Our analysis of the different GFSI recognised schemes has so far asked whether FSSC22000 or IFS, which is a good fit for your business? and led us to carry out analysis of:

Comparison and gap analysis of BRCGS Food Safety and IFS Food
Comparison and gap analysis of BRCGS Packaging and IFS PACSecure
Comparison and gap analysis of BRCGS Agents & Brokers with IFS Brokers
Comparison and gap analysis of BRCGS Storage & Distribution and IFS Logistics

We’ve also carried out a Comparison of BRCGS, IFS and FSSC certificate scores and also FSSC22000 and IFS audit protocol compared to BRCGS.

This is the first in a series of articles where we look at the FSSC22000 Standard and review it against the BRCGS Standard, for the three Standards that FSSC provide, which are:

  • Food
  • Packaging
  • Storage & Distribution

(FSSC do not have a Standard for Agents & Brokers.)

FSSC22000

Although the IFS Standard and the BRCGS Standard, do have differences – the comparison process was fairly straightforward. Their approach is different (BRCGS is very specific and feels documentation focused, whereas IFS allows much more flexibility based on risk and feels more focused on practical aspects) but overall the way the Standard is structured is very similar.

FSSC on the other hand is totally different. It’s a bit like comparing apples and pears (as we would say here in the UK).

The number of documents you need to look at is overwhelming, and the terminology they use means it’s like reading a different language. The approach is totally different too! Once you get your head around it, it does make alot of sense – but it’s a very different way of thinking to how we do things now when applying the BRCGS Standard.  It also requires a great deal of technical knowledge and experience in order to be able to develop the right management system, especially if you’re a high-risk site.

With the FSSC Standard, there is a lot of upfront ‘set up’ work to do. Setting the scene of what is needed, before it’s applied. This is because the Standard isn’t prescriptive, so you have to work out what is needed, develop it and then apply it.

In principle this sounds great. You set up the management system that is needed for your specific company, to make your specific products and to meet the requirements of your customers and any other interested parties. Then, as long as you do what you say you’re going to do, all is well.

This is where our worries lie with this approach. If you don’t say you’re going to do ‘much’ and you don’t have customers that demand high standards, then you don’t have to do much.

Let’s think about this using an example of two companies, both applying the FSSC Standard and who have both passed and achieved their certificates.

  • Company A is a small business producing retailer own label products for customers who demand high standards. They have to regularly update their management system in line with their customers standards and so, they are audited to these high standards. To do this, they need a large technical team, even though they are a small business.
  • Company B is a large international business producing the same type of product, but it’s not retail packaged, but packed as an ingredient for further manufacturing (business to business). They have set a standard which works for their business and is balanced with their targets for optimum performance and are audited by their group audit team to these standards. This site can manage with a smaller technical team.

You would expect the culture of Company A, to be one where they are used to continually improving standards and so are accepting of change to their management system.

How does Company B implement change? Where would the pressure come from to implement more stringent standards? Why would senior management agree to such changes, when they would more than likely have a cost implication? And how would the customers of Company B drive improvement?

The likelihood is that the culture of Company B would be less accepting of change and unless it’s driven from the top down – it’s going to be much more difficult to get any improvements to the management system agreed. Customers of Company B, who could be making product for retailers, would expect retailer type Standards, but would have difficulty in getting Company B to accept them.

You can see with this example, the comparison of these two companies is impossible, even though they both have an FSSC certificate. Imagine as well, what the comparison would be like if you compared a low-risk ingredient manufacturing site with a high-risk retail manufacturing site.

Comparison to BRCGS

You may remember that here at Techni-K, we told you that we are currently working on putting together one huge combined standard, made up of all the four BRCGS Standards that we work to and then writing it into our own words.

To do this, we created a huge spreadsheet where we have aligned every clause of the 4 BRC Standards, to the 18 topics (shown in the table below). When we carried out the IFS comparison, we made the spreadsheet even bigger by adding IFS clauses to align them to the 18 topics.

