You have a HACCP plan in place. You know where your problem process areas are, and everything in your process is in control—at least from a food safety standpoint. Now, one of your suppliers sends you a key ingredient laced with Salmonella. With a food safety management system (FSMS) in place, there’s a good possibility this ingredient wouldn’t have left your supplier’s dock.

An FSMS is more than just a HACCP plan; it’s much more far reaching. With an FSMS, your facility is better prepared for FSMA and able to prevent a catastrophe in the first place rather than putting out fires when something goes wrong. That’s because an FSMS gives you the tools to stay on track and help with the laborious task of recording all the information you may need at a moment’s notice for regulators and auditors.

 

What is an FSMS?

“A food safety management system is much more than a properly written and executed HACCP plan,” states Silliker Technical Director Jeff Lucas. “It is an all-inclusive system that branches out into all prerequisite programs [PRPs], contract service providers, vendor approval, allergen management programs, etc.” Each one of these individual programs can have a dramatic effect on food safety, but they must have trained individuals overseeing their proper maintenance. When all the systems work together and are properly monitored, food safety is achieved. But management commitment is critical to obtaining a comprehensive, living FSMS, says Lucas.

In the traditional sense, an FSMS is a series of specifications, procedures, processes, verifications, validations and documentation that comprises a processor’s formal plan to ensure food safety and quality management, says Barbara Levin, senior vice president and co-founder, SafetyChain Software. While software tools are available to automate the documentation of an FSMS and quality system, it can be easy to confuse a software system with a company program. “To this end, I’ve heard more companies refer to their traditional FSMS as a food safety management plan or program,” adds Levin.

“A food safety management system is a company’s program strategy for maintaining and executing a food safety program to encompass and adhere to internal and external standards, regulations and requirements,” says Katie Moore, GE Intelligent Platforms global industry manager. Moore spent years in the food and beverage industry, including her last position as a plant manager responsible for dealing with food safety issues.

The introduction to the ISO 22000 document states: “This International Standard specifies the requirements for a food safety management system that combines generally recognized key elements to ensure food safety along the food chain, up to the point of final consumption.” These include:

  • Interactive communication
  • System management
  • Prerequisite programs
  • HACCP principles.

According to the document, ISO 22000 has been aligned with ISO 9001 to enhance the compatibility of the two standards and can be applied independent of other management system standards. ISO 22000 can be used along with or part of a processor’s existing FSMS; in addition, processors can continue to use their existing FSMS by showing that it complies with ISO 22000 standards, and they can say they are ISO 22000 compliant—pending audit approval.

ISO 22000 integrates the principles of the HACCP system and application steps developed by the Codex Alimentarius Commission. By means of auditable requirements, it combines a processor’s HACCP plan with PRPs. While the standard requires that all hazards associated with the process and facilities be mitigated, it is only intended to address food safety concerns, not necessarily quality.

Food Safety System Certification 22000 (FSSC 22000), a GFSI scheme, is specifically built on ISO 22000. As such, FSSC 22000 doesn’t necessarily address quality, but provides a framework for a processor to build an FSMS. FSSC 22000 is the certification scheme for food safety management systems using the international and independent standards ISO 22000 and ISO 22003 and technical specifications for sector PRPs such as ISO 22002-1 and PAS 223, which were developed through a wide and open consultation with a large number of related organizations. The FSSC 22000 certification scheme is supported by the European Food and Drink Association (CIAA) and Grocery Manufacturers Association (GMA).

Getting help with developing an FSMS

Processors that need help setting up an FSMS should have little trouble finding a GFSI consultant. For example, certified consultants and their areas of expertise are listed on the SQF website. Contacting the certification bodies to locate a trained consultant is another option, offers Lucas. “But the processor should first attend the appropriate training for the chosen GFSI standard [BRC, SQF, FSSC 22000]. This will greatly help the processor understand the commitment and resources required to achieve certification and complete an FSMS. Training centers may also provide guidance for a consultant.”

