Tag Archives: facility

Lessons Learned from Intentional Adulteration Vulnerability Assessments (Part I)

By Frank Pisciotta, Spence Lane
No Comments

Food defense is the effort to protect food from intentional acts of adulteration where there is an intent to cause harm. Like counterterrorism laws for many industries, the IA rule, which established a compliance framework for regulated facilities, requires that these facilities prepare a security plan—in this case, a food defense plan—and conduct a vulnerability assessment (VA) to identify significant vulnerabilities that, if exploited, might cause widescale harm to public health, as defined by the FDA. Lessons learned during the conduct of food defense vulnerability and risk assessments and the preparation of the required food defense plan are detailed throughout this three-part series of articles. Part I of this series is intended to assist facilities that have not yet conducted vulnerability assessments or wish to review those already conducted, by leveraging lessons learned from assessments conducted for the largest and most complex global food and beverage facilities.

Lesson 1: VA outcomes are greatly enhanced if a physical security professional is consulted. In support of this contention, there are several physical security mitigation strategies, which can be employed to support a food defense program, that are frequently under-utilized and are not optimally managed by non-security staff. Also, the FDA seems to promote the use of cameras even though this equipment is unlikely to prevent an incident of intentional adulteration. For organizations that choose to use video surveillance, a competent security professional can help organizations engineer and operate video surveillance for maximum benefits and to meet challenging record-keeping requirements when this mitigation strategy is included in a food defense plan.

Lesson 2: Given the focus by the FDA on the insider, a formal insider threat detection program is highly recommended. Trying to promote the common, “See Something, Say Something” strategy may not be enough. For example, if employees are not clearly told what to look for in terms of uniform requirements, how to identify persons who do not belong or changes to a coworker’s baseline behavior, which may indicate moving toward a path to violence or sabotage, then “See Something, Say Something” may end up being no more than a catchy slogan.

A key element of an insider threat detection program is the completion of effective background checks for all persons who will be allowed in the facility unescorted. This includes temporary employees and contractors. A common theme in many of the recent, serious intentional adulteration incidents was that the person responsible was involved in some sort of grievance observable to coworkers and supervisors. In all insider threat detection programs, the grievance becomes an important trip wire. The Carnegie Mellon University Software Engineering Institute has published a document titled, “Common Sense Guide to Mitigating Insider Threats, Sixth Edition”. In this document is some particularly helpful guidance that can be used to stand up an insider threat detection program, but this is an effort that can take some time to fully implement.

Lesson 3: The FDA has made it abundantly clear that they believe the focus for the food and beverage industry should be the radicalized insider. A closer look at all the recently publicized contamination events suggests that there are other profiles that need to be considered. A good foundational model for building profiles of potential offenders can be found in the OSHA definitions for workplace violence offenders, which has been expanded to address ideologically based attacks. Table I applies those descriptions to the food and beverage industry, with an asterisk placed by those offender profiles that exist in recent incidents and discussed later in the text.

Class OSHA Workplace Violence Offender Description Motivation Translated to the Food and Beverage Industry
1 The offender has no legitimate relationship to the business or its employee(s). Rather, the violence is incidental to another crime, such as robbery, shoplifting, trespassing or seeking social media fame. Behavioral Health Patient *
Social Media Fame Seeker *
Copycat *
Extortion *
Economic motivation *
2 The violent person has a legitimate relationship with the business—for example, the person is a customer, client, patient, student, or inmate—and becomes violent while being served by the business, violence falls into this category. My load isn’t ready, you are costing me money
3 The offender of this type of violence could be a current employee or past employee of the organization who attacks or threatens other employee(s) in the workplace. I am upset with a coworker and adulterate to create problems for that person *
I am upset with the company and adulterate as retribution and to harm the brand *
Youthful stupidity
I am not paid enough *
4 The offender may or may not have a relationship with the business but has a personal (or perceived personal) relationship with the victim. I am upset with an intimate partner/ coworker and adulterate to create problems for that person
5 Ideological workplace violence is directed at an organization, its people, and/or property for ideological, religious or political reasons. The violence is perpetrated by extremists and value-driven groups justified by their beliefs. Radicalized Insider
Table I. A description of OSHA workplace violence offenders and how it can be applied to the F&B industry.

