Processors must soon comply with FSMA's rule to try to stop intentional adulteration
As food and beverage companies should be well aware, in 2016 the FDA finalized all seven major rules that implement the core of FSMA.
The Intentional Adulteration final rule builds on the six that came before it: Preventive Controls for human food and animal food (two separate rules), Produce Safety, Foreign Supplier Verification Program, Accreditation of Third-Party Certification, and Sanitary Transportation of Human and Animal Food. These seven rules are designed to work together to systemically strengthen the food safety system and better protect public health.
Under the IA rule, domestic and foreign food facilities are required to complete and maintain a written food defense plan that assesses their potential vulnerabilities to deliberate contamination where the intent is to cause wide-scale public health harm.
Who has to follow this rule?
“The FDA is very clear that the owner, operator or agent in charge is responsible,” says Kathy Knutson, an independent food safety consultant. “It is meant to be a very facility-specific rule.”
Kathy Knutson, Ph.D., Kathy Knutson Food Safety Consulting
Dr. Knutson works nationwide with food manufacturers on recall investigations, problem-solving, training, and FDA compliance. With more than 35 years in microbiology and 15 years of full-time teaching, Dr. Knutson is passionate about training and is an effective communicator at all levels in an organization. She has taught and consulted with companies on a range of topics, including quality assurance, sanitation, Standard Operating Procedures (SOPs), Good Manufacturing Practices (GMPs), Hazard Analysis and Critical Control Points (HACCP) and the FDA’s Food Safety Modernization Act (FSMA). She is trained in prevention of intentional adulteration, and she writes a food safety blog and contributes expert services to manufacturers through ConnectFood.com, an online site for writing HACCP and food safety plans. Learn more about her at www.linkedin.com/in/kathyknutsonphd.
Because this rule is a first of its kind, the FDA recognizes that many food facilities also are meeting the requirements of other FSMA rules. For this reason, the FDA provided a longer timeline in the final rule for facilities to comply. The timeline:
- Very small businesses: Operations (including any subsidiaries and affiliates) averaging less than $10 million per year, adjusted for inflation, during the three-year period preceding the applicable calendar year in sales of human food, plus the market value of human food manufactured, processed, packed or held without sale (e.g., held for a fee). These businesses would have to comply with modified requirements within five years after the publication of the final rule, which would be July 26, 2021.
- Small businesses: Those employing fewer than 500 persons would have to comply by July 27, 2020, four years after the publication of the final rule, which will be July 27, 2020.
- Other businesses: A company that is not small or very small and does not qualify for exemptions would have to comply three years after the publication of the final rule, which is July 26 of this year.
“So by default and unless they are an exemption, businesses with more than 500 employees must comply this July by following a written food defense plan,” Knutson explains. The FDA announced recently that routine inspections to verify compliance with the IA rule will begin in March 2020.
The FDA allows great flexibility on how a food defense plan is written and implemented, providing detailed guidance, Knutson says. Food defense requirements apply to the facility and do not include the farm, but the facility does consider transportation to and from its location in the food defense plan.
Knutson emphasizes that the definition of a very small business as those that average less than $10 million is not a mistake.
“The IA rule has a different definition of very small from the Preventive Controls for Human Food rule, the produce rule or the Foreign Supplier Verification Program rule,” she says. “Any business with less than $10 million in annual revenue is exempt from compliance, and the business does not have to submit documents annually to the FDA to qualify. The business does have to provide documentation of annual revenue in person to an FDA inspector upon request for review and confirmation of the size of the business.”
This stems back to what the IA rule is meant to do: prevent widespread harm to public health.
Jon Woody, CAPT, USPHS, Director, Food Defense and Emergency Coordination Staff, Office of Analytics and Outreach, CFSAN, FDA
Captain Jon Woody is currently the Director for the Food and Drug Administration’s Food Defense and Emergency Coordination Staff at the Center for Food Safety and Applied Nutrition. In this role he leads a senior staff of subject matter experts that work to develop policies, tools and resources aimed at preventing intentional adulteration of FDA regulated food products. CAPT Woody has over 13 years’ experience working on food defense initiatives at FDA.