Credibility and history are two important indicators when choosing a consultant, according to Danna Nelson, Aptean vice president, ERP product management.

But a consultant can only do so much. “Hiring an internal food safety manager is the most sustainable approach,” says Intelex’s Lyon. “A consultant will give you a nice, big bang, but the whole point of a management system is that it needs to go on forever. A consultant can help you put those building blocks together and get the ball rolling, but you’ll want to have a manager.”

Needless to say, training also is a key part of any FSMS. “In my opinion, training is great for a company of any size,” says Junction Solution’s Hutter. “Even better is to get involved in the various industry groups. For example, I attend the United Fresh—Food Safety and Technology Council meetings. The discussions are invaluable to help us see the trends and rules being proposed and/or implemented. Additionally, the peer discussions help an organization develop a strategy to implement or improve an FSMS.”

Many industry groups such as AIOE (Alliance for Innovation and Operational Excellence), GMA and PMMI have work groups that regularly share noncompetitive best practices on topics including food safety, adds GE’s Intelligent Platforms’ Moore. These organizations also provide access to service providers and consultants to help all sizes of companies address their biggest challenges.

Large international food and beverage processors often adopt FSSC 22000 as a GFSI certification scheme because it allows them to obtain GFSI certification for FSMSs they already have in place; of course, they may have several other GFSI certifications as well. Smaller processors that may or may not have a specific FSMS in place may opt for a more prescriptive scheme such as BRC or SQF, each of which already has defined a food safety regimen(s) to follow. While FSSC 22000 has a different starting point (ISO 22000) than other schema, what’s important is that all GFSI schema produce the same results—a GFSI certification that is valid around the world.

Obviously, no certification body can guarantee a processor follows a GFSI scheme’s regimen every moment of every day. But following the scheme’s procedures can not only produce safe food, but also maintain it at a high quality, especially if the processor has designed some quality criteria in its FSMS.

According to edition 7 of the the SQF Code, certification of SQF systems by a certification body licensed by the Safe Quality Food Institute [SQFI] is not a guarantee of the safety of a supplier’s food or service or that the supplier meets all food safety regulations at all times. However, it is an assurance the supplier’s food safety plans have been implemented in accordance with the HACCP method and applicable regulatory requirements, and the plans have been verified and determined effective to manage food safety. It is also a statement of the supplier’s commitment to:

  1. Produce safe, quality food
  2. Comply with the requirements of the SQF Code
  3. Comply with applicable food legislation.

“An FSMS promotes the collection of quality data, ensures the data is entered into the system and then focuses on data validation,” explains Christian Hutter, executive vice president, products and strategy, Junction Solutions. “An FSMS’s goal is to deliver a single version of the ‘truth’ that helps a company maintain the quality and safety of its food. Plus, in the event of mistakes or recalls, the FSMS quickly defines and enforces corrective actions and provides analysis for new preventative measures to resolve future quality or safety issues.”

 

Why develop an FSMS?

“The point of a management system is to mitigate risk,” states Bevin Lyon, Intelex vice president of food and beverage. An FSMS allows a processor to regulate itself, so an enforcement officer shouldn’t be necessary to make sure the processor is following regulations. “HACCP, PRPs, management practices, training, etc. all help in identifying risks, hazards and what controls are going to be put in place,” adds Lyon.

“Each of these programs [HACCP, PRPs, training, etc.] is considered a component of a solid FSMS,” says Moore. “Standalone, they would not be sufficient to mitigate risks, but together, they help enable a safer food production environment.”

“Preventive control is a large component of the FSMA regulation,” says Silliker’s Lucas. These preventive measures apply to all programs that support the HACCP plans and FSMS programs. Many times recalls occur, not due to the failure of a well-written and executed HACCP plan, but because of poor verification and validation procedures of the supporting prerequisite programs. Establishing a matrix of training, verification and validation activities is paramount in executing a comprehensive, preventative, controlled FSMS and complying with the FSMA regulations, according to Lucas.

