The year 2015 is almost two months in, and the U.S. Food and Drug Administration has got its head down looking at the comments to the re-proposed rules under the Food Safety Modernization Act (FSMA), with the first of several deadlines – August 31, 2014 – looming ahead.
Against this backdrop, food safety experts Dr. David Acheson, and Melanie Neumann, at The Acheson Group, discussed the Top 5 Challenges for becoming FSMA Compliant with SafetyChain Software’s Barbara Levin.
The top 5 challenges were identified as:
FSMA has thrown out a number of different rules, and for food companies, figuring out where you should fit can be difficult. For instance, should you be looking at Preventive Controls, or Foreign Supplier Verification Program? The language in the Produce Rule is complicated, so if you are a mixed type facility, it can be challenging. While most companies are familiar with Hazard Analysis at Critical Control Points or HACCP, the concept of migrating into Hazard Analysis and Risk-based Preventive Controls or HARPC is not that easy.
Getting a handle around your supply chain and its various components is just difficult, and just understanding what this requirement will involve will be a huge challenge.
While testing of agricultural water was addressed in the initial Produce Rule, the re-proposed Preventive Controls rule included environmental monitoring and finished product testing as requirements for compliance. It will be a challenge for companies to determine what kind of testing they will need to do.
Keeping track of the variety and volume of records that FDA will need to for FSMA will be a huge challenge.
While we could have picked up many more than five, these were the top five that we think will be the most challenging.
Firstly, if you are not starting already to see what applies to you, then you are already behind. Do a FSMA readiness assessment and look at all the rules to determine which ones apply to you. For instance, if you are a company that makes cereal and cookies, then you probably don’t need to worry about the produce rule.
Once you determine the rules that are applicable to you, then the heavy lifting begins. You need to do a gap analysis to see where you are now and where you need to get to. Drawing out this road map to compliance then becomes critical, and that’s what companies need to do be doing now.
The goal of the preventive controls rule is to encourage food companies to start thinking much more about prevention. While HACCP principles are a great start, in some areas, it could be limited in scope, and focused only on critical control points that we can measure. But HARPC expands our thinking to risks that we can control that are beyond classic HACCP thinking, and don’t fit nicely into the seven steps of HACCP. For instance, hand washing – we may not be able to measure this, but this would still be a critical step to control risk. So it will be a challenge for food companies to take their HACCP program and elevate it to HARPC thinking.
The requirement for food companies to register has nothing to do with FSMA; it was included as part of Bioterrorism Act. According to this, if you are packing, holding, processing or manufacturing food, you need to register with FDA. FSMA added the requirement that this registration would need to be updated every two years. This requirement is now important as several of the supply chain management program rules, which are part of the Preventive Controls rule, apply to companies that need to register.
The requirement to have a supply chain management program was in very early versions of FSMA and then got pulled out, and then now it’s back. And it’s not going away. What can you do to prepare for this rule? Look at all your suppliers, look at who they are, what they are shipping to you – do a hazard analysis of all their products, know their risks and understand what they are doing to control that risk.
For instance, your supplier Mr. Smith is supplying you ground black pepper, which you are using in a variety of products. We have determined that ground black pepper has a potential for Salmonella risk and has been historically linked to Salmonella. So you need to do a hazard analysis and determine if it is a risky food and who is controlling that risk. Is it you or Mr. Smith, and that depends on what you are using that ingredient for. If you use it as a garnish in based potato chips, then there is no cooking or kill-step involved, so the risk should be controlled by Mr. Smith. Thus, FDA will expect you to figure out that Mr. Smith is indeed controlling that risk, which you can do through site visits and data.
Another scenario is that you get that pepper from Mr. Smith, but you are using it in soup, and thus, have your own kill step to control that risk. So you don’t need to pay that visit, put have your own procedures to address risk with that ingredient.
While ground black pepper is a straightforward example, where it gets tricky is when you have to do this will ALL your ingredients. Companies typically have hundreds of suppliers and thousands of ingredients. So start NOW to understand how this little part of the preventive controls rule will affect you; you only have about 18 months to figure this out. And for that reason, I think this will be a huge challenge.
While the original produce rule included testing requirements for water, the other testing requirements mandated by FSMA are mostly new. The preventive controls rule now requires food companies to have an environmental monitoring program in place. FDA has also laid out a strategy in which finished product testing can be used as a risk control system. It’s not mandated per se, but it may be a way to exercise the preventive controls rule. Companies need to plan right now to determine what kind of testing they will need to do, how to document it etc. The environmental monitoring program and product testing requirements are new. So start looking at these programs, understand the rules to determine which of these rules apply to you, and do the gap analysis and FSMA readiness assessment now.
Record keeping will be an area where companies are most likely to struggle. There will be mounds and mounds of documents that will be generated because of the FSMA rules. The days of filing cabinets are over, and it will be really hard to do this in a manual environment. Companies need to look at technology and automation to manage all this data. If companies happen to be regulated by dual agencies, we are talking about even more information that they need to collect and keep track of. So automate NOW.
We often notice that companies are keeping track of the right data and documentation, but are unable to prove this, and retrieve the information when needed. With FSMA, the agency is going to say, ‘if you can’t prove it, it didn’t happen.’ So companies need to get smart about having effective document retrieval systems.
While the above challenges broadly capture the most significant challenges, we think the following may also be something that companies would need to prepare for:
For more on this discussion, click here.