The end of the year is always a time of reflection. At Food Safety Tech, it is also a time when we like to share with you, our readers, the most popular articles over the last 12 months. Enjoy, and thank you to our loyal and new readers, as well as our contributors!
The FSMA Intentional Adulteration rule (Mitigation Strategies To Protect Food Against Intentional Adulteration) requires companies that fall under the rule to implement a written food defense plan, identify vulnerabilities and establish mitigation strategies based on those vulnerabilities. This is new territory for FDA as well as for many companies in the industry—and for this reason, the agency has established a longer compliance timeline. However, that doesn’t mean companies should wait—the time to prepare is now.
Christopher Snabes, senior manager, food safety at The Acheson Group (TAG), and Jennifer van de Ligt, Ph.D., associate director at the Food Protection & Defense Institute (FPDI), sat down with Food Safety Tech to discuss some of the challenges they see industry facing related to intentional adulteration and food defense.
In addition, TAG and FPDI are interested in gauging the industry’s level of readiness in this area and have put together the survey, Intentional Adulteration & Food Defense Industry Preparedness. We encourage you to take the survey. And don’t miss subject matter experts from TAG and FPDI at this year’s Food Safety Consortium as they discuss Food Defense: Lessons Learned from Recent Incidents + Key Steps to Mitigating Risks.
Food Safety Tech: Given the subject matter of the survey, what do you feel is the current preparedness level regarding compliance with the FSMA Intentional Adulteration rule?
Christopher Snabes: I see this from a variety of fronts. Some companies established food defense solely on the events of 9/11, putting initial food defense plans in place [that involved] fences, installing security guards and gates, and locking the outside doors. Some companies we’ve worked with feel this is sufficient enough to meet the IA rule, and that’s not correct.
TAG has assessed several companies that are in the process of conducting food defense assessments, and they’re doing them based on best industry practices, and preparing for the inside attacker and/or a terrorist getting into key production areas.
TAG has worked with some companies that are fully waiting for the second and third guidance documents from FDA to come out before they do the full food defense plan. We’ve worked with some companies doing a mix of the above—they’re not waiting for the guidance but are actively testing their plans and having an outsider test their vulnerability, and then they’re rewriting plans based on the findings. They’ll also update their food defense plans, once the second and third FDA guidances are released to the public.
We feel these are the most prepared facilities; there are not a lot of companies at this point, but they’re starting to pick up steam. At this point, I would say most companies are actively pursuing a food defense plan as well as beginning to test their vulnerability.
Jennifer van de Ligt: I agree with Chris and would add that in the past two years or so, there’s also been a shift in how the industry is viewing the Intentional Adulteration rule. Many companies currently have food defense plans based on the events of 9/11 and, for the first couple of years, as the new Intentional Adulteration rule was being written, there was still a heavy emphasis on “that should be enough.” I very rarely hear that now when discussing the Intentional Adulteration rule with our industry partners. I think companies are more prepared from an understanding perspective to move beyond perimeter security and guards to really think about the risks in the facilities that would come from people with legitimate access—what the rule defines as “insider attackers.” Although understanding is increasing, Chris is correct that different parts of industry are on different paths. Some just now understand that they have to do more, while others are well on the way to looking at how they need to structure themselves internally and are already moving towards vulnerability assessments.
FST: Are you seeing company size play a role in the readiness level?
van de Ligt: The larger companies thinking about a multi-international approach seem to be further along in the process. I think they started thinking about the vulnerability assessment, how they’re going to structure it in their company, and how they’re going to come to compliance because of the breadth and the scope that impacts them. But we’re also seeing, at least in our training, some of the mid-sized companies beginning to take action. I think again, they realize that even though they’re smaller, they’re going to need additional resources, and they might not have those resources in house, so it might take them a bit longer.
Snabes: In general I would agree with Jennifer. I think a lot of it is because they have additional resources, and they can leverage them across many facilities as needed. I don’t see as much action being taken outside the United States on the facilities that are importing into the United States. I think that’s just starting to ramp up. I’m also seeing very small businesses that aren’t required to follow the IA rule implementing this because they want to protect their brand.
FST: What challenges are you seeing companies experience in understanding food defense, IA, and the appropriate preventive actions they should be taking?
Snabes: Just understanding how the rules can apply to the business. For some companies, that’s still a challenge. Other companies, like the large ones, get it. Other small- and mid-sized companies are still trying to figure out how it applies to them. After that, the challenge is realizing there are expenses involved. For example, they have to install key fobs, cameras in critical areas, etc. They also have to realize they can meet the IA rule by not spending an exorbitant amount of money. For example, within a budget there are things companies can do without having to spend a lot of money, such as food defense awareness training.
