Patrick Embwaga, The Hershey Company
FST Soapbox

Open Letter to FDA on Adoption of Systems Approach to FSMA

By Patrick Embwaga
Patrick Embwaga, The Hershey Company

The new FSMA requirements are not technology friendly.

The new FSMA regulations are primarily intended to enhance the protection of public health through promotion of adopting a modern, preventive and risk-based approach to food safety regulation. The general consensus industry-wide is that the new regulations will increase the capacity of firms in the industry to develop effective food safety management system at facility levels that will be effective in preventing distribution of food-related hazards to the general public, which may result in foodborne illness.

There is widespread consensus that the development and implementation of a food safety system whose primary purpose is to prevent the distribution of hazardous product to the general public and hence prevent or reduce foodborne illness is a much more effective and practical approach towards this end. This is especially the case when compared to past approaches, among which many programs were quality control based and focused on end-product testing given the highly fluid and dynamic complexity in the food industry, which is being fueled by technological advancements that occur at the speed of light.

Having stated consumer safety as the primary stakeholder of a facility’s food safety system, there are other secondary stakeholders whose requirements are subservient to the consumer’s health requirements, but they play key roles in determining the architectural structure of the food safety system:

  • Regulatory requirements. Primarily serve the public and act on its behalf in ensuring that all food products distributed in the market are safe for consumption. However, the regulatory requirements have their own innate requirements (i.e., the uniformity of the structure of a food safety system) at the most basic level for the purposes of compliance, which enables a harmonized structure that conveniently lends itself to a uniform approach in the inspection of facilities by FDA agents.
  • Organizational requirements. There are existential risks to an organization should a facility ship out contaminated product, as can be seen from the recent cases widely reported by the media. These range from market share reductions to rattled shareholders, and to employees, it becomes a job security issue. In fact, this is one of the key points I always bring out during trainings: The consumer is the ultimate boss, and if the consumer complains, it’s bad for our jobs as food manufacturers. If they are outright sickened/angry/mad by our job performance, we should expect the pink slips (I’m sure a number of employees at the Blue Bell Creameries will support this opinion).

From a regulatory requirement perspective, uniformity is a key aspect of the requirements, as can be inferred from regulatory text on the preventive rules, which describe the fundamental elements that must be implemented by a facility in order for it to be compliant with FDA registration. The lifecycle of regulatory requirements are long term—the last time comprehensive changes were conducted on cGMPs was in the mid-1980s. And hence the analytical/reductionist approach of focusing on food safety at the facility level is complementary to its enforcement strategy (i.e., facility-based registration and inspection).

From the organizational perspective, given that the food safety system serves an existential purpose to the business, organizations are leveraging the best available resources to endure its proper design and implementation, including employing the use of the latest available technologies. From the organizational perspective, the organizational requirements are highly dynamic and often tied to consumer and market trends. And as such in most corporate organizations, the food safety system adopts a holistic approach, whereby plant facility food safety systems are often nested within larger hierarchical corporate food safety systems. One of the fundamental reasons for this holistic set up is to enhance efficiency of these programs, especially given their key functional roles in mitigating or preventing organizational risks that may be presented through distribution of contaminated product.


  1. David Cranston

    I disagree with your assertion that the regulation isn’t flexible or technology friendly. The basic premise that because FSMA requires a facility to have a documented PLAN in addition to records that demonstrate the plan is implemented does not by its nature have any affect on the controls an organization puts in place to achieve food safety. If a facility cannot describe, in their own way, what their Food Safety System entails then how can it be verified? How can one gauge its effectiveness? It seems that you’re also interpreting “written plan” to mean that it has to be physically printed out? FSMA does not require this, it requires the plan to be documented somewhere, it can be electronic and “available at the click of a button” and that suffices as a written plan. The key here is that there is a documented description of what WILL be done with respect to preventive controls that a facility has implemented… otherwise how could that PC ever be verified?

    There’s lots of flexibility in the rules as evident by the detailed comments & responses released by FDA upon publication of the PC for Human Food final rule. Response, 131 on page 181 describes a food safety system in which magnets and screens could be categorized as cGMPs as opposed to preventive controls… if that’s not flexibility……

    There’s really nothing in the text of the rule that precludes a facility from using an electronic approach to documenting how their system works. The key is that the food safety plan, in whatever form it takes, needs to be a detailed description of what is being done and includes the management components (monitoring, corrective actions, verification, and validation) as appropriate IN ADDITION to implementation records.

  2. Craig B. Reinhart

    Patrick, I agree with David. FDA may have used a term that you interpreted as requiring paper documentation. However, 21CFR11 explicitly allows the use of electronic records for any prerequisite record in another section of the regulations. I see no reason that this would not include storage of the food safety plan. The key will be that the plan is readily accessable to all employees that need it.

  3. Patrick Embwaga

    Thank you gentlemen for the critical reviews, while I understand the perspectives of your arguments, I’d like to point out that the regulatory text itself-“a qualified facility should have a WRITTEN Plan differs from the statement David made, that a facility should have a DOCUMENTED food safety plan. It may seem like a trivial focus on semantics, but this trivial difference could have an impact on the architectural structure of an organization’s food safety system. I think we’ll all concur that in some facility’s(especially in corporate enterprises) food safety systems will not be implemented and function as discrete entities, but rather as sub-system elements nested within the organizational hierarchy of systems. The use of the regulatory text ‘Written programs’ in my view implicitly precludes the application of visual documentation in describing the processes or structure of a given system. With new technological advances that are enabling far more application enterprise engineering of organizational systems-including Food safety systems, using model based systems engineering, I don’t see how the term “written food safety plan” would be a good fit, versus a the use of the term a DOCUMENTED plan. From the regulatory enforcement perspective, I would see the need for the usage of a terminology that will enable uniformity in interpretation of the requirements-hence a written plan, such that one cannot have employ the use of a model based food safety system-It has to be a PLAN. However not all businesses are the same in structure, in fact every business is unique unto its business model. Well for my argument’s sake, what if the regulatory language was revised to say ‘Every Facility will be required to have a DOCUMENTED food safety plan, describing the implementation of all the preventive rules requirements? I’d bet this will accord businesses more leverage in determining the architectural structure of their food safety systems, and allow the application of a modular approach in developing their food safety management systems.
    If you review the comments and arguments presented during the review of the ISO quality management standard ISO 2000:2015 by the ISO/TC 176 in changing a similar requiring that was in the previous standard ISO 2000:2008 .The technical committee changes it’s requirement provisions from requiring that an organizations have WRITTEN quality Plans, to requiring DOCUMENTED information, you can see the basis of my argument.

Leave a Reply

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.