Corrective action and preventative action, also known as CAPA, is part of GMP and focuses not just on preventative actions but also on what to do when issues arise, says Hutter. “Let’s face it, issues will come up. Having the proper procedures in place to resolve the current issue at hand and, more importantly, to prevent it in the future, is an important part of any FSMS.”

 

Use a GFSI scheme to manage food safety

“Certification to a GFSI standard is a good step in developing your FSMS,” advises Lucas. “The GFSI standards focus on HACCP and securing the needed verification and validation activities for all supporting programs, that is, transportation, calibration, allergen management, pest control, metal detection, etc.”

Food and beverage companies should take advantage of GFSI-sanctioned programs for their respective industries while developing an FSMS, according to Hutter. “A company will end up spending more time and money, as well as valuable internal resources, if it decides to reinvent the wheel and develop its own standards. These sanctioned programs have more credibility in the industry.”

“Most decisions regarding which GFSI format [to use] are based on what the customer wants,” says Lucas. “The real question is not so much which format to choose, but whether the company has the knowledge and resources to develop, implement and execute an FSMS. If a company has international operations and customers to integrate into a corporate FSMS structure, it would want to take a hard look at FSSC 22000. If the customers and operations are US-based, then I would look at the BRC or SQF schema.”

“In many cases, big-box stores like Walmart, Costco and Kroger are driving the requirement, especially for their private label co-manufacturers. With the requirement, the stores pass the auditing management to third-party auditors and have a standardized platform by which to measure [their GFSI compliance],” adds Moore. As a side benefit, food manufacturers are able to consolidate a number of internal and external audits, as well as food safety and quality programs.

For all parties involved, the ultimate benefits are a better understanding and management of the food supply chain to ensure food safety in the manufacturing process, continues Moore. “Processors should evaluate each of the GFSI schemes based on their individual needs as a company.” In many cases, processors have several of the pieces for an FSMS, but may be lacking one part of the puzzle. Finding the missing piece(s) is important.

“The development of an FSMS is a ‘start where you are project,’” says Lucas. “Silliker consultants can assess a current system and perform a GAP analysis against the chosen GFSI format or FSSC 22000. If the company’s objective is to develop a system and not necessarily gain certification against a [GFSI] standard, the requirements are still the same. The ‘best practices’ are not that different. The key question to ask is, ‘Will upper management support and provide resources for a comprehensive FSMS, or is this simply going to be a binder on a shelf to show customers?’” says Lucas.

Money spent on GFSI certification will hardly be wasted. “A GFSI certification is an excellent, comprehensive foundation for enabling a solid FSMS,” says Moore. “In my experience, the majority of the large processors have signed on with a number of schemes, largely SQF, BRC or FSSC 22000, but some small and medium-sized companies have started the certification process as well.”

 

Use software to aid in recordkeeping

For years, data acquisition and control software has been used to keep track of critical process parameters and log data including batch records and electronic signatures of operators.

The software also provides a means to record adherence to an FSMS,  such as checking temperature on a daily basis, according to Aptean’s Nelson. In addition, the software can spot trends (e.g., an out-of-range temperature) more easily than a person and execute corrections much more quickly.

“Today’s food safety and quality assurance [FSQA] software solutions go far beyond recordkeeping,” says SafetyChain’s Levin. “Depending on the type of solution deployed, FSQA systems can define specifications, automatically schedule tasks, analyze test results in real time with auto-alerts for nonconformances, automate supplier compliance for approved vendor programs, automate inbound/outbound certificates of analysis, manage programs for regulatory and third-party compliance, allow in the field/plant inspections via mobile devices and much more.” All the parts of the FSMS are in the software solutions, which create central repositories of FSQA data from all facilities/locations/products for audit readiness, continuous improvement and trending, according to Levin.

ISO needs your help on ISO 22000 FSMS update

ISO 22000, the International Standard on food safety management systems, was last published in 2005. ISO is planning an update to the standard in September of this year, based on changing market needs, and would like your feedback and comments.

