Unapproved ingredients and allergens, whether added intentionally or unintentionally, were the third largest reason for recalls in Germany last year, behind microbiological contamination and impurities from foreign matter. The German food warning system by the BVL (Bundesamt fuer Verbraucherschutz und Lebensmittelsicherheit) is accessible by the public and provides detailed information of warnings considering food and beverages. The warnings issued per year are growing steadily, from 100 warnings in 2015 to 161 in 2017 to 198 warnings in 2019.
WirtschaftsWoche (January 10, 2020) “Um Rueckruf wird gebeten”. Retrieved from WirtschaftsWoche3, 2020. Original source Bundesamt fuer Verbraucherschutz und Lebensmittelsicherheit
Food defense is the effort to protect food from intentional acts of adulteration where there is an intent to cause harm. Like counterterrorism laws for many industries, the IA rule, which established a compliance framework for regulated facilities, requires that these facilities prepare a security plan—in this case, a food defense plan—and conduct a vulnerability assessment (VA) to identify significant vulnerabilities that, if exploited, might cause widescale harm to public health, as defined by the FDA. Lessons learned during the conduct of food defense vulnerability and risk assessments and the preparation of the required food defense plan are detailed throughout this three-part series of articles. Part I of this seriesaddressed the importance of a physical security expert, insider threat detection programs, actionable process steps (APS) and varying approaches to a VA. Part II reviewed access, subject matter experts, mitigation strategies and community drinking water. This final article reviews broad mitigation strategies, feasibility assessments, food defense plans, partial ingredient security and the “Three Element” approach through more lessons learned from assessments conducted for the largest and most complex global food and beverage facilities, but which can also be applied to the smaller facilities that are currently in the process of readying for the next deadline of July 26.
Lesson 14: When the final rule was released, the concept of using broad mitigation strategies was eliminated. That notwithstanding and realizing that many companies seek to operate at a stricter standard for food defense with a clear focus on brand protection, versus only those process steps that potentially could result in a “wide scale public health impact.” Broad or facility-wide mitigation strategies should not be abandoned, but are less likely to get you a lot of credit for IA compliance. Including existing food safety prerequisite programs (PRP), programs and practices that are put in place to maintain a sanitary environment and minimize the risk of introducing a food safety hazard, can, in some cases, also be included as security mitigation. PRP’s with slight modifications can also contribute to a good “food defense” posture. For example, one PRP addresses hazardous chemicals and toxic substances. In some cases, non-food grade substances that could result in product contamination (not necessarily wide-scale public health impact) might be available to a disgruntled insider. It is obvious companies are concerned about contaminants being brought into the plants, but please do not overlook contaminants that are already there and ensure that they are properly secured when not in use.
Other facility-wide programs (broad mitigation) that contribute to effective food defense might include site perimeter or building security, visitor and contractor management, pre-employment background checks, employee security awareness and food defense training and sanitation chemical management.
Lesson 15: If you are using the three elements approach (Guidance Chapter 2 Section G) or the hybrid approach (Guidance Chapter 2 Section H), you will be required to make an assessment on feasibility. In the early VA’s conducted, prior to the second installment of the guidance in March of 2019, feasibility was essentially an all or nothing proposition. One could argue that a judgment call was required as to whether an intentional adulteration incident could be accomplished given the inherent conditions. Those conditions might include a lot of coworkers who might be able to observe and serve as witnesses to deter the act. With the release of the second installment of the guidance from the FDA, a new tool was made available which would allow food and beverage companies to run a calculation and make a more accurate prediction of how much of an unnamed “representative contaminant” which is assumed to be highly lethal and heat stable it might take to contaminate a product batch. Typically, the larger the batch size, the higher the quantity of the “representative contaminant” would be required to achieve a lethal dose (LD) in a serving size. So, to provide an additional level of validation with identified actionable process steps, the use of the LD calculation might be considered to provide more realistic insight into the feasibility element. For instance, if it would require one hundred pounds of the “representative contaminant,” you might feel justified in concluding that it is not realistic to get that amount of contaminant into the batch at the process step and rule out the point, step or procedure as an APS. This can save money and ensure limited food defense resources can be channeled to the areas where legitimate risk can be reduced.