Our intention was to add the clauses of FSSC to this spreadsheet too. However, it quickly became apparent that it wasn’t going to be that straightforward. Therefore, we’ve had to take a different approach. For each topic we’ve provided you with an explanation of what is needed for implementation of the FSSC Standard, rather than a direct comparison to BRC. Comparing it to BRCGS would have been misleading, as it’s really not comparable.

So, here is a summary of what is needed under each of the 18 topic headings for FSSC. In each section we’ve referenced where the requirements come from, as either FSSC, ISO (9001/22000) or Technical Spec (ISO TS22002-1)

 

1. Senior management commitment

ISO

There must be effective communication systems in place. This includes receiving information from external sources and feeding that information through the relevant internal channels.

Senior management must ensure that a Quality Policy is in place, along with the resources to achieve it. Roles, responsibilities and management are required and there must be a system of continuous improvement including management review.

Management must appoint a competent person to manage the management system and this role must have the required authority to lead its continuous improvement.

2. Document management

ISO

Before the management system is developed there are a number of pieces of work that are needed, to establish:

  • What is the purpose of the management system.
  • What the management system is expected to achieve.
  • What the boundaries are to the system (scope).
  • Identify the risks and opportunities that need addressing.

Once this is done a plan must be put in place to

  • Ensure that all the above points are met.
  • To develop and implement a change management system.
  • To set, communicate and then monitor objectives to ensure that the management system is effective.
  • Ensure that all the required resources are provided to achieve the above.

When the management system is developed or managed externally, the application and day to day management must remain the responsibility of the company.

There is a specific section for customer focus to ensure that customer requirements are met.

3. Continuous improvement

ISO

Non-conforming product process is required.

Internal audits are required.

Corrective and preventive actions are needed. Root cause analysis is not specifically mentioned but implied through the need to determine the cause of non-conformances to establish preventive actions.

Continuous improvement is a key focus and covers all aspects of the Standard.

4. Contingency

ISO

Contingency plans for emergency situations and recall and withdrawal processes are required.

5. Hazard analysis

ISO

The hazard analysis system must include OPRP’s (operational prerequisites). Hazards do not highlight radiological specifically. Hazard analysis is required for food safety purposes only; quality does not require hazard analysis.

A process is required for handling products that are out of specification because they are unsafe.

6.  Contamination control

FSSC

An allergen risk management system is required.

Food Technical Spec

  • Utilities must not pose a risk of contamination, including water, boiler chemicals, air and ventilation.
  • Microbiological, allergenic and physical contamination controls must be in place.

7. Product development

FSSC

Labelling must meet the legal requirements for the country where the product will be sold.

ISO

A product development process is required which ensures that quality objectives and customer requirements are met, including:

  • Planning.
  • Inputs and outputs of the system.
  • Review.
  • Verification and validation.
  • And change management.

8. Supplier management

ISO

Where suppliers are used for systems, products or services which relate to the management system they must be selected based on set criteria and then monitored.

The system must verify that purchased materials comply with specification.

Food Technical Spec

  • Supplier selection, approval and monitoring is required.

9. Testing

FSSC

External labs used for product safety testing must comply with ISO17025 requirements.

A risk based environmental monitoring programme is required for food and packaging sites.

A system of monitoring, measuring and analysis needs to be implemented, which ensures that the product and process meets specification.

Monitoring equipment must be accurate.

Customer satisfaction must be measured.

10. Maintenance

Food Technical Spec

  • Equipment must be of a hygienic design.
  • Planned preventive maintenance is required.

11. Product defence

FSSC

Both a threat assessment and also a vulnerability assessment is required. There is now a new FSSC guideline about how product defence should be handled, which is similar to an interpretation guide.

Food Technical Spec

  • Access controls are required for product security.

12. Training

ISO

Personnel who work internally or who support externally, must be competent in their role. The company must set the competency required and then ensure that this is met.

Competency must include an understanding of:

  • The food safety policy.
  • Objectives application to their role.
  • How they contribute to the management system.
  • The benefits of getting it right and the consequences of getting it wrong.