Another challenge is educating all workers in food defense; enforcing the food safety culture within the facility and the idea that their job can be at risk. They have to realize that if they don’t recognize an individual inside the premises, or if something is out of place in a critical area, they need to inform their supervisor. If they see something, they need to say something—and ensure that the intentional adulteration is not taking place.
Educating employees is the least expensive way to invest in food defense, and it is the most effective. However, this can be a challenge for the companies that, for example, have a high turnover rate—if you have a lot of employees coming in and out, that means constant training, enforcement and re-educating. We see quite a bit of companies with a large turnover rate.
van de Ligt: I agree with those points. In our training, we also talk about food defense culture and how it needs to be supported across the business, similar to the way food safety culture is already in many of our businesses, and how to incorporate food defense awareness training, and on-boarding and refresher training.
The other challenge I see is that once you get to the understanding of what needs to be done and you get the buy-in, there are some logistical issues at some of the companies—from big to small. Some companies are struggling with understanding which part of the business should be responsible for this (the food safety group, the security group, etc.). Because we are talking about legitimate access and who is responsible for putting the plan together: How do these groups that may not have worked closely within the bigger companies now create that shared collaborative environment?
At the smaller companies, where they may not have that breadth or resources, now you’re asking a specialist in one area to pick up a completely different expertise and discipline. With a food safety and quality person, part of their job may be supply chain and sourcing, and now they also have to learn food defense. How are they managing and balancing all the different FSMA rules in their portfolio—because you have one person actually thinking about the breadth of them all. This presents a challenge to the logistics of implementation.
The other challenge I see is that FDA has done a really good job in providing input, guidance and listening sessions, and has been open and available to answer questions—more so for this rule than any of the other rules that I’ve watched go through industry. However, with the guidance being published so close to the compliance date it presents a challenge—companies that are waiting on the guidance will have to comply very quickly without the best understanding on what FDA’s thoughts are—because they’re waiting on the pending guidance.
FST: What steps should companies take to mitigate the IA risk?
van de Ligt: I have three action items for every company to take.
Read the IA rule, including the preamble if they haven’t. There’s a lot of information there that will help them understand the mindset and how the IA rule came about.
Read the guidance document when it comes out. The first guidance contains many clarifying examples that will help understanding and implementation.
Train the key people who are going to be responsible for writing the food defense plan and all employees on food defense awareness.
There are resources out there, whether it’s talking with FDA or coming to a sponsored training, for folks to get assistance in understanding and interpretation, and it would be great for them to take advantage of it.
Snabes: I agree with those three points. In general—do an FDA food defense assessment of your facility. Look for and concentrate on the key activity types that are critical. At least get a list of what areas are going to be the ones you have to mitigate. For example: The offloading of liquids, open vats, hand applied additives, etc. The most important thing I suggest doing right away is food defense awareness training for not just the supervisors, but all the employees—everyone from receiving to shipping to supply chain, etc. Everyone should be aware of the importance of food defense training and how their job depends on it.
In general, with food defense or IA—the rule is a brand new concept to FDA. It’s something they never tackled before. Because of that, there is going to be a longer time of educating before regulating. FDA is going to bend over backwards to work with companies so they understand how this rule is going to be implemented.
Any company out there can have a “strong employee” who wants to cause intentional adulteration, so the time to plan for that is now. Don’t wait for the rule to come into effect before you start planning.
As we look to 2018, the need for food defense activity remains. Increased adulteration incidents in 2017, consumer purchasing trends and FSMA rules implementation drive this need and the work necessary to complete it in 2018.
Intentional Adulteration of Food. It was evident that intentional adulteration of food did not diminish over the past year and likely increased. Adulteration cases of spices with undeclared ingredients to extend the product or boost color were documented. Terrorist plans and food adulteration tests were uncovered and publicized. In Germany, a man threatened to put antifreeze in the nation’s baby formula supply chain. And disgruntled employees continued to adulterate food to get revenge on their employer or co-workers. Given the complexity of our food system and the limited transparency of supply chains from farm to fork, those willing and able to adulterate will continue to do so in 2018.