According to Jon Woody, director of the food defense and emergency coordination staff at the FDA, the agency began to focus on food defense back in 2001. A presidential directive was issued in 2004 for the FDA and the U.S. Department of Agriculture to conduct food vulnerability assessments with industry.
“As a result, we’ve had some time to learn what works and what doesn’t, and industry has played a major role in developing that knowledge,” Woody says. “In fact, the main requirements of the rule come from our collaborative efforts with industry. What’s new is that this is the first time that industry is required to take these steps—that part is novel. Up to now, food defense activities have been voluntary.”
Ryan Newkirk, Ph.D., M.P.H., Senior Advisor for Intentional Adulteration, CFSAN, FDA
Dr. Newkirk is the Senior Advisor for Intentional Adulteration at the Center for Food Safety and Applied Nutrition, U.S. Food and Drug Administration. He led the Food Safety Modernization Act Intentional Adulteration rule writing workgroup, and is a co-lead for the IA rule guidance writing workgroup. Prior to joining FDA, Dr. Newkirk held a post-doctorate position with the U.S. Department of Agriculture, Food Safety and Inspection Service. He completed his doctorate in epidemiology and food defense research at the Food Protection and Defense Institute at the University of Minnesota School of Public Health, and completed a master’s degree in infectious disease epidemiology at Saint Louis University School of Public Health.
Voluntary participation is no longer an option, though. According to Ryan Newkirk, senior adviser for intentional adulteration with the food defense and emergency coordination staff at the FDA, the purpose of the rule is to protect food from a person or group of people who are intentionally doing something to the food to either cause illness or death on a large scale.
Although what motivates people to want to cause harm is not understood, there is some speculation. Bob Strong, industry leader/trainer at SAI Global (Americas), says that the culprits often are trying to make a statement.
Bob Strong, Ph.D., senior consultant, SAI Global Assurance Services
With 45 years of experience in the food industry, Dr. Strong has a Ph.D. and BSC in Chemistry and is an accomplished food safety trainer for numerous food safety manager certification courses. He is a GMP/HACCP/HARPC instructor, a Lead Auditor trainer, and is also certified to consult on the Global Food Safety Initiative. He is certified in 21 SQF product categories. He can be reached at email@example.com.
Gone are the days when a truck driver could hang around a facility while the truck was being loaded or unloaded, Strong says. “Not even 10 years ago, truck drivers would be able to chat with staff, use the restroom and have a cup of coffee in the breakroom. This is no longer the case,” he says.
Knutson agrees. “Because you don’t know where a threat will come from and what the motivation is, facilities have really had to tighten up their security.”
It wasn’t long ago when Strong would ask his clients how many cameras they had installed, and the answer would be none. “They would tell me cameras are un-American and that they trust their employees. Now when I ask that question, the answer is 50 cameras, 100 cameras,” Strong says.
According to Newkirk, during the vulnerability assessment, companies must find the points in their processes that pose the greatest risk for intentional adulteration. They then use mitigation strategies to address these vulnerabilities. Also, a system must be put in place for food defense monitoring, corrective action and verification, which together ensure the system is working as intended to address the vulnerabilities. The fourth piece is recordkeeping.
There are also training requirements. Personnel working at the most vulnerable points in a facility are required to take food defense awareness training and to have the education, training or experience to properly implement mitigation strategies. These personnel will prepare the food defense plan.
Knutson says, “When you put a food defense team together, you want to think outside of the box. Your food safety team is not necessarily who you want to lead the food defense team. Seek out those who might have some security background. Look for those who might be ex-military because they have already been trained in tactical strategies. They will be your biggest assets on your food defense team.”
A closer look at the plan
Although this is the first time that companies are required to create food defense plans, the FDA has taken an approach similar to the Hazard Analysis Critical Control Point system, an approach adopted by industry for the identification, evaluation and control of food safety hazards. The FSMA rules advance and strengthen those safeguards.
According to the rules, the written food defense plan must identify vulnerabilities and actionable process steps. A reanalysis is required at least every three years.
This is the identification of vulnerabilities and actionable process steps for each type of food manufactured, processed, packed or held at the food facility. For each point, step or procedure in the facility’s process, these elements must be evaluated:
- The severity and scale of the potential impact on public health. This would include such considerations as the volume of product, the number of servings, the number of exposures, how fast the food moves through the distribution system, potential agents of concern and the infectious/lethal dose of each, and the possible number of illnesses and deaths.
