ISO 22000 - 4.3 - Determining the scope of FSMS

  

In this post I will be analyzing, in depth, Sub-clause 4.3 of ISO 22000: 2018 standard, entitled: Determination of the scope of the food safety management system, with the intention that it is better understood and applied by the various organizations that establish a food safety management system (FSMS), in accordance with this standard.

Requirements of this sub-clause are generally applied in a better way than those of the previous sub-clauses of this standard, 4.1 and 4.2, but even so, it is common that organizations do not fully understand them, so it is frequent that not all elements that lead to compliance with those requirements are being applied and controlled appropriately.

In order to carry out the analysis of this sub-clause, we are going to start by identifying the requirements that are established by it, following the methodology of identification, presentation and numbering of these requirements, as I have done in other previous entries. We must always keep in mind that it is important, first, to identify each one of the requirements established in the standard (and therefore in each sub-clause, or paragraph, in order to comply with them).

For this, it is a good time to remember that it is very important to observe how each of these sub-clauses and paragraphs is written in ISO 22000:2018 standard, to identify each one of the requirements. Generally, the subject of each sentence will be the organization, some part of it, or some required element of the FSMS. The term "shall" is the one that indicates that it is a requirement, and it is always accompanied by a verb that indicates the action that is required of that organization or of the part or element in question. And the complement of the sentence indicates one or more elements of the FSMS, or one or more characteristics of that or those elements to which that requirement applies.

However, it is important that we take into account that the wording of each sub-clause or paragraph may include, in the presentation of a single "shall", different verbs related to the same element or characteristic, or that a single verb may refer to various elements or features. This situation can lead to confusion because each of these requirements is not broken down appropriately, or because one believes that a requirement is being repeated in the standard. This will never be the case, unless there was a serious flaw in the development of the standard, which to my knowledge has not happened to date. In the standards, by principle, information is usually not repeated, nor are doubtful elements clarified, unless it is through explanatory notes. Therefore, if at any time the idea that there is repeated information about a requirement of a standard comes to you, it is surely because you are not properly understanding that requirement.

For this reason, it is important to break down all the sentences that are included in those sub-clauses and paragraphs, into separate sentences that contain a single verb and a single element or characteristic to be fulfilled. Each of those sentences will be an identified requirement of the standard.

After carrying out this type of analysis, I have identified that the group of requirements established in this Sub-clause 4.3 of ISO 22000:2018, are the following:

  

If we turn now to the careful analysis of this sub-clause, as we see in its title, in order to comply with it, an organization should determine the scope of the food safety management system. In order for us to analyze this group of requirements, it is important that we understand this concept.

For an organization to be able to operate successfully, it should carry out a great diversity of processes and activities. It is common that not all these processes and activities have an impact or a direct relationship with the safety management of the food supplied by the organization. Under this consideration, it would be impracticap that if that organization wants or needs to establish an FSMS, it is integrating to it some processes and activities that do not have any impact, either in the food safety management, or in the management of the processes that it should want to integrate to that system.

Trying to explain this, it is good to remember that every organization is, by itself, a system, regardless of its size, complexity, whether it is private, public or social. Regardless of the fact that an organization should always be well managed, in the best way that its top management can achieve it, there are certain disciplines or management aspects that can be supported in standards that contain requirements and be considered as standardized management systems within the overall management system of the organization, as in this case would be the food safety management, which, being considered contractual elements with its clients, or declared by top management before its interested parties, become requirements whose compliance should be demonstrable by the organization and can be audited by the same organization, or by external organizations (clients or certification bodies).