Consumer Demands. Look in your local grocery aisles and you will find an ever-increasing section of “freedom foods”. These are foods that claim to be free of something, whether it be gluten, lactose, pesticides or GMOs. With increasing frequency, consumers are also asking questions about the sustainability and agriculture practices of the food they buy. How have the oceans been fished? Are my eggs from cage-free chickens? Does the food I buy protect the environment? Based on current trends, consumers will continue to spend their food dollars on organic, free-of, and sustainably produced food. This means food defense needs to have a keen eye on where fraudsters could adulterate products representing these food trends.
Company Food Defense. Two things have increased in the requests we are getting from companies: New incidents and the nearing deadline for compliance of the FSMA Intentional Adulteration (IA) rule. First, adulteration incidents that affect your product or the ingredients you use change the lens you see food defense through. Even an adulteration in an ingredient or product similar to yours makes you look twice at how protected you are. With the continued incidents, companies are taking a hard look at how they are affected. Second, food companies have completed their work to prepare for the early FSMA rules such as Preventive Controls and Foreign Supplier Verification and are moving their attention to the next rules. The IA rule compliance dates begin in July 2019, and we anticipate increased activities, questions and food defense efforts in 2018.
As you can see, there is a nexus of need to accomplish defense work in our food system. Perhaps 2018 will be “the” year of food defense where individually and collectively we close vulnerability gaps.
Agent detection to identify contamination of food products is required in food safety and defense programs. Detection typically involves laboratory methods or technologies, such as biosensors, that are used in close physical contact with food products. While the field of food protection has benefited from the development of novel agent detection methods in recent years, the challenge of determining which food products to test remains. The sheer volume of food produced within and traded across U.S. borders makes agent detection a daunting, time-consuming and expensive task. The decision of when to utilize detection methods depends on the risk of a particular product being contaminated. Contamination may be unintentional or intentional, including economically motivated adulteration (EMA).
The risk of contamination fluctuates over time and is a function of several factors. Risk depends on the biochemical makeup of the product, supply chain characteristics such as complexity and transport distance, and a wide range of natural or manmade events that may disrupt supply and potentially incentivize intentional adulteration. This is particularly true in the case of EMA. Events include but are not limited to natural disasters that destroy or reduce the usual supply of an ingredient, political instability that disrupts usual trade patterns, interruptions of routine food safety inspections, and market fluctuations that impact global prices. While data exists to monitor these risk factors of contamination, optimal use of this information by government and private industry is hindered by several challenges. For example, valuable data often exists across multiple data systems with data across systems appearing in inconsistent formats. In addition, the amount of data that must be reviewed to find a signal within the noise is frequently overwhelming.
To address finding signals within vast quantities of data sources and systems, the Food Protection and Defense Institute (FPDI) developed technology to curate and help make sense of this data. With support from both the FDA and the Department of Homeland Security, FPDI developed FIDES or Focused Integration of Data for Early Signals to perform “horizon scanning” of food system disruptions in support of food protection efforts, including agent detection. FIDES was designed to help users forecast, monitor and identify food system risk factors and adverse food events. The FIDES web application fuses multiple streams of data from disparate sources and displays information in the form of an online dashboard where users browse, search and layer both dynamic and reference data sets related to food system disruption events. Examples of data currently included in FIDES are import refusals, global disasters, animal health alerts, food defense incidents, historical food safety incidents, import data, price alerts and reference data on food production worldwide.
Events in recent years illustrate the value of gathering intelligence and utilizing data related to food system risks to inform decisions regarding product targeting. Tsunamis, crop failures and disease outbreaks in humans and animals around the globe have threatened supply of products such as shrimp, spices, cocoa and eggs. When supply is disrupted, companies are often forced to quickly identify new and sometimes previously unvetted suppliers, including spot market purchasing. Likewise, supply disruptions often lead to price increases. As prices increase in the absence of adequate supply, concerns about EMA also increase. In both of these instances, the risk of product contamination—both unintentional and intentional—may rise and an increase in product screening or a change in agent detection methods may be appropriate.
For example, the 2014–2016 Ebola outbreak had a significant impact on West Africa, the primary production region for the world’s cocoa supply. Disruptions from the outbreak, including border closures and other trade interference, led to uncertainty about supply availability and prices. This raised concern for EMA, particularly given that many cocoa products are sold as powders, butters and liquors—forms that are more vulnerable to EMA than raw ingredients. As a test case, FPDI reviewed FIDES data streams during the peak of the outbreak. Real-time data on the outbreak was layered with data on global cocoa production and import patterns. Import refusal data from multiple global systems was assessed to identify any concerning patterns. Historical food defense and food safety incidents were also reviewed to determine which cocoa products had been previously contaminated. A similar approach could be used by the food and agriculture sector to guide decisions about targeted inspections—which product(s) and region(s) to monitor, which method(s) to use and which contaminant(s) to test. FIDES could support targeted screening and enhanced awareness of product risk profile that would allow the food industry to assure continued supply of authentic and quality products.