- The degree of physical access to the product. Consider the appropriateness of barriers such as gates, railings, doors, lids, seals and shields.
- The ability to successfully contaminate the product.
Strong says, “Regardless of the outcome, the vulnerability assessment must be written and must include an explanation as to why each point, step or procedure either was or was not identified as an actionable process step.”
Areas where food is at a high risk of intentional adulteration can include bulk liquid receiving and unloading, liquid storage and handling, secondary ingredient handling, and mixing and other similar activities. And Strong notes that ingredient and product handling vulnerabilities can exist in ingredient weighing rooms and areas for premix, rework and returned products. Other vulnerabilities can be at the mixing kettles, blending operations, grinding areas and other open processing points.
Newkirk cites the example of an open access hatch on a large liquid food storage silo or a very large mixing vat that is open without a lid. “But keep in mind that these aren’t automatically vulnerabilities. It depends on the assessment carried out by the facility.”
These should be identified and implemented at each actionable process step to provide assurances that vulnerabilities will be minimized or prevented. The mitigation strategies must be tailored to the facility and its procedures.
The final IA rule removes the distinction between “broad” and “focused” mitigation strategies. The original proposal only required focused mitigation strategies because broad strategies, such as a fence around the entire facility, would not protect specific points from being attacked by an insider.
The final rule recognizes that a mitigation strategy, applied in a directed and appropriate way to protect the actionable process step from an insider attack, would sufficiently minimize the risk of intentional adulteration.
“So if you have a mixer that does not have a lid on it, for instance, have a lid retrofit to mitigate that vulnerability,” Strong says.
Woody says that the FDA has built as much flexibility into the rule as possible to keep costs down. “This is by no means a one-size-fits-all regulation. For example, we don’t specify what method must be used to conduct the vulnerability assessment. Any method is acceptable as long as it has certain elements,” he explains. There are instances where technology-based strategies may be the best way for a facility to reduce a significant vulnerability. In other instances, a strategy based on personnel may be more practical and cost-efficient.
Steps must be taken to ensure the proper implementation of each mitigation strategy. Facilities are given more flexibility in the final rule to establish the actions most appropriate to their operations and products.
- Monitoring—Establishing and implementing procedures, including the frequency with which they are to be performed, for monitoring the mitigation strategies.
- Corrective actions—The response if mitigation strategies are not properly implemented.
- Verification—Verification activities ensure that monitoring is being conducted and appropriate decisions about corrective actions are being made.
Concerns and challenges
There is concern that the costs of complying with the rule are too high when considering the remote chance of a problem happening.
“We know that the likelihood of an incident happening at a particular facility is low, and thank goodness it’s low,” says Newkirk. “But it’s not zero. And a single act could lead to widespread harm, causing illness, death and economic disruption of the food supply. If you look at the largest outbreaks of foodborne illness, you can see what could potentially happen.”
The agency is aware that industry leaders have many questions regarding implementation of the rule in their facilities and the associated costs, he says. This is why the FDA released in May 2019 a revised and expanded installment of draft guidance.
“The most recent draft guidance adds to and replaces a version we published in June 2018. We believe that the information contained in the guidance will help address many of the concerns raised by industry,” he says.
The chapters of the current draft guidance are intended to help industry better understand:
- The components of the food defense plan.
- How to conduct vulnerability assessments by using the four Key Activity Types method (bulk liquid receiving and loading, liquid storage and handling, secondary ingredient handling, mixing and similar activities); evaluating the Three Fundamental Elements (potential public health impact, degree of physical access to the product, ability of an attacker to successfully contaminate the product); or using the Hybrid Approach, a combination of the two.
- How to identify and implement mitigation strategies.
- Food defense monitoring requirements.
- Education, training and experience requirements.
Newkirk says this installment also includes the addition of food defense plan worksheets in Appendix 1 and a new appendix that includes detailed examples of vulnerability assessments using the Three Fundamental Elements and the Hybrid Approach.
Strong says some companies find the requirements to be intrusive, and challenges he sees in the field include the shortage of time and the inherent nature to want to trust others.