ISO reviews its standards every five years to assess whether changes or updates are needed. The committee behind ISO 22000, ISO/TC 34/SC 17, is running a review until mid-June to collect as many comments as possible on the standard before the revision process is set to start in September.

Food and beverage processors that use, implement or make reference to ISO 22000 are invited to contact ISO through member bodies in their countries. In the USA, contact ANSI, 25 West 43rd Street, Fourth Floor, US-New York,  NY 10036-7417. For email addresses, website information and contact information for other countries, visit www.iso.org/iso/home/about/iso_members.htm.

However, a long-term strategy should be developed before settling on a software system approach. “An FSMS may be the central repository for all things food safety, but more often than not, food safety management systems are built by integrating numerous systems. This creates challenges as integrations are expensive to create and inherently difficult to maintain,” explains Hutter. “These [integrations] are built to exchange data from numerous, disparate systems and databases, all running on a mix of legacy platforms with aging and complex architectures.” Since processors need to have end-to-end visibility, the sooner this patchwork of systems can be eliminated and/or consolidated, the easier it will be for processors to have the right data at a moment’s notice, says Hutter.

One area in which food safety needs to be managed is the supply chain. “In a complex supply chain, it is often difficult to verify that input products are in compliance,” says Dag Heggelund, Trace Register executive vice president and chief technology officer. “Viewing traceability as simply a recall tool is, in our opinion, shortsighted. Enhanced traceability is one key pillar for ensuring food safety compliance; it requires you to collect far more data than what is needed for recall management.” By feeding the data collected by an enhanced traceability software tool into powerful analytic tools such as Trace Register’s TR PLUS, an operator can move from a reactive mode of operation to a proactive mode—not simply managing a recall, but preventing it, adds Heggelund.

Long passed over, supply chain distribution is one of the more difficult parts of an FSMS to control, says Hutter. But new RFID traceability and cold chain traceability solutions can be invaluable in managing food safety, especially in perishable foods applications. For example, one new traceability technology combines a temperature sensor with an RFID tag that can be attached to a pallet. The tag records temperature vs. time (and with some systems) can also communicate location information as products are transported through the supply chain. So, it’s possible with this recorded and/or live data to hold specific distribution partners accountable for situations when product has been exposed to high-temperature excursions.

One of ISO 22000’s four key areas is interactive communications, especially between a processor and its suppliers. While sharing internal data can go a long way in preventing a recall, being able to communicate data in both directions can stop potential problems in their tracks. According to Intelex’s Lyon, Nestlé has a supplier corrective action program built into its Intelex Quality Management software system. All of Nestlé’s North American suppliers have access to the system. When an incoming shipment with a nonconformance is received at a Nestlé facility, an email is automatically issued to the supplier. The supplier can then log into Nestlé’s Intelex system and state the corrective actions it will take to fix any issues. Suppliers have 24 hours to respond after receiving an email notice. 

 

References:

1 “ISO 22000: 2005,” Technical Committee ISO/TC 34, Food Products (www.iso.org/obp/ui/#iso:std:iso:22000:ed-1:v1:en).

2 “The SQF Code, Edition 7,” July 2012, Safe Quality Foods Institute, p 1.

 

For more information:

Christian Hutter, Junction Solutions, 303-327-8800, chutter@junctionsolutions.com

Barbara Levin, SafetyChain Software, 888-235-7540, blevin@safetychain.com

Bevin Lyon, Intelex, 416-599-6009, ext. 244, bevin.lyon@intelex.com

Jeff Lucas, Silliker, 312-938-5151, info@silliker.com

Danna Nelson, Aptean, 770-351-9600, danna.nelson@aptean.com

Katie Moore, GE Intelligent Platforms, 800-433-2682, katie.moore@ge.com

Dag Heggelund, Trace Register, 206-621-1601, dheggelund@traceregister.com