Many foods, from honey to olive oil to spices, fall victim to fraudsters each year. Often a time-consuming process, conducting research about each product or ingredient can involve combing through many websites and databases for information. To save companies from doing all that heavy lifting, newer tools are aggregating the data into single platforms. One recent example is the World Factbook of Food, developed by the Food Protection and Defense Institute (FPDI) and funded by the U.S. Department of Homeland Security. The tool was released earlier this year, and Erin Mann, project manager at FPDI, explains how it is helping food companies mitigate the risk of food fraud in their supply chain.
Food Safety Tech: What are the fundamental advantages of using the World Factbook of Food and how is it different from other tools that companies can use to assess their risk?
Erin Mann: The World Factbook of Food is a central reference location for data related to food. It pulls together a lot of high quality data points from a lot of different sources into a single tool.
Companies can look for information on a lot of different food products and a lot of different sourcing regions and countries. We have more than 125 food profiles (and growing) and more than 75 country profiles (also growing). [There are 10 food profiles and 10 country profiles that are available for free] Each of the profiles covers a large number of topics. On the food profile side, there are data points on how the product is used, codes, information about standards and grades; and a lot of data about trends and consumption, production and trade patterns; there’s information about processing and supply chain characteristics; and another section about food defense and food safety.
It’s a resource that can be used anytime a company needs to get up to speed quickly on a product, because it covers a lot of different types of risks. If a company wanted access to information related to risk about past economically motivated adulteration (EMA) or intentional adulteration (IA) incidents, the Factbook has that. There’s also data on past recalls, information about major producing countries around the world—a wealth of information in one place that companies can use broadly for risk assessment—basically any use case where they want access to a lot of information from lots of sources, the Factbook can be a great place for that.
FST: Can you expand on the food defense component of the Factbook?
Mann: One of the primary sources that we pull for the food defense section comes from a complementary tool that we use here at FPDI—our food adulteration incidence registry, called the FAIR tool, which is a database of past EMA and IA incidents. On the technology side, the Factbook is directly linked with the FAIR tool. If you’re looking at a profile for a particular product, it will access the FAIR tool and display relevant incidents for that product. It won’t give you access to the entire FAIR database, but it will give you a high-level summary of what food defense incidents have happened in the past with the product, where they happened, the year and a summary.
What we’ve seen with the FAIR tool is high incidents of food adulteration in products like oils, spices, seafood—those are the major products impacted by food adulteration, particularly EMA.
FST: From what sources are the data curated?
Mann: There’s a source list at the bottom of each profile and all the data points are referenced throughout. In terms of a high-level description of where we pull data from, it includes the USDA, FDA, Codex, the U.S. International Trade commission, United Nations data, and other industry and trade groups. It also pulls data from the World Bank and the FAIR tool.
FST: How can companies use the Factbook as part of their overall risk mitigation process?
Mann: One of the primary strengths of the Factbook is that companies can use it in many different ways. Our institute has done a lot of work with big data and using multiple data sources, and one of the biggest takeaways we learned through several years in this field is that whenever you use big data or you use lots of data sources, they must produce intelligence and information that is actionable. All of the data and information doesn’t do much good if there’s not a clear summary of what to do with that information.
The Factbook aims to do that. It’s a collection and synthesis of data and clean information that’s in an easy to use and easy to navigate user interface. From there, companies can take a look and see how to use the Factbook where they see a gap in their processes. It’s a great place to access lots of information about a food product in a single place. If we can see several points in an overall risk mitigation process where the Factbook can be used, it could be used to inform decisions related to procurement. [For example], if a company suddenly needed to procure a product from a new source region or if they were developing a new product and had to procure an ingredient that they hadn’t worked with before, the Factbook would be a great place to get smart quickly on that ingredient.
The Factbook could be used for understanding supplier review and specific risks related to that ingredient, or simply horizon scanning—if companies want to take a look at some of the products they’ve determined to be high risk and learn more about the product from a holistic perspective.
As stated in the Q&A, 10 food profiles and 10 country profiles are available for free. Subscribers to the World Factbook of Food pay $600 annually for full access to the tool, and bundled pricing is available for users who are interested in access to both the Factbook and the FAIR tool.