13. Personnel

ISO

There is a specific section of the Standard about resources. To ensure that the required resources are provided to meet the needs of the management system and in the case of personnel, they must be competent.

It also states that the work environment that is provided for personnel must be suitable.

This means it must be suitable from:

  • An ethical perspective (e.g. regarding discrimination).
  • A physiological perspective (e.g. mental health).
  • A health and well being perspective (e.g. noise, temperature).

Food Technical Spec

  • Hygienic staff facilities must be provided, including staff eating areas.
  • Personal hygiene and behaviour rules must be set.
  • Protective clothing must be appropriate and to a hygienic standard.
  • Medical screening is required.

14. Site Standards

ISO

Also within the resources section, the company must provide the resources needed to ensure that the physical infrastructure of the site is fit for purpose and maintained.

Food Technical Spec

  • Building construction must be fit for purpose and maintained.
  • Assessment of the local area must be carried out.
  • The site must be maintained.
  • Layouts and flow must adhere to good hygiene practices.
  • Internal fabrication must be fit for purpose and maintained.
  • Equipment must be located so that it is hygienic.
  • Labs must be managed so that they do not pose a risk of contamination.
  • Temporary or mobile premises and vending machines must not be a source of contamination including pests.
  • Lighting must be adequate.

15.  Microbiologically controlled facilities

Not mentioned specifically.

16.  Hygiene

ISO

Customer property (product) that is unsuitable for use must be controlled.

Food Technical Spec

  • Waste and drainage must be managed hygienically.
  • A cleaning programme is required, including CIP systems.
  • Cleaning of product contact surfaces, plant, utensils and equipment must be cleaned at defined frequencies and to a hygienic condition.
  • Cleaning must be verified as effective.
  • A pest management system is required.

17.  Process control

ISO

Operational processes are required, suitable to the operation. This includes traceability.

Food Technical Spec

  • Rework and its use must be controlled.

18. Storage & distribution

FSSC

Transport and system conditions must minimise the risk to product.

ISO

A positive release process is required.

The product must be preserved and protected.

Food Technical Spec

  • Materials must be protected from contamination during storage.
  • Vehicle checks must be carried out.

Summary

  • FSSC requires the implementation of many documents; FSSC22000, ISO 22000, ISO 9001 and for food, ISO22002-1:2009 (please note; when we refer to ‘FSSC’ in this summary we mean FSSC and all the associated documents).
  • When reading through the different sections and requirements, there’s nothing really that stands out as different – other than needing aspects such as OPRP’s.
  • There are no specific requirements for high risk products.
  • But the requirements are so open, it means that a lot more work is needed to establish what must be controlled.
  • The way a management system for FSSC needs to be put together is totally different to BRCGS.
  • It requires a great deal of initial preparation and much more focus on establishing and developing the needed controls.
  • There is a ‘flow’ throughout the Standard. Everything you do for FSSC has a purpose; an input and an output. The output of which then leads into the input of the next requirement.
  • This ‘input and output’ theory could be drawn as a flow chart and is a totally different way of thinking from BRC.
  • The language used in FSSC is difficult to read and understand.
  • The requirements are very brief as they are all based on risk, so it’s very open to interpretation (rightly or wrongly) and there is no interpretation guide.

What do you think?

So, what are your thoughts on FSSC and the work that would be needed?

What do you think about the additional requirements?

What do you think about the topics that are not included?

Share your thoughts with your fellow techie’s and add them to the comments box below.

Have your say…

12 thoughts on “FSSC Food review for implementation

  1. Good morning,
    I find it interesting to read how cumbersome this standard seems.
    Initially, during the poll we learned that IFS vs FSSC was nearly 50/50.
    But how many of Techni-K´s readers follow BRC vs IFS vs FSSC? My company follows BRC but consider moving. And after this article, I´d say we´re moving to IFS.
    I would like to know why some companies chose FSSC over IFS when IFS seems so much straight forward.
    One benefit with FSSC may be the many different documents if you got the manpower to handle them. I mean the food industry is very fond of food safety but almost totally ignore regular quality work like ISO 9000. If you need help in this area FSSC might help out.
    Also, moving from BRC to IFS should be easier – are anyone moving to FSSC anyways?