A supermarket in Michigan recalled 1,700 lbs. of ground beef after 111 people fell ill with nicotine poisoning. The offender, an employee, mixed insecticide into the meat to get his supervisor in trouble. In Australia, the entire strawberry industry was brought to its knees after a disgruntled supervisor “spiked” strawberries with needles. There were more than 230 copycat incidents impacting many companies. A contract employee in Japan, apparently disgruntled over his low pay, sprayed pesticide on a frozen food processing line resulting in illnesses to more than 2,000 people. A contract worker upset with a union dispute with the company at a food manufacturing plant videoed himself urinating on the production line, then uploaded the video to the Internet. Be cognizant of any grievances in the workplace and increase monitoring or take other proactive steps to reduce the risk of intentional adulteration.

Lesson 4: The IA Rule requires that every point, step and procedure be analyzed to determine if it is an actionable process step (APS). The Hazard Analysis Critical Control Point flow charts are a good starting point to comply with this element of the law but cannot be counted on completely to achieve the standard of analyzing every point, step or procedure. Critical thinking and persons familiar with the production process need to be involved to ensure that no steps are missed. Oftentimes companies modify the HACCP flow diagrams after a VA.

Lesson 5: The FDA states in the second installment of guidance (here’s the full copy) to the industry that, “There are many possible approaches to conducting a VA. You may choose an approach based on considerations such as the time and resources available and the level of specificity desired. You have the flexibility to choose any VA approach, as long as your VA contains each required component (21 CFR 121.130).”

The FDA further states that the Key Activity Type, or KAT method, is an appropriate method for conducting a VA because it reflects consideration of the three required elements and the inside attacker. Using this methodology alone, however, can result in substantially more APS’s, which might otherwise be ruled out for practical purposes such as a lack of accessibility or a lack of feasibility to contaminate the product at a point, step or procedure. We have experienced up to a 90% decline in APS’s by utilizing another FDA recommended assessment approach, the hybrid approach, which assesses each point, step or procedure as first whether it is a KAT. Then to qualify as an APS, it must also trigger positively for public health impact, accessibility and feasibility to contaminate the product.

Organizations who have yet to execute vulnerability assessments (due July 26, 2020) or who may wish to reflect back on their existing VA’s in an effort to eliminate unnecessary APS’s should find these strategies helpful to focus limited resources to the areas where they can have the greatest effect. The next two articles in this series will cover more information on electronic access, the value of site tours, comparisons to drinking water security strategies, dealing with multi-site assessments and more.

Chelle Hartzer, Orkin
Bug Bytes

Stay Audit-Ready, Anytime with Integrated Pest Management

By Chelle Hartzer
No Comments
Chelle Hartzer, Orkin

The unlimited supply of food sources that manufacturing facilities provide can make pest management a daunting task, especially with the scrutiny of third-party auditors, government regulators and customers. These high standards, along with yours, mean that diligence is a key ingredient in the recipe for pest management success.

Why is this important? The steps you take to prevent pests, and how issues are resolved if pest activity is detected, affects the overall credibility of your business. After all, pest management can account for up to 20% of an audit score.

Auditors look for an integrated pest management (IPM) plan, which includes prevention, monitoring, trend reports and corrective actions. If you want to stay audit-ready, all the time, implement the following five principles.

Open Lines of Communication

A successful pest management partnership is just that: A partnership. Create an open dialogue for ongoing communication with your pest management provider. Everyone has a role to play from sanitation to inspection to maintenance. For example, if there are any changes in your facility, such as alteration of a production line, let your provider know during their next service visit. During each visit, it’s important to set aside time to discuss what was found and done during the visit, including new pest sightings and concerns.

Communication shouldn’t be limited to the management team; your entire staff should be on board. During their day-to-day duties, employees should know what to look for, and most importantly, what to do if they notice pests or signs of pests. Reporting the issue right away can make a huge difference in solving a pest problem before it gets out of hand. Also, most pest management providers offer staff training sessions. These can be an overview of the basics during your next staff meeting or a specialized training on a pertinent issue.

Inspect Regularly

A thorough inspection can tell you a lot about your facility and the places most at risk for pests. Your pest management provider will be doing inspections every visit, but routine inspections should be done by site personnel as well. Everyone at the site has a set of eyes, so why not use them? This way, you can identify hot spots for pests and keep a closer eye on them. Pests are small and can get in through the tiniest of gaps, so some potential entry points to look out for are:
• Windows and doors. Leaving them propped open is an invitation for all sorts of pests. Don’t forget to check the bottom door seal and ensure it is sealed tight to the ground.

  • Floor drains. Sewers can serve as a freeway system for cockroaches, and drains can grant them food, water and shelter.
  • Dock plates. A great entry point for pests, as there are often gaps surrounding dock plates.
  • Ventilation intakes. These are a favorite spot for perching, roosting or nesting birds, as well as entry points for flying insects.
  • Roof. You can’t forget about the roof, as it serves as a common entry point for birds, rodents and other pests.

Another thing to look for is conducive conditions, such as sanitation issues and moisture problems. These are areas where there may not be pests yet, but they provide a perfect situation that pests could take advantage of if they aren’t dealt with. Make sure to take pictures of deficiencies so that can be shared with the maintenance department or third-party who can fix it. You can also take a picture of the work when it has been finished, showing the corrective action!

Keep It Clean

Proper sanitation is key to maintaining food safety and for preventing and reducing pests. You need a written sanitation plan to keep your cleaning routine organized and ensure no spots are left unattended for too long. The following are some additional steps consider:

  • Minimize and contain production waste. While it’s impossible to clean up all the food in a food processing site (you are producing said food!), it’s important to clean up spills quickly and regularly remove food waste.
  • Keep storage areas dry and organized.
  • Remember FIFO procedures (first in, first out) when it comes to raw ingredients and finished products.
  • Clean and maintain employee areas such as break rooms and locker rooms.
  • Ensure the outside of your facility stays clean and neat with all garbage going into trash cans with fitted lids.
  • Make sure dumpsters are emptied regularly and the area around them kept clean.

Monitoring

Monitoring devices for many pests will be placed strategically around your facility. Some common ones are insect light traps (ILTs), rodent traps and bait stations, insect pheromone traps and glue boards. It’s important to let employees know what these are there for and to respect the devices (try not to run them over with a fork lift or unplug them to charge a cell phone). These devices will be checked on a regular basis and the type of pest and the number of pests will be recorded. This data can then be analyzed over time to show trends, hot spots, and even seasonal issues. Review this with your pest management provider on a regular basis and establish thresholds and corrective actions to deal with the issues when they reach your threshold. The pest sighting log can also be considered a monitoring tool. Every time someone writes down an issue they have seen, this can be quickly checked and dealt with.

Maintain Proper Documentation

Pest management isn’t a one-time thing but a cycle of ongoing actions and reactions. Capturing the process is extremely important for many reasons. It allows you to analyze, refine and re-adjust for the best results. It’s a great way to identify issues early. Also, it’s a critical step for auditors. Appropriate documentation must be kept on hand and up-to-date. There’s lots of documentation to keep when it comes to pest management and your provider should be keeping all of that ready—from general documentation like your annual facility assessment and risk assessment to training and certification records, pest sighting reports, safety data sheets and more.

The documentation aspect may seem like a lot at first, but a pest management provider can break it down and make it easier. It’s absolutely necessary for food and product safety and will become second nature over time.

FDA

FDA Updates Food Defense Plan Builder to Support Compliance with Intentional Adulteration FSMA Rule

By Food Safety Tech Staff
No Comments
FDA

Attend the Food Defense Plenary Panel Discussion at the 2019 Food Safety Consortium | Tuesday, October 1, 2019Today FDA released an updated version of its Food Defense Plan Builder in efforts to help companies comply with the International Adulteration FSMA rule. Version 2.0 of the tool includes the following sections to help food facility owners and operators in developing a facility-specific food defense plan:

  • Facility Information
  • Process/Product Description
  • Vulnerability Assessment
  • Mitigation Strategies
  • Food Defense Monitoring Procedures
  • Food Defense Corrective Action Procedures
  • Food Defense Verification Procedures
  • Supporting Documents
  • Signature

The tool is for use on a computer, and FDA states that it does not have access to any content or documents used with the tool, nor does it track or monitor how the tool is being used. The agency also emphasizes that use of this tool is not required by law and its use does not mean that a company’s food defense plan is FDA approved or compliant with the IA rule requirements.

The original version of this tool was released in 2013. FDA will be conducting a demonstration of the Food Defense Plan Builder v. 2.0 during a webinar on October 10.