Food defense is the protection of food products from intentional contamination or adulteration, as well as biological, chemical, physical or radiological agents. It addresses additional concerns including physical, personnel and operational security. A traditional food defense program is generally perceived as a program that includes site security, visitor control or even on-site personnel monitoring. However, with the new FSMA Preventive Controls Rules and GFSI Guidance for all the recognized schemes, in addition to consumer demand for product transparency, we must now take food fraud into consideration within our food defense program.
What is food fraud? According to the study from Michigan State University, food fraud is a collective term used to encompass the deliberate and intentional substitution, addition, tampering or misrepresentation of food, food ingredients or food packaging, or false or misleading statements made about a product, for economic gain. It is not just a potential food safety issue, but also a severe issue that could damage your brand reputation. It is hence critical to have appropriate protection and prevention, as the umbrella encompasses both food defense and food safety.
What does this mean to food manufacturers? Awareness of traceability and transparency certainly should rise. Most facilities should have a food defense program in place to comply with any GMP or GFSI requirements. What can we do to make that program more effective against food fraud? Here are some quick tips to strengthen your food defense program with food fraud prevention:
Tip 1: Review your entire supply chain one more time, considering fraud risks
Tip 2: Use the HACCP concept for food fraud risk analysis
Tip 3: Double-check incoming goods
Tip 4: Make the entire supply chain transparent
Tip 5: Document all records
Tip 1: Review your entire supply chain one more time, considering fraud risks
The unknown could potentially hurt you or your program. You would prefer to be aware of what might go wrong before it goes wrong, which is why a review should be one of the key steps in your food safety program. Review may be familiar terminology in the industry, but that does not diminish its importance to your entire food safety management system. To maintain product authenticity, understanding where your ingredients come from and who your business partners and suppliers are is the first step to success. It also gives you an excellent opportunity to analyze the risks and potential risk sources. A thorough review should include all the approved suppliers and vendor information. Knowing the source of your product provides you with a good foundation for your food defense program. How can we efficiently review our own supply chain?
List all approved suppliers and contract vendors
Make sure all ingredients are used accordingly and as intended
Keep the supplier registration list up to date
The more you understand your own supply chain, the more helpful it will be to your food defense program.
Tip 2: Use HACCP concept for food fraud risk analysis within supply chain
Hazard Analysis Critical Control Point (HACCP), as defined by FDA, is a management system in which food safety is addressed through the analysis and control of biological, chemical and physical hazards throughout the entire supply chain. The HACCP mindset can be very helpful in analyzing potential fraud risks. Its seven principles and 12 steps could be implemented to identify your own fraud risks. It is important to identify the hazards from potentially adulterated ingredients in order to determine what needs to be controlled next. Utilizing the 12 steps, we can list all the key points and steps that could potentially impact your products’ authenticity. The risks can come from personnel, visitors or the ingredients themselves. There are many resources out there; for example, US Pharmacopeia (USP) has developed a global food fraud database that is a good resource for all ingredients that have been falsely used in food products.
Tip 3: Double-check incoming goods
Many articles address the importance of vulnerability assessments to prevent food fraud, along with any documentation your suppliers have provided. Yes, it is critical; however, as one of the important steps in the HACCP program, verification is also important to make sure what goes into your finished products is safe and guaranteed. This could be addressed and monitored by implementing genetic testing. Each product and ingredient has its own DNA, just like our fingerprints. Nowadays, there are many methodologies developed for this type of test. DNA testing could be a helpful tool to help your facility verify the authenticity of your incoming raw materials. Genetic testing uses techniques like polymerase chain reaction (PCR) technology to detect the DNA of the product upon receipt of the incoming goods. Moreover, the testing is fast: facilities can now receive the test results within one to two hours. The testing itself might seem like an extra step with more effort and labor. However, the return is a huge saving on damages caused by food fraud. You can now start to verify and control your supply chain from the beginning to avoid any potential adulteration.
Tip 4: Make the entire supply chain transparent
This transparency applies not only to internal employees but also outward to your customers and vendors. That way you can familiarize yourself with your own supply chain, while at the same time establishing brand reputation and confidence with your customers.
Tip 5: Keep all records documented
The records you should keep, besides a registration list of all your ingredients and vendors, should include the inventory list, how ingredients are used, whether they are used outside of their intended use, and authorized personnel signatures. The following are some tips for efficient document control:
Make it clear and straightforward
Categorize it based on your own facility operations
Keep the records in the same order of your supply chain from ingredients to end consumers
After all, with the newly released requirements, as QA professionals, we need to start developing a mindset that considers food fraud as a type of hazard, and develop monitoring and control strategies for mitigating it. Just as we are now far more familiar with the physical, chemical and biological hazards within our production facilities than we were decades ago, food fraud will no longer be a scary term once it is proficiently understood and properly controlled.