    1. Morning Tony,
      I’m with you on this – I’d love to know what attracts sites to FSSC. Hopefully our fellow techie’s will add their thoughts here – it would be great to see this from a different perspective.
      Kassy

  2. Good morning,

    Thank you for this article. Reading the comparisons of Company A and B sounded all too familiar. Unfortunately I have been the customer asking for Company B to adapt and improve, but I am often met with much frustration! This paragraph in the article sums it up amazingly:

    “The likelihood is that the culture of Company B would be less accepting of change and unless it’s driven from the top down – it’s going to be much more difficult to get any improvements to the management system agreed. Customers of Company B, who could be making product for retailers, would expect retailer type Standards, but would have difficulty in getting Company B to accept them.”

  3. Good morning everyone.
    I am a food safety consultant in Brussels for very small companies. I started with BRC v3 trainings, had even completed the third party auditor training.
    BRC started to lose companies in Belgium with version 5, if I correctly remember when it started with the High care and high-risk zones. The way the segregation of those products was defined was not correctly understood, as the “continental” food approach quite differs from the UK one. Some examples, raw milk cheeses, raw beef, … are common foods in Belgium and France. In addition, some of my clients would have needed hard infrastructure work to ensure segregation. So, most of them looked for an alternative and, in 2009, we started with the ISO approach.
    I am now accompanying 10 companies in certification each year.
    One of them is still using BRC because there are selling the company and didn’t want to change the system they already know.
    One other uses IFS, because one of her clients specifically ask for it and don’t allow any other certification.
    All the others are using FSSC (and no FSSC quality). The system needs reflection, for sure, but most of the PRP’s will use what is already in place in the companies. The only difference is you need to validate those PRP’s, so you need to list what is the use of the PRP in terms of food safety, quality, and legality, and say how this PRP will ensure that. When you do that job, you will probably remove some things that were mandatory and had no purpose, or think to breaches in your system you need to fill.
    The other advantage, for me, is the CCP and oPRP. A CCP is black or white, the product is safe or not. A typical example: The metal detector. But an oPRP is grey, and when the oPRP limit is not met, you will start a procedure to check whether your product is safe or not. The typical example here is the temperature, nobody throws a product when the fridge’s temperature reach 4.1°C instead of 4.0°C.
    Yes, FSSC needs quality teams to think more than to follow procedures. But it also allows for more possibilities and more different actions following the cases.
    And, btw, I already made comparisons for all standards on each PRP, so Kassy, if you want some collaboration, this can be discussed 🙂

    1. Mathieu, thanks for your comments on the good things about FSSC. I hope you can reply to my questions:
      1. Can you tell what manpower is needed to handle FSSC, please?
      2. It sounds like FSSC demands at least a small team?
      3. Also when leaving BRC for FSSC how much effort will it take?
      4. Is it possible to replace BRC within one year before the next audit?
      5. And how do you deal with the internal audits when the new standard is only partially implemented?

