Your HACCP plan in issue 8 of the BRC Standard,  is now called the Food Safety Plan. In this article, I’m going to cover the changes to this section…

What’s changed?

There are two main changes to the whole of this section, which we’ll go through first. And then, there’s a change to the scope of the hazards and also when a review is needed.

Main changes…

  1. There is a change of terminology that affects all of this section – HACCP or ‘food safety plan.’
  2. The change to the reference to Codex Alimentarius.

What does it mean?

The BRC standard has been amended slightly within the HACCP section to account for the changes that have taken place in the US.  In 2011 Barack Obama signed a new food safety bill called the Food Safety Modernization Act, or FSMA for short.  This Act contained a number of new rules, which were to be enforced by the FDA, which is the Food & Drug Administration.  One of which was called Preventive Controls for Human Food.  This rule required sites in the US, that were not currently governed by USDA to have a hazard analysis and risk-based preventive controls plan.  Or HARPC for short. We pronounce this as harpsee.

Up until that time, if you were not governed by the USDA, who ensure the food safety of certain sectors like dairy or fish, by law you didn’t have to have a food safety plan – or as we know it a HACCP plan.

The problem is that the FDA’s FSMA rule for Preventive Controls for Human Food, doesn’t recognise HACCP.  Which means, because HACCP is based on the Codex principles, that the FDA don’t recognise Codex.  So, Issue 7 referred to a HACCP based on the Codex principles.  This meant, in order for the BRC standard to work in the US, this needed amending.

So, they have had to add into the standard the general term of food safety plan, rather than just HACCP, in order to make it work for the US.  And now each, section says ‘equivalent to Codex Alimentarius’, because we don’t have to follow Codex, we can do something similar now.

This is also why the HACCP (or food safety plan) team leader now has to have training if it’s defined by law in the local country.  The new rule in the US says that every food safety plan must be approved by a PCQI (preventive control qualified individual). So, the standard has been amended to reflect this.

So, what do we need to do?

Well, if you produce product outside the US and don’t import it into the US, it doesn’t change much for you at all.  You just need to be aware of why the standard has been changed.

However, if you produce product in the US, or export product to the US, then you have to comply with the FSMA rule.  Which for many of us in the world is a challenge, because our local legislation requires us to work to Codex, HACCP principles.

But unfortunately, HACCP and HARPC don’t fit together exactly. I’ve written about this before so if you would like to understand why the two systems don’t work together and how to fix it, then you can read all about that using my link to these previous articles below.  I’ve also written a book on how to combine your HACCP & HARPC plan step-by-step, which has a workbook too – so it’s designed to walk you through creating your plan. More details about this are in the Issue 7 link below.

Scope of hazards

Clause 2.7.1 now lists the types of hazards we need to include, whereas before it just said ‘hazards’ and we had to go by the definition of hazard from the back of the standard, which defined it as the ones we typically know – micro, physical, chemical including allergenic and not to forget, radiological.

Now the clause says you also need to consider hazards due to fraud (e.g. substitution or deliberate/intentional adulteration) and also, malicious contamination of products. The BRC have done this so that it’s in line with the FDA’s FSMA rule for human food, as we just talked about.  Because in the US, the rule says you must include fraud and malicious contamination where there’s a risk of wide scale food safety harm.

Personally, this really annoys me.  Fraud and malicious contamination are not hazards.  They are events that would cause a hazard.  The hazard would still be micro, physical, chemical including allergens or radiological.  Yes, they may need to be included in the scope, but they are NOT hazards.  So, for me, I think the BRC have really confused things here and they should have known better.  Ok, rant over!

So, what do we do?

It’s perfectly acceptable to reference other documents or systems in your HACCP plan which meet these requirements.  Don’t replicate everything in your vulnerability assessment and your threat assessment in your HACCP. This doesn’t add any value and it just creates an admin nightmare.


Review is a theme of change for issue 8, some of the set frequencies for review have been removed or relaxed, instead we have to review when anything changes.  In clause 2.14.1 they’ve added that we need to review the HACCP (or food safety plan) when a new risk emerges.  This means that we need to listen to what is happening in industry and where there is a problem such as a recall of an ingredient or product that may affect us, then we need to do something about it.