FDA, as part of FSMA, released its rule titled “Protecting Food Against Intentional Adulteration” on May 27, 2016. This rule was proposed in 2013. FDA received and responded to 200+ comments prior to its final release.
FDA states that this rule “is aimed at preventing intentional adulteration from acts intended to cause wide-scale harm to public health, including acts of terrorism targeting the food supply. Such acts, while not likely to occur, could cause illness, death, [and] economic disruption of the food supply absent mitigation strategies.”1
The rule requires a documented “Food Defense Plan” that at a minimum includes the following:
Procedures for food defense monitoring
Food defense corrective action procedures
Food defense verification procedures
Records confirming implementation, maintenance and conformance to the defined requirements
Evidence of effective training
As a food safety professional with more than 30 years in the industry, reviewing this rule brought back many memories. These memories, combined with information gained from a recently completed Food Defense/Crisis Management workshop presented by Rod Wheeler, really set my brain into motion.2
Years ago, industry focused on crisis management and product recall. Requirements included having a crisis management team that was led by associates representing both upper and middle management. In addition, most programs included the following:
Posted identification of the crisis management team (i.e., pictures, phone numbers, etc.)
Specific training for receptionist and guards
Mock crisis exercises (i.e., fire drills)
Planned crisis calls to the operation’s direct incoming phone numbers (i.e., receptionist and guards)
Mock recalls (from supplier through finished product and distribution)
Security inspections, which may now be considered the precursor to today’s “Vulnerability Assessment”
With the introduction of the GFSI approved schemes (FSSC 22000, BRC, SQF, GlobalG.A.P., Primus, etc.), requirements for crisis management, emergency preparedness, security programs, food defense training and continuity planning gained increased focus. Do any or all of these programs meet the requirement for a “vulnerability assessment”?
In the 2013 publication, Food Safety Management Programs, this subject-matter chapter was titled “Security, Food Defense, Biovigilance, and Bioterrorism (chapter 14)”.3 An organization must identify the focus/requirements that are necessary for its operation. This decision may relate to many different parameters, including the organization’s size, design, location, food sectors represented, basic GMPs, contractor and visitor communication/access, traceability, receiving, and any other PRP programs related to ensuring the safety of your product and your facility. Requirements must be defined and associates educated to ensure that everyone has a strong and effective understanding of the requirements and what to do if a situation or event happens.
Confirming the security of a facility has always been a critical operational requirement. Many audits have been performed that included the following management statement: “Yes, of course, all the doors are locked. Security is achieved through key cards or limited distribution of door keys, thus no unwanted intruder can access our building.” This statement reminds me of a preliminary assessment that I did not too long after the shootings at a Pennsylvania manufacturer in September of 2010. The organization’s representative and I were walking the external perimeter of a food manufacturer at approximately 7:30 PM (still daylight). We found two doors (one in shipping and one accessing the main office), with the inside door latch taped so that the doors were not secure. The tape was not readily evident. The doorknob itself was locked, but a simple pull on the knob opened the door. Our investigation found that a shipping office associate was waiting for his significant other to bring his dinner and was afraid that he would not be at his desk when she arrived. An office associate admitted that that door had been fixed to pull open without requiring a key several months earlier because associates frequently forgot their keys and could not gain access to start work.
Debby Newslow will present “Sanitary Transportation for Human & Animal Food – Meeting the new FDA Requirements” at the Food Safety Supply Chain Conference | June 5–6, 2017 | Attend in Rockville, MD or via webcast
We also observed a large overhead door adjacent to the boiler room along the street side of the facility open, allowing direct access to the processing area by passing through the boiler room and then the maintenance shop. It was stated that the door had been opened earlier in the day waiting for the delivery of new equipment. No one at the time knew the status of the shipment or why the door was still open.
Finding open access to facilities is becoming more and more common. A formal vulnerability assessment is not necessary to identify unsecured doors (24/7) in our facilities. Education and due diligence are excellent tools for this purpose.
Another frequently identified weakness is with organizations’ visitor and contractor sign-in prerequisite programs. What type of “vulnerability” are we creating for ourselves (false confidence) with these programs? Frequently these programs provide more questions than answers:
Does everyone really sign in?
What does signing the visitor log mean?
Are visitors required to show identification?