      1. Good evening Tony,
        Well, I’ll try to answer your questions.
        1 & 2. The manpower will depend on your system, your process, and your company. Sorry for that easy replay. However, I can tell you about my experience. I work with very small companies, between 4 and 25 full-time workers. I also have a company (only one) with 300 people. Many of those companies don’t have what we will call “a team”. I often have 1 person talking with me, which has the “quality manager” hat, but has also another one, or even more: sales, finance, IT manager, boss, … How do we work? We usually spend a year to set up the system together (starting from nothing) with fortnightly meetings, then I make an audit on a topic every month, and they manage the system. In the big company, there is still a “part-time” quality manager, but many quality tasks are shared with other people.
        3 & 4. The fastest I did was in 2014. The CB has lost his BRC certification because of the small number of audits, so the auditor came back for another CB. And told us, the first morning, that the new CB said to the auditor 12 hours ago they won’t accept the exclusions we had. There was some high care issue with that product, so we were unable to add it to the scope in 5 minutes. The auditor came back 15 days later for the FSSC22000 and I think we had 5 minor NC. However, I was fully trained in ISO, so it wasn’t a big job for me. With the new version, there are some additional requirements, like the SWOT analysis and the interested parties which may tale a little time. One year? Sure, you can easily do it. Don’t forget to ask your CB, if you’re already certified against a GFSI standard, you can take the 1st audit in one shot, not in 2 phases.
        5. The internal audits don’t need to prove that you work following the standard. Your audits will need to prove that what you put in place is effectively working and ensure food safety, legality, and quality. I have 22 internal audits to run, but we don’t run each of them annually. We run annually the non-conformance & complaints, suppliers, traceability, allergens and analyses audits. So, the ones giving a lot of data about the system or, which are required to be run annually (like traceability due to regulations). Others are run every 2 or 3 years.
        If I correctly understand, you don’t start with no data. You have a BRC system in place, all data from that system is also an input and can be used during the FSSC audit.

        1. Good morning Mathieu,
          thanks for your reply. It is valuable to have for future use as all articles are. Yes, we are BRC certified so we got plenty of systems in place. What worries me is the number of new documents in FSSC and that is what makes my company lean towards IFS instead. Will see when the annual audit is over.

          Kassy´s summary of all these comparisons will be of great value and that is why I take the time to be pretty active in the comments in the series of food safety – I gather information.

  4. Hi,
    I enjoy your comparisons. As an auditor I find them a useful resource for QA personnel and auditors alike.
    With regards to the language used in ISO22000 and FSSC yes it can be difficult to understand, I think it has to do the standard not being as prescriptive as other standards and as you highlight it is risk and outcome based.
    I believe ISO22000/FSSC can be a more practical standard given that you need to identify the potential hazards that can impact the business as well as determine what hazards can impact the product (HACCP). Determine the controls required (based on risk) and then measure performance against what good looks like (Objectives) and if the business is not meeting objectives make corrections….
    With the more prescriptive standards such as BRC there are similar requirements but some are pointless, i.e. (3.4.1) audits shall be based on risk…. but all activities shall be covered at least once each year !!!
    When choosing between the standards you should consider the culture and maturity of the business. Some businesses need the prescription and direction to help them improve while other businesses may have sophisticated tools in place and a dynamic culture and benefit from a more outcomes based standard.
    While BRC has an interpretation guide I have found that ISO9001:2015 uses similar language and there are a number of good “Plain English” interpretations on the internet that can be used to decipher some of the terminology in ISO22000.
    Also just to complicate FSSC further the Board of Stakeholder (Bos) requirements can make decisions that change or over rule FSSC requirements.

    Again, thanks for the insight provided 🙂

  5. Kassy, Rob mentions one important aspect: “When choosing between the standards you should consider the culture and maturity of the business.”
    I need this to be reflected in your future summary of this series of articles. Where are you and where are you going? What standard suits best with this in mind. My company has just begun a modernization journey with regards to e.g. systems. We will most likely not hire more staff but we will start working smarter with the help from web-based systems. Will this journey make us needing a certain standard? Also, we have begun the food safety culture/company culture journey so in a couple of years much improvement is done.

    1. Please don’t forget that food safety culture has been bring to the GFSI benchmarking, so every standard will require that FSC in about 2 years of time.

      1. Hi, yes this will be incorporated in our system regardless of what standard we will follow – I think and hope. FSC makes us be more aware and company culture creates a nicer workplace.

  6. I appreciate the focused and methodical approach, the way it was explained and summarised. The risk-based approach, though, has left me hanging, especially when there is no interpretation guide. This can lead to a product which risk classification goes either way, perceived a high/medium risk yet it is not, and can lead to controls that are way too stringent; or perceived as low risk yet the signs show the need for more stringent, responsive controls. The situation can go at the expense of both the manufacturer and the consumer.

    Thank you for sharing the article.

Share your thoughts…

Your email address will not be published. Required fields are marked *

We've tagged this article as: