Protecting Food Against Intentional Adulteration: The Vulnerability Assessment (Part One)

By Debby L. Newslow
2 Comments
April 13, 2017


• Categories: Compliance, Food Manufacturing, FSMA, GFSI, RC - Food Safety Training

FDA, as part of FSMA, released its rule titled “Protecting Food Against Intentional Adulteration” on May 27, 2016. This rule was proposed in 2013. FDA received and responded to 200+ comments prior to its final release.

FDA states that this rule “is aimed at preventing intentional adulteration from acts intended to cause wide-scale harm to public health, including acts of terrorism targeting the food supply. Such acts, while not likely to occur, could cause illness, death, [and] economic disruption of the food supply absent mitigation strategies.”¹

The rule requires a documented “Food Defense Plan” that at a minimum includes the following:

• Vulnerability assessment
• Mitigation strategies
• Procedures for food defense monitoring
• Food defense corrective action procedures
• Food defense verification procedures
• Records confirming implementation, maintenance and conformance to the defined requirements
• Evidence of effective training

As a food safety professional with more than 30 years in the industry, reviewing this rule brought back many memories. These memories combined with information gained from a recently completed Food Defense/ Crisis Management workshop presented by Rod Wheeler really set my brain into motion.²

Years ago, industry focused on crisis management and product recall. Requirements included having a crisis management team that was led by associates representing both upper and middle management. In addition, most programs included the following:

• Posted identification of the crisis management team (i.e., pictures, phone numbers, etc.)
• Specific training for receptionist and guards
• Mock crisis exercises (i.e., fire drills)
• Planned crisis calls to the operation’s direct incoming phone numbers (i.e., receptionist and guards)
• Mock recalls (from supplier through finished product and distribution)
• Security inspections which may now be considered the pre-cursor to today’s “Vulnerability Assessment”

With the introduction of the GFSI approved schemes (FSSC 22000, BRC, SQF, GlobalG.A.P., Primus, etc.), requirements for crisis management, emergency preparedness, security programs, food defense training and continuity planning gained an increase focus. Do any or all of these programs meet the requirement for a “vulnerability assessment”?

In the 2013 publication, Food Safety Management Programs, this subject-matter chapter was titled “Security, Food Defense, Biovigilance, and Bioterrorism (chapter 14)”.³ An organization must identify the focus/requirements that are necessary for its operation. This decision may relate to many different parameters, including the organization’s size, design, location, food sectors represented, basic GMPs, contractor and visitor communication/access, traceability, receiving, and any other PRP programs related to ensuring the safety of your product and your facility. Requirements must be defined and associates educated to ensure that everyone has a strong and effective understanding of the requirements and what to do if a situation or event happens.

Confirming the security of a facility has always been a critical operational requirement. Many audits have been performed that included the following management statement: “Yes, of course, all the doors are locked. Security is achieved through key cards or limited distribution of door keys, thus no unwanted intruder can access our building.” This statement reminds me of a preliminary assessment that I did not too long after the shootings at a Pennsylvania manufacturer in September of 2010. The organization’s representor and myself were walking the external parameter of a food manufacturer at approximately 7:30 PM (still daylight). We found two doors (one in shipping and one accessing the main office), with the inside door latch taped so that the doors were not secure. The tape was not readily evident. The doorknob itself was locked, but a simple pull on knob opened the door. Our investigation found that a shipping office associate was waiting for his significant other to bring his dinner and was afraid that he would not be at his desk when she arrived. An office associate admitted that that door had been fixed to pull open without requiring a key several months earlier because associates frequently forgot their keys and could not gain access to start work.

Debby Newslow will present ” Sanitary Transportation for Human & Animal Food – Meeting the new FDA Requirements” at the Food Safety Supply Chain Conference  | June 5–6, 2017 | Attend in Rockville, MD or via webcast | LEARN MORE

We also observed a large overhead door adjacent to the boiler room along the street side of the facility open, allowing direct access to the processing area by passing through the boiler room and then the maintenance shop. It was stated that the door had been opened earlier in the day waiting for the delivery of new equipment. No one at the time knew the status of the shipment or why the door was still open.

Finding open access to facilities is becoming more and more common. A formal vulnerability assessment is not necessary to identify unsecured doors (24/7) in our facilities. Education and due diligence are excellent tools for this purpose.

Another frequently identified weakness is with organization’s visitor and contractor sign-in prerequisite programs. What type of “vulnerability” are we creating for ourselves (false confidence) with these programs? Frequently these programs provide more questions than answers:

• Does everyone really sign in?
• What does signing the visitor log mean?
• Are visitors required to show identification?
• Are the IDs actually reviewed and if so, what does this review include?
• Who is monitoring visitors and contractors and are they trained?
• Do all contractors have to sign the log or are they allowed to access the building at different locations?
• Do those contractors who make frequent or regular trips have their own badges and/or keys (keycards) so they don’t have to take the time to sign-in (i.e., pest control, uniform supplier vending services)?
• How are contractor badges controlled?
• Are visitors required to be accompanied during the visit or does it depend on the visitor and whom they are visiting?
• Are visitors and contractors trained in company requirements?
• Do visitors and contractors have an identifying item to alert your associates of their status (i.e., visitor badge, visitor name badge, specifically colored bump cap, colored smock, etc.)?
• How are truck drivers monitored? Do they have a secured room for them or do they have complete access to the facility to access the restrooms and breakroom?
• How are terminated associates or associates that have voluntarily left the company controlled?
  • Can these associates continue to access the facility with keys, access cards, or just through other associates (i.e., friends or associates that did not know that they were no longer an employee)?
• How many more questions can there be?