Are the IDs actually reviewed and if so, what does this review include?
Who is monitoring visitors and contractors and are they trained?
Do all contractors have to sign the log or are they allowed to access the building at different locations?
Do those contractors who make frequent or regular trips have their own badges and/or keys (keycards) so they don’t have to take the time to sign in (i.e., pest control, uniform supplier vending services)?
How are contractor badges controlled?
Are visitors required to be accompanied during the visit or does it depend on the visitor and whom they are visiting?
Are visitors and contractors trained in company requirements?
Do visitors and contractors have an identifying item to alert your associates of their status (i.e., visitor badge, visitor name badge, specifically colored bump cap, colored smock, etc.)?
How are truck drivers monitored? Do they have a secured room for them or do they have complete access to the facility to access the restrooms and breakroom?
How are terminated associates or associates that have voluntarily left the company controlled?
Can these associates continue to access the facility with keys, access cards, or just through other associates (i.e., friends or associates that did not know that they were no longer an employee)?
The new food defense regulations have caused quite a stir in the food industry and have left many scratching their heads. Many companies are worried about how to implement these programs. The regulations have created a format and structure that many companies can adapt within their existing food defense programs to comply with the new law. Still, one of the biggest challenges of food defense is merely the idea of developing the food defense plan and coming into compliance with the FDA’s new Food Defense rule. The FDA received many comments from industry in response to the draft guidance. Many of these comments asked the agency for additional time to come into compliance, and the FDA responded by delaying the compliance dates well beyond what was proposed in the draft rules.
According to the regulations, companies are required to implement a food defense plan that focuses on the vulnerabilities in their facility. If you follow the FDA’s template, a food defense plan will look very similar to the traditional HACCP plan. The term VACCP (Vulnerability Analysis Critical Control Points) is being tossed around as of late. The FDA wants companies to make sure that they consider an internal attacker, one that has inside access to the buildings, processes and products that are being produced. For many companies, this is stretching them beyond their current paradigms and may force some to implement new procedures. In reality, this paradigm shift is not insurmountable when the items to be controlled are within the four walls of their facility. Even subcontractors, such as pest control providers, maintenance subcontractors, auditors, etc., can be included in these programs. However, is this enough to ensure the safety of the product you are selling, the one you are putting your name on, and the one you are personally standing behind?
The goal of current risk-based thinking is to find the weakest link in the process, evaluate the risk and likelihood of a threat to food safety, and respond appropriately to control the risk. Unlike the Preventive Controls rule and the FSVP rule, the Food Defense rule focuses on the processes occurring in a facility and does not take into account the processes involved in the supply chain. CargoNet Command Center found that there were 1500 security breaches in the transportation industry in the United States and Canada in 2015. The data was categorized by type of product, and the highest percentage of any group of products was food and beverage products, which comprised 28% of the cargo thefts. On average, that is greater than one food or beverage cargo theft per day. CargoNet Command Center provides a nice map on their website showing the location of these instances and I encourage you to review this map. If your product passes along the hot spots of cargo theft, as well as having risk factors such as being valuable or in limited supply, it would be very beneficial to put systems and programs in place to address these additional risks to your product.
In another study presented at the Food Defense conference, there was a statistically significant link between breaches in IT systems and follow-up cargo theft. Not many quality and food safety professionals, much less executives, fully understand the interdependence of all business units on food safety. Many companies have problems with siloed departments, and unfortunately, this increases the vulnerabilities to attacks on the food we are trying to protect. This is a great example of how food safety is everyone’s job, and having this mentality is key to the success of food safety programs.
Of course, the requirements of the Food Defense rule must be addressed, but I challenge the industry to look beyond the walls of our facilities and instead take a whole-business approach and apply the principles of food defense to all inputs of the process that impact the finished product. As food safety professionals, we need to work with our suppliers and our customers to ensure that the whole supply chain is protected from an attack.
SA Scott Mahloch will present FBI’s Role in Food Defense on November 29 at the 2017 Food Safety Consortium
In most cases, contamination that occurs within a food facility is unintentional. However, it’s been documented that terrorists are interested in targeting the food sector, and as lone wolf attacks gain popularity, companies need to be able to identify and protect themselves against the insider threat, said Special Agent Scott Mahloch, weapons of mass destruction coordinator for the Chicago division of the FBI, at the 2016 Food Safety Consortium.