“Also what worries me is the small-to-medium-size plants are going to have nothing in writing and want to just explain it to the regulator.” This will not be an option, though, so now is the time to follow all the steps and get to documenting.
Knutson says, “It will be interesting from my perspective as a consultant to see if [companies] scramble at the last minute to try to meet the requirements for a written food defense plan.”
Where to find assistance
The good news is that the FDA has provided myriad resources for assistance to industry. The FDA has established an Intentional Adulteration Subcommittee with the Food Safety Preventive Controls Alliance to develop food defense training resources for industry and regulators alike.
The agency also intends to publish guidance documents to provide information relevant to the provisions of the final rule, such as conducting a vulnerability assessment, identifying and implementing mitigation strategies, and writing procedures for food defense monitoring, corrective actions and verification.
There are a number of tools and resources currently available on the agency’s website (www.fda.gov/fooddefense) that were developed for its voluntary food defense program.
The Mitigation Strategies Database is an online, searchable listing of mitigation strategies that can be applied to different steps in a food operation to reduce the risk of intentional adulteration.
The FDA FSMA Food Safety Technical Assistance Network is already operational and provides a central source of information to support industry understanding and implementation of FSMA. Questions submitted online or by mail will be answered by information specialists or subject matter experts.
In addition to FDA resources, there is the Food Protection and Defense Institute (FPDI), a Department of Homeland Security Center of Excellence, serving the food industry in the fight against intentional adulteration since 2004. Knutson says, “I love the folks at FPDI. For people who think about crime for a living, they are really nice, normal people. And their website is the star of the show.”
Features of the FPDI website include:
- Food Defense Online Training
- Food Adulteration Incidents Registry (FAIR)
- World Factbook of Food
- Food Defense Readiness Assessment
- Focused Integration of Data for Early Signals (FIDES)
- Intentional Adulteration Assessment Tool
Knutson says they also collaborate through two platforms: CoreSHIELD and FoodSHIELD, which allow secure sharing of resources among the food defense community. FPDI works globally to monitor food defense.
She as well as Woody recommend the Food Safety Preventive Controls Alliance (FSPCA) as a go-to source for training and other resources, as the FSPCA is the hub for writing the curriculum for the Preventive Controls for Human Food, Preventive Controls for Animal Food, and Foreign Supplier Verification rules. The first food defense training from FSPCA is available now, and it is free. From the FSPCA website, “According to the IA rule, individuals assigned to work at actionable process steps and their supervisors, are required to receive training in food defense awareness (21 CFR 121.4(b)(2)).” This training is called Food Defense Awareness for the IA Rule.
Woody says, “We need training for both industry and inspectors who will be checking to make sure the requirements are met. There are currently a number of courses available FSPCA to meet the training requirement in the IA rule. The training requirement is flexible, and these courses are just one way to meet it.”
Just this April, the FSPCA has released a means for people to become lead instructors for IA, offering even more flexibility. A lead instructor is a person who has successfully completed an FSPCA Preventive Controls course and an FSPCA Lead Instructor course. Lead instructors may independently offer the FSPCA standardized curriculum (PC course) directly to participants. Visit www.fspca.com to learn more about this new program.
Woody adds that the alliance also has initiated a series of webinars that can be viewed online. He also talks about the FDA’s Food Defense Plan Builder software, which now exists under the FDA’s voluntary program and is being updated to accommodate the new rule.
Knutson says that employees will need about 20 minutes to complete the online food defense training and a printer to print the training certificate. “I would make this a part of the new hire onboarding and immediately train your employees in food defense upon orientation.”
There are many resources to help companies find the right way to go about writing their Food Defense Plan and be compliant with the newest IA rule. Large companies should already have their plan in place. Medium and small businesses have a bit more time, but why wait?
Woody says that when the compliance dates come, FDA first plans to do “quick check” inspections, which will be combined with other food safety inspections already scheduled. Inspectors will simply evaluate the food defense plans to make sure the required components are there, he says. The second stage of inspections will be more comprehensive and requires more detailed training for inspectors.
“You may have heard the phrase ‘educate before and while we regulate.’ That certainly holds true for the intentional adulteration requirements,” says Woody. “We believe a collaborative approach is the best approach for good compliance with the rule requirements.”