Continue to page 2 below

The organization must ensure that there is an effective program for managing visitors, contractors, and former employees. This program must ensure that access is controlled 24/7 and not an example of an ignored “vulnerability”. Controlling access to the facility and even further to the internal “high-risk areas” is a very serious matter! It just takes a few minutes of monitoring news channels or videos online (i.e., www.youtube.com) to identify what has happened and could happen to your organization!

When discussing potential attacks related to our food supply, the CDC defines bioterrorism as:

“a deliberate release of viruses, bacteria, or other germs (agents) used to cause illness or death in people, animals, or plants. These agents are typically found in nature, but it is possible that they could be changed to increase their ability to cause disease, make them resistant to current medicines, or to increase their ability to be spread into the environment. Biological agents can be spread through the air, through water, or in food. Terrorists may use biological agents because they can be extremely difficult to detect and do not cause illness for several hours to several days.”4

Bioterrorism agents are divided into three categories based on the agent’s ease in spreading and the severity of the outcome (illness or death). The highest risk is Category A, agents with the lowest risk being Category C. For more information, specifically on bioterrorism, it is recommended that the reader visit https://emergency.cdc.gov/bioterrorism/.

Many have felt that our food supply is not a good target for a bioterrorism attack because such an attack would generally not affect a large number of individuals. But a situation can be very intense and very scary with only a few people affected.

Is it true that compromising a food manufacturer could not affect large numbers? Think about how many lives your operation touches in a 24-hour period? How many individual servings are produced per filler, per hour? For example, one bulk tanker of concentrated orange juice when reconstituted may equal as much as 24,000 gallons of finished product. Multiply the number of gallons times 128 ounces per gallon then divide by 8 ounces. How many lives could this tanker affect? The answer is: 384,000 8-ounce servings. That is a lot of individuals. I strongly recommend that every operation figure out the answer to this question for their products and share this with your associates.

Bioterrorism threats related to the food supply is absolutely a concern. We must be proactive in protecting our food supply. We can no longer learn from our mistakes. Making a mistake can result in harm and even death to our consumers. As Henry Ford said, “Quality means doing it right when no one else is looking.” We can’t have quality without a safe product.

Since the release of the FSMA, we have focused strongly on the Preventive Controls (human and animal), Produce Rule and now most recently the Food Safety Verification Programs (FSVP).  Compliance with the “Protecting Food Against Intentional Adulteration” rule may be being overlooked or just put off due to other priorities. Generally most operations feel that they have an effective security program that addresses the requirements. But are these programs truly effective? Having a security program that includes the performance of accurate vulnerability assessments is critical to each food handling and manufacturing operation.

FDA defines a “vulnerability assessment” as the identification of vulnerabilities and actionable process steps for each type of food manufactured, processed, packed or held at the food facility.”² The rule defines specific requirements that must be applied to each point, step or procedure in your operation.

Rod Wheeler, Founder and CEO of Global Food Defense Institute has identified “Commonly Found Security Vulnerabilities at Food Plants”, which include such items as adequate visitor and contractor control, ineffective employee training, no defined program and many more.² Parts 2–4 of this series of articles will include a more detailed accounting of the specific requirements defined by FDA in the rule. In addition, Wheeler, based on more than 20 years of experience in law enforcement, has listed vulnerabilities and recommendations for their control.²

Don’t wait! Evaluate the effectiveness of your security program. Focus on building entrances, visitor and contractor programs, educational programs for associates, and testing your system’s overall effectiveness. An effective means to test the system at this point is for the responsible manager to have a stranger to the operation enter the facility at various times during the operation. Keep track of how long it takes someone to stop and question this individual.   Learnings from this exercise can be quite enlightening.

References

1. FDA. (May 26, 2016). “Food Safety at a Glance” “Protecting Food Against Intentional Adulteration”, U.S. Department of Health & Human Services / U.S. Food & Drug Administration.
2. Rod Wheeler, Founder & CEO, “Global Food Defense Institute”, Washington DC and instructor/partner “Food Defense/Crisis Management” workshop. Retrieved from https://www.newslow.com/registration/2017-workshops.
3. Newslow, D. (2013). Food Safety Management Programs Applications Best Practices, and Compliance. CRC Press.
4. CDC. Emergency Preparedness and Response. Bioterrorism. Retrieved from https://emergency.cdc.gov/bioterrorism/