In the following video, Mahloch talks about FBI’s role in the food industry, explains how food companies can protect themselves against terrorism by identifying the insider threat, and discusses some of the FBI’s initiatives surrounding food defense. “One of the biggest concerns that we have is the disgruntled employee and the FBI really isn’t in the position to identify these people,” says Mahloch. “That’s going to be the frontline supervisors, the coworkers that can see somebody’s behavior that maybe deviates outside anything that they would recognize as being baseline behavior.”
Many people associate terrorism with spectacular attacks such as those that occurred on September 11. However, lone wolf attacks are far more likely to happen in what has unfortunately become the new normal. “The last thing on your mind is a terrorist being interested in food. It does exist, and bad guys do have an interest in this area,” said Special Agent Scott Mahloch, weapons of mass destruction coordinator for the Chicago division of the FBI during the Food Safety Consortium last week. What does this mean for the food industry?
According to the Department of Homeland Security, with 2.2 million farms and 900,000 restaurants in the United States, the food and agricultural sector accounts for 1/5 of the national economic activity. There are several industry targets for terrorism: Food processing facilities; food storage and distribution; restaurants, grocery stores and markets; commercial facilities; and cruise lines.
While Mahloch emphasized that there is no imminent threat to the food sector, one of the biggest areas of concern for this particular industry is the insider threat. “The insider threat is that person [who] knows the facilities, processes, distribution network and can cause the greatest impact,” said Mahloch. This can be in the form of a disgruntled employee who has or can gain access to equipment or other areas of a facility that would otherwise be secure and then introduce contaminants into food products. Mahloch stressed the important role that a food company plays in monitoring employees and reporting any deviation from normal behavior. This is not an easy task—in fact, it is the most difficult threat to detect, and the most difficult threat to protect against, Mahloch pointed out.
Insider Threat: The threat posed by an individual who exploits his/her position, credentials or employment to achieve trusted access to the means, processes, equipment, material, location, facility and/or target necessary to carry out a terrorist action.
The likelihood of an employee becoming an insider threat increases with a variety of personal factors, including financial need, feelings of anger or revenge, being a sympathizer with terrorist ideology, having problems at work, compulsive and destructive behavior, ego and family issues. Food organizations also open themselves up to vulnerabilities via the following:
Allowing easy access to restricted or sensitive areas within a facility (i.e., not limiting personnel access to certain areas or clearly labeling access controls)
Failure to have physical security controls over personal items that are either brought into or taken from the workplace
Vague security policies/Lax security perception
High employee turnover
Lack of proper employee vetting
Failure to train employees in proper security protocols
Failure to have consequences for violating security policy
When assessing the insider threat, what should food companies look for in an effort to protect their facility and products? “You’re the first line of defense,” said Mahloch. “We get a lot of phone calls where people run things by us. If something doesn’t seem right, say something.” He provided several key behaviors that may be characterized as suspicious in some instances:
Someone taking a photograph or video, or notes/sketches, of food processing operations or sensitive areas
Someone attempting to gain information about company operations, especially related to security and personnel, in person, or by phone or email
Someone conducting surveillance of self-service areas such as salad bars, condiment stands or open bulk containers
Shipping area: Unscheduled deliveries, driver who is unfamiliar with facility delivery protocols, items left on dock at unusual hours, illegally parked or unattended vehicles, or shipping documents that don’t match
Companies can take several preventive steps to protect their facilities, products and personnel. Proactive measures include:
Monitoring products for evidence of tampering, resealing or damage
Securing open containers of food or ingredients in storage areas
Controlling access to specific areas of facility by delivery personnel, employees, vendors and contractors, and general visitors
Securing the loading dock area, and standardizing delivery and pickup protocol
Developing a written food defense plan
Training employees, contractors and vendors to recognize suspicious activity and report it accordingly
It’s important to stay alert and be aware—employee observations are critical, said Mahloch. Once suspicious activity is observed, the facility security officer or manager should be notified, and from there a decision can be made on whether external parties need to be involved. In general, state and local partners investigate an incident before the FBI gets involved.
“When it comes to intentional contamination [or a] terrorist incident—that’s an area that we investigate and ultimately prosecute,” said Mahloch. He emphasized the FBI is not a regulatory agency, so it would not show up at a facility due to a company’s lack of compliance with FSMA, for example. The agency is interested in food defense and intentional contamination that has the purpose of causing harm.
For more information about the FBI’s role in food defense, the agency has a document on its website that summarizes food defense for the industry, including some of the above-mentioned factors to look for when trying to identify suspicious behavior. If a company wants to report suspicious activity that is not an emergency, it can call 1-855-TELL-FBI (1-855-835-5324).