So, how do we do this?

So now, when alerts come out from our local authority, such as the FSA in the UK or the FDA in the US, then we need to review them to establish if there is a risk to our products or process.  If there is a potential risk, then the food safety team needs to carry out a review.  And, of course you need to make sure this is documented.

This doesn’t need to be complicated, you can set up folders in your email for when the alerts come in.  One that says ‘no review required’ and one that says ‘for review’.  It can be as easy as that – you just need to be able to show your auditor that you are reviewing the information and taken action where necessary. Just make sure you really are doing this though, your auditor will be aware of all the recalls and incidents that have happened, so don’t be caught out – you need to know them too!

I hope that helps you understand the changes to issue 8 around HACCP (or the food safety plan!).  I’d love to know your thoughts on this.  Do you agree with the changes?  And of course, if you have any questions, please just pop them in the reply box below and I’ll come back to you.

food safety plan

Have your say…

12 thoughts on “The changes to HACCP (or food safety plan) for BRC Issue 8

  1. Love the rant Kassy, made me chuckle on a cold and bleak Wednesday morning! Really useful, as always. Great to understand why they have made the changes to section 2. I’ve been keeping a list of relevant recalls or threats for a few months but I’ve been doing this as a part of a bigger database. I keep a spreadsheet where I say what type of information it is, where it’s from (I include any articles or research of ‘trends’ or technologies that need keeping an eye on to try to stay ahead! and then any relevant recalls or RASSF alerts and relevant information from Trello,) a link if it is applicable, a summary of the information, how it effects the company I work for and then if there are any follow up actions or if it’s just for information. Doesn’t really take much work and I do it mostly because I am pretty new to my role as a QM so it’s for my learning more than anything!

  2. Hello Kassy;

    Thanks for the article. There is no much impact if the only changes is to make the US Regulators happy by changing the name from HACCP to Food safety Plan and not referencing or recognizing Codex.

    In Nigeria, the regulating Agency NAFDAC & SON) recognize HACCP and also Codex but any improvement to ensure food safety around is good to share for knowledge and process improvement.

  3. HI Kassy
    good summary and information, so I want now ask if I want to export to the USA after I get BRC certificate for issue 8 the auditor still use FSMA checklist or now it is enough to get BRC checklist. thanks

    1. The FSMA checklist that you’re referring to is a voluntary module, so you don’t have to go for it. If you chose not to go for the FSMA voluntary module, then you’ll be audited to sections 1 to 9 of the BRC standard only. There’s loads of FSMA articles on our website that will help you comply with FSMA.

  4. Kassy, thanks for the article, I raised the same question at my BRC conversion training as why BRC had put fraud and malicious contamination into HACCP. GFSI clearly differentiates these as intentional ‘hazards ‘ and only unintentional Hazards should be dealt with in HACCP. I have been teaching this for the last few years when looking at the difference between vulnerability assessments , including TACCP and VACCP with HACCP and people were getting it and now I am having to say.. BRC have decided to add it into HACCP. My advice is the same as yours, mention in scope and cross reference out .. but I am sure some auditors will not accept this approach. Only time will tell

    1. Hi,
      Well I’m really glad you agree and it’s not just me being pedantic! Things are complicated enough, without complicating matters further like this.
      Hopefully the auditors will be pragmatic about it, but like you say – only time will tell!

      1. Hi Kassy/Lynn,

        Thank you for your insight into section 2.7.1 BRC V8, however, if the section states to consider fraud, malicious contamination and radiological hazards at each step therefore is it a matter of consulting the risk assessment matrix that was used for the previous four hazards in V7 and walk through each step and risk assess it that way?

        1. Hi
          For fraud and malicious contamination I would just signpost to your vulnerability assessment, as you don’t need to do it twice.
          For radiological you need to make sure this is covered in your scope and where applicable it’s covered in your hazard analysis.
          I hope that helps?

  5. Thanks for the article. We have just completed a BRC audit with fraud and malicious contamination being an issue as it was not in the Hazard Analysis. What is the best way to just “reference” it and still show that all process steps have been considered?

Share your thoughts…

Your email address will not be published.

We've tagged this article as: ,