this International Standard.

This simply means there are process-related requirements stated elsewhere in the standard and the organization must manage the processes in accordance with those requirements. When you audit the process-related requirements in the other clauses, you also auditing this clause 4.1 requirement.

Where an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system.

When you outsource (subcontract) any process that affects the quality of your product, you need to decide how you are going to control that process. If you outsource any process, you are still responsible for ensuring that the outsourced process provides what your customer contracted you to do.

For example, if you are the main supplier on a project, but the design is carried out by another supplier, you have to decide how you will ensure that the developed design will meet the specification provided by you (or your customer). Other examples of outsourcing include processes such as heat treatment, cleaning, galvanizing, painting, information technology, and general maintenance. How do you control the outsourcing of processes? By applying the controls required by clause 7.4.1, Purchasing Process.

Because the requirements of clause 4.1 are so general, most nonconformities are written based on the more specific requirements in the remainder of the standard. If a nonconformity is written against 4.1, it is likely a complete breakdown of some key aspect of the system and would be categorized as a major finding.