Various approaches can be used together to identify and determine the scope of the food safety management system.

a) One of these approaches to determine the scope of the food safety management system, that is, its boundaries and applicability, is to consider the diversity of products and services provided, to include in this scope those in which it is relevant to organization demonstrate compliance with the requirements of ISO 22000.

b) Another approach for the definition and determination of this scope is to consider its diversity of managed processes, to include in the scope of its FSMS those processes that have an impact on the food safety management and where it is relevant to the organization, to demonstrate compliance with the ISO 22000: 2018 standard requirements.

c) A third approach is that of the organizational structure and lines of direction and control, through which the organization can identify the areas or administrative units relevant to the food safety management system.

d) A fourth approach, relatively similar to the previous one, is that of geographic distribution, through which the organization can define which of its regional divisions or production units will be within the scope of said food safety management system and, in its case, which ones are not.

e) Finally, a fifth approach that we can apply is the one that refers to documentation control. If we take into consideration that any organization that is being systematically managed will have as support a series of documents in which a variety of relevant elements for that management have been established. This can be visualized as follows:

 

If we visualize the overall management system of an organization in this way, we can identify that, within this universe of documents, there will be a set of documents that would support the entire food safety management system, which should be controlled in a very specific way, and a common element of control in each document should be its particular scope, so from the controlled documentation approach in this FSMS, there we would see, as a whole, the scope of this system.

 

Let's start now with the analysis of the various requirements. For this, we find that the first two requirements of this sub-clause refer to elements that the organization should determine in the scope of the FSMS, and are the following:

Requirement No. 17: The organization shall determine the boundaries of the food safety management system to establish its scope.

For an organization to achieve this determination, it is worth mentioning that the scope of the food safety management system is in many cases self-evident and defined by the activities that take place in a single location. That scope of the FSMS becomes more complicated and challenging in circumstances where there are additional elements, such as:

• Outsourcing

• Logistics

• Multiple sites

• Service centers

• Service at customer facilities

• Collaborative products and services

From a review of the nature of the organization's operations, products and services, the scope of the FSMS should be clear. This should be expressed in the extent of the processes and controls that the organization has established.

The scope of the FSMS should be evident in the documented information supporting the process-based approach. Such documentation could include:

• manuals

• procedures

• instructions

• process diagrams (input – process – output)

• diagrams showing the links of the process    (inputs/outputs/customer)

• overlays showing activity locations

• identification of subcontracted processes

• resource diagrams (eg capability analysis, value stream mapping)

• programs

When an organization decides to establish a food safety management system, it is logical that it has one, at least, or more reasons for making this decision. It could be to have better control of its processes and results, to satisfy a requirement of a client or some regulation, to access or reach a better position in a market, among others. Whatever the reasons on which the organization supports its decision to establish this food safety management system, they should be considered to determine its scope.

If the organization is small, and its activities are focused on a single process, when establishing its food safety management system, it will not have any problem deciding the scope of that management system, since it will cover practically all or most of the organization's activities.

However, when a medium or large organization decides to establish a FSMS, one of the first strategic issues to decide is the scope of that system, since it will not necessarily have to cover all processes and/or products, or all of the organization's food safety management activities. Its top management should assess and decide which processes, products, services, divisions or production units will be covered by this system. Those would mark the determined scope of the FSMS.

The determination of the scope of the FSMS is of great importance, since all objectives that the organization establishes for this system should be able to be achieved through the application of controls for all the activities, products and services framed in this management system. No activity, product or service relevant to the food safety management system should be outside of this scope.

In order to carry out an in-depth analysis of this requirement and the others in this sub-clause, I suggest  you  consult three  documents published by the International Organization for Standardization (ISO) itself, listed below, which may shed light on this sub-clause, but which do not are part of the ISO 22000 family of standards, but two of them are related to the ISO 9001:2015 standard, and the other, that of subparagraph b), is used as a basis for the structuring and drafting of this type of management systems standards:

a) ISO/TS 9002: 2016 - Quality management systems — Guidelines for the application of ISO 9001:2015,

b) Annex SL of Appendix 2 of the ISO/IEC Directives Part 1, of the ISO Consolidated Supplement, and

c) Document "Guidelines on scope and applicability" of the ISO 9001 Auditing Practices Group, published by ISO.

