
The Clock Is Ticking For Transition To FSSC 22000 Version 4.1!

24 November 2017


First of all, let’s start with a brief introduction to the changes this scheme has gone through over the last 12 months. Version 4 was published in December 2016. That issue added several new requirements, the most notable being the introduction of unannounced audits.

The scheme was revised to align it with the benchmark requirements of the GFSI. Version 7 of the GFSI Guidance Document, which was finally released in February 2017, brought new requirements to fight food fraud, to incorporate unannounced audits, to incorporate the new scope of food brokers and traders, and to increase transparency in the benchmarking process.

After the publication of version 4, several developments influenced the drafting of version 4.1. These include:

  • GFSI Version 7.1 was published in April 2017 (and the release of version 7.2 is expected soon), adding a couple of new clauses for each scope to incorporate requirements similar to FSMA, such as purchasing from non-approved suppliers and compliance with food safety legislation. The two new sections are:

    • “15.6 Purchasing (non-approved supplier) - Use of non-approved suppliers shall be acceptable in an emergency situation provided the facility has been assessed and the product meets the specification.”

    • “25 Food Safety Legislation - The standard shall require that the organisation establishes, implements and maintains detailed procedures and instructions for all processes and operations having an effect on food safety to be compliant in the country of manufacturing as well as the country of known destination.”

  • The feedback received from industry, certification and accreditation bodies with regard to version 4.

  • The evaluation of FSSC 22000 version 4.1 against the European Accreditation procedure, led by the Dutch Accreditation Council (RvA).

Due to the above, on July 27th 2017, FSSC 22000 version 4.1 was released.

These are some of the changes that will only become operational from January 1st 2018:


Addition of several new definitions derived from GFSI Benchmark Requirements v7.1, some improvements in the text and a new term, blackout day.


At least one unannounced audit after the initial certification audit and within each three-year period shall be conducted in every certified organization.

The unannounced audit will be conducted within 12 months after the (re)certification decision or within 12 months after the last day of the previous announced surveillance audit.

The organization can choose to replace all surveillance audits by unannounced annual surveillance audits. Neither the initial certification audit (stage 1 and stage 2) nor the re-certification audit can be replaced by an unannounced audit.

Blackout days may be agreed in advance between the certification body and the certified organisation to avoid periods during which the client would find it difficult to attend and/or there is no production (for example in case of seasonal production).

NQA will decide which of the scheduled surveillance audits will be chosen for the unannounced audit. If you refuse to participate in the unannounced audit, the certificate will have to be suspended immediately and if the unannounced audit is not conducted within a six-month timeframe, we will then have to withdraw the certificate.

Secondary sites (off-site activities) and off-site storage, warehouses and distribution facilities are also audited during the unannounced audit. Head offices controlling certain functions pertinent to certification separate to the site will not be audited during the unannounced audit, but they will be audited in an announced manner.


Critical nonconformities can now be raised during FSSC audits. A critical nonconformity will be issued if food safety is directly impacted during the audit or there is evidence of controls being lost with regards to critical aspects for ensuring safe production.

If a critical nonconformity is found in a certified organization, the certificate will be immediately suspended for a maximum of a six-month period. A follow-up audit will have to be conducted by an NQA auditor within the six-month timeframe to verify the closure of the critical nonconformity.

The certificate shall be withdrawn when the critical nonconformity is not effectively solved within the six-month timeframe. When a critical nonconformity is found during a certification audit, the full audit will have to be repeated.

Opportunities for improvement are no longer acceptable, so we can probably expect an increase in the number of minor NCs raised.


FSSC 22000 version 4.1 requires mandatory audit report content. For those certification bodies like us that work globally, the organization report can be in the native language, but the audit report that is uploaded in the FSSC 22000 portal is always in English (except checklists and NC forms that can be uploaded in the local language unless specifically requested by the FSSC Foundation).

The audit duration calculation must now be shared with the FSSC Foundation through the audit report. Additional onsite audit time, time to prepare the audit and time for report writing have also been added on top of the previous requirements.

FSSC requires additional audit time for the upgrade to FSSC 22000 version 4.1 when this is conducted during a surveillance audit. Scheduled recertification audits will not need additional audit time for transition.

With regard to the audit team, the lead auditor is not allowed to perform more than two 3 year certification cycles (six years) at the same certified site. If an auditor starts auditing within the 3 year certification cycle he/she will be rotated out after 6 years.


The auditor competence and the requirements for maintaining the auditor qualification have also been updated and specifically described for each sector within the scope (catering, food manufacturing, farming, feed production, food packaging, etc.).

In order to maintain the FSSC auditor qualification, every auditor must do at least 5 FSSC audits a year and at least 3 of them must be FSSC audits.

In the event that this requirement cannot be met (due to long term sickness, maternity/paternity leave, etc.), NQA will ensure that the auditor has performed at least 5 GFSI audits, of which at least 1 is an FSSC 22000 audit.



The PAS 222:2011 standard shall no longer be used after January 1st 2018 for animal food and feed production companies.

The following scopes were added: Transport and storage services, Catering and Retail. Several new reference documents were also included: ISO/TS 22002-6 PRPs for animal feed, ISO/TS 22002-2 for catering, BSI PAS 221 PRPs for retail and NEN NTA 8059 PRPs for transport and storage.


The additional requirements “Supervision of personnel” and “Management of supplied materials” were removed from the previous version 4 of the standard.

Organizations may find guidance regarding supervision of personnel in ISO 22000:2005 clause 6.2.2, so its deletion from the new version 4.1 makes sense.

Likewise, all ISO/TS 22002 PRP programmes contain management of supplied materials as one of the mandatory prerequisites to implement and, therefore, there is no need to add this subject as another additional requirement.

Allergen management is now only applicable to manufacturing, production of food and feed packaging and packaging material and production of (bio) chemicals. The certified organizations within these sectors must include a documented allergen management plan that includes:

  • risk assessment addressing potential allergen cross contamination;
  • control measures to reduce or eliminate the risk of cross contamination;
  • validation and verification of effective implementation.

These sectors shall also ensure that an environmental monitoring program is in place in order to verify the effectiveness of cleaning and sanitation programs.

In the Food Fraud Prevention clause, all organizations are required to document and implement a vulnerability assessment procedure to identify potential vulnerabilities. Appropriate control measures must be put in place to reduce or eliminate these identified vulnerabilities. This has often been referred to as VACCP.

All policies, procedures and records are included in a food fraud prevention plan supported by the organization’s Food Safety Management System for all its products. The plan shall comply with applicable legislation. The clause Annual Review is now renamed to food fraud prevention plan.

Regarding Food Defense, it has gone from a PRP requirement only to a new requirement commonly known as TACCP.

To identify the threats, the organization shall assess the susceptibility of its products to potential food defense acts, such as sabotage, vandalism or terrorism.

The food defense plan must comply with legislation, and its content (policies, procedures and records) shall also be supported by the organization's Food Safety Management Systems and, as a consequence, reviewed together with it.

We are ready and fully committed to comply with all the required changes that version 4.1 brings, are you?
Author: Marta Vaquero, NQA UK Food Safety Certification Manager