I think it is important to clarify that although ISO 22000 and ISO 9001 are different standards, covering different disciplines, both deal with and set requirements for management systems, and since ISO 9001 was the first standard published by ISO on management systems management, this characteristic has promoted the existence of several supporting documents on this ISO 9001, which have not been generated for other management system standards, since ISO itself promotes that multiple documents with repeated information are not prepared. That is why it is convenient for us to know these documents related to ISO 9001, as well as the ISO 9000:2015 - terminology standard, since they contain information that may be valuable for other standardized management systems, including the FSMS under ISO 22000: 2018.

The first of these documents is a technical specification that has been developed to help users of ISO 9001:2015 Quality management systems – Requirements to apply the quality management system requirements. It provides guidance, with a section-by-section correspondence to Clauses 4 to 10 of ISO 9001:2015, although it does not provide guidance for Annexes A and B of that standard. As I have mentioned, this guidance can be valuable for the application of several requirements of other management system standards, such as those of ISO 22000:2018.

This document provides us with examples of what an organization can do, but does not add new requirements to ISO 9001, or to other standards for which it might be useful. The examples it incorporates are not definitive and only represent possibilities, not all of which are necessarily suitable for all organizations.

In accordance with this technical specification, the intent of this Sub-Clause 4.3, applying it to ISO 22000, is to determine the boundaries of the food safety management system so that it is defined in a way that helps the organization to meet the requirements and expected results of the system.

This document tells us that when determining the scope, the organization should also establish the boundaries of the food safety management system taking into account issues such as:

— the infrastructures of the organization;

— the various venues and activities of the                     organization;

— business policies and strategies;

— Centralized or externally provided functions,           activities, processes, products and services.

In a complementary way, Annex SL of Appendix 2 of the ISO/IEC Directives Part 1, of the ISO Consolidated Supplement, indicates that the intention of these requirements is to establish the physical and organizational limits to which the food safety management system will be applied.

The third document mentioned, "Guidelines on scope and applicability" of the ISO 9001 Auditing Practices Group, reminds us that when we work with management systems based on standards, there are various types of scopes, the differences of which are indicated:

- Scope of the ISO 22000 standard: Clause 1 of ISO 22000 describes its scope, the subject of the standard, the food safety management system, as well as the expected results of its application by organizations.

- Scope of the FSMS under ISO 22000, Clause 4.3 establishes that "The organization shall determine the boundaries and applicability of the FSMS to establish its scope...", as we are seeing in this document.

- Certification Scope: this certification scope is derived from the scope of the FSMS and depends on what the organization decides to certify. This scope is used to communicate the organization's FSMS certification status to relevant interested parties.

Sometimes the scope of the certificate can be narrower than the scope of the FSMS and special attention should be paid to this type of cases.

- Audit scope: It refers to the "extent and limits of an audit" (ISO 19011:2018, 3.5). Note 1 to entry: The audit scope generally includes a description of the physical and virtual locations, functions, organizational units, activities and processes, as well as the time period covered.

This same document tells us that the scope of the food safety management system refers to the determination of the boundaries and applicability of the FSMS.

Requirement No. 18: The organization shall determine the applicability of the food safety management system to establish its scope.

The document "Guidelines on scope and applicability" of the ISO 9001 Auditing Practices Group indicates that to establish applicability, those responsible should identify which products and services are formally managed within the FSMS. The products should be food, or products that will be in contact with food.

The next step is to identify the processes required to supply those products and services, whether produced by, or under the responsibility of, the organization.

Then, that applicability of the FSMS will refer to those products and services that should be supplied through processes controlled by said system, and will cover the resources, activities and production units that participate in those identified processes.

The following four requirements refer to elements that the organization shall specify in the scope of its FSMS:

Requirement No. 19: The scope shall specify the products that are included in the FSMS.

This requirement is related to the previous one, since as mentioned, the specification of the products that are included in the FSMS, by the organization, as part of the scope, are necessary to specify the applicability of this management system.

Requirement No. 20: The scope shall specify the services that are included in the FSMS.

This requirement is related to the two previous ones, since, as was also commented, this specification of the services that are provided by the organization, if any, that are included in the FSMS, as part of its scope, so they are necessary to specify the applicability of this management system.

Requirement No. 21: The scope shall specify the processes that are included in the FSMS.

As in the three previous cases, to comply with this requirement, the organization should specify, within its scope, all the processes that are included in the FSMS, both inside and, where appropriate, outside the organization, to specify the applicability of this management system.

Requirement No. 22: The scope shall specify the production sites that are included in the FSMS.

To meet this requirement, the organization should specify, within its scope, all the production sites that are included in the FSMS.

The following four requirements refer to elements that the organization shall include in the scope of the FSMS:

Requirement No. 23: The scope shall include the activities that can influence the food safety of its end products.

The organization, when specifying its scope, in order to fulfill this requirement, should identify and include all relevant activities that may affect the food safety of its end products or services.

Requirement No. 24: The scope shall include the processes that can influence the food safety of its end products.

The organization, when specifying its scope, should identify and include all processes that may affect the food safety of its end products or services, including those that may be outsourced.

Requirement No. 25: The scope shall include the products that can influence the food safety of its end products.

The organization, when specifying that scope, should identify and include all products that may affect the food safety of its end products or services, including raw materials, ingredients, inputs, packaging and others that may be in contact with food.

Requirement No. 26: The scope shall include the services that can influence the food safety of its end products.

The organization, when specifying that scope, should identify and include all services that may affect the food safety of its end products, regardless of whether those end products are services.

The following three requirements refer to elements that the organization shall consider in the scope of the FSMS:

Requirement No. 27: When determining this scope, the organization shall consider the external issues indicated in 4.1.

To comply with this requirement, to establish the scope of the FSMS, the organization should take into account the relevant external factors that have been identified when applying the methodological tools used by the organization, within its strategic planning, to determine these types of factors, such as the so-called PESTAL analysis (Analysis of Political, Economic, Social, Technological, Environmental and Legal external factors), or another.

Requirement No. 28: When determining this scope, the organization shall consider the internal issues indicated in 4.1.

Similarly, to comply with this requirement, to establish the scope of the FSMS, the organization should take into consideration the relevant internal factors that have been identified when applying the methodological tool used by the organization, within its strategic planning, to determine this type of factors, such as the so-called McKinsey “Seven “S” analysis, which helps determine the relevant internal factors, such as strategy, structure, systems, shared values, skills, style and staff, and is so called because these seven factors are identified with terms that begin with that letter.

Requirement No. 29: When determining this scope, the organization shall consider the requirements indicated in 4.2.

To comply with this requirement No. 29, the organization should take into consideration all the identified requirements that come from all the relevant interested parties that have been identified by the organization, such as customers, potential customers, final consumers, health authorities, suppliers, among others, in compliance with the aforementioned Sub-clause 4.2, to establish the scope of the FSMS.

The last two requirements refer to scope characteristics as documented information.

Requirement No. 30: The scope shall be available as documented information.

The scope should be available to all relevant interested parties, including those responsible for the organization, suppliers, customers, internal auditors and, where appropriate, external auditors and certification bodies, as documented information, in the form and means that the organization has provided, such as a manual or a web page.

Requirement No. 31: The scope shall be maintained as documented information.

The organization should establish adequate controls to maintain the scope, to ensure that the current version is in place, with the appropriate releases and issuance date, and that revision, updates, re-releases, additions and authorizations are made into the FSMS, as specified by the organization itself.

As a summary and reminder of requirements of this Subclause 4.3 of ISO 22000:2018 standard, I present the following table:

In the next entry, we will analyze Subclause 4.4.- The food safety management system, of this ISO 22000:2018 standard.

Author:

Ernesto Palomares Hilton