Lesson 16: After an APS is identified, sites will need to determine, as the rule states, whether the existing “mitigation strategies can be applied…to significantly minimize or prevent the significant vulnerability.” Simply stated, what is in place today for food safety, and the broad-based security measures in use, may or may not be enough when you consider an insider motivated to contaminate the product. The FDA’s mitigation strategies database may offer some insights into additional food defense measures to consider. Where additional mitigation strategies are identified, from the time of completion of the VA until a site’s regulatory compliance deadline arrives (next one is July 26, 2020), that change must be incorporated into the food defense plan and fully implemented. We recommend that a site make a list of new mitigation strategies after the VA is complete for tracking purposes during the implementation phase. No mitigation strategies should be included in the food defense plan that are not fully implemented and where records cannot be adequately produced.
Lesson 17: In the second installment of the guidance, the concept of partial ingredients was introduced. The key activity types (KAT) of secondary ingredients is now considered to include the storage of partially used, open containers of secondary ingredients where the tamper-evident packaging has been breached. Tamper evident tape looked to have promising benefits, but several of our clients have abandoned the use of this mitigation strategy, which has been proven repeatedly to be defeated without detection. It appears that using containers that can be secured with numbered seals might be a better option and even better if the seals would be metal detectable in the event one went astray in a product stream.
Lesson 18: Food defense plan unification. Facilities regulated under the IA rule are likely to already have a food defense plan for other initiates such as SQF or BRC. The IA Rule is not unlike other counter-terrorism regulations in potential to create challenges to meet voluntary and regulatory requirements without having multiple food defense plans. The IA Rule based on its modeling after HACCP creates some very specific requirements in terms of how data needs to be presented and records maintained. Sites may be doing other things to support food defense, and one strategy that might keep auditors in their lane would be to include any non-IA Rule food defense content (e.g., for SQF or BRC) in an appendix to the IA Rule Food Defense Plan.
Lesson 19: Under the VA method the FDA refers to as “the “Three Element” approach, suggestion is made in the guidance released in March 2019 that regulated facilities might consider creating stratified categories for each element of public health impact, degree of physical access and ability of the attacker to successfully contaminate product. This is asking regulated facilities to engineer their own vulnerability assessment methodology. It is our opinion that this is asking a lot from a food and beverage facility and that creating categories for each element (e.g., refer to Table 3 on page 54) will extend the time it takes to complete a vulnerability assessment, create a lot more uncertainty in the process and does not necessarily help companies to identify the areas where intentional adulteration risk is highest.
Organizations who have yet to execute vulnerability assessments (due July 26) or those who have already completed vulnerability assessments who may wish to reflect back on their existing VAs in an effort to eliminate unnecessary APS’s should find these strategies helpful in focusing limited resources to the areas where they can have the greatest effect. Since the initiation of this article series, the FDA has released its third installment of the guidance. Once we reflect on this new installment, we will address our thoughts in a future article.
Food defense is the effort to protect food from intentional acts of adulteration where there is an intent to cause harm. Like counterterrorism laws for many industries, the IA rule, which established a compliance framework for regulated facilities, requires that these facilities prepare a security plan—in this case, a food defense plan—and conduct a vulnerability assessment (VA) to identify significant vulnerabilities that, if exploited, might cause widescale harm to public health, as defined by the FDA. Lessons learned during the conduct of food defense vulnerability and risk assessments and the preparation of the required food defense plan are detailed throughout this three-part series of articles. Part I of this series is intended to assist facilities that have not yet conducted vulnerability assessments or wish to review those already conducted, by leveraging lessons learned from assessments conducted for the largest and most complex global food and beverage facilities.
Lesson 1: VA outcomes are greatly enhanced if a physical security professional is consulted. In support of this contention, there are several physical security mitigation strategies, which can be employed to support a food defense program, that are frequently under-utilized and are not optimally managed by non-security staff. Also, the FDA seems to promote the use of cameras even though this equipment is unlikely to prevent an incident of intentional adulteration. For organizations that choose to use video surveillance, a competent security professional can help organizations engineer and operate video surveillance for maximum benefits and to meet challenging record-keeping requirements when this mitigation strategy is included in a food defense plan.
Lesson 2: Given the focus by the FDA on the insider, a formal insider threat detection program is highly recommended. Trying to promote the common, “See Something, Say Something” strategy may not be enough. For example, if employees are not clearly told what to look for in terms of uniform requirements, how to identify persons who do not belong or changes to a coworker’s baseline behavior, which may indicate moving toward a path to violence or sabotage, then “See Something, Say Something” may end up being no more than a catchy slogan.
A key element of an insider threat detection program is the completion of effective background checks for all persons who will be allowed in the facility unescorted. This includes temporary employees and contractors. A common theme in many of the recent, serious intentional adulteration incidents was that the person responsible was involved in some sort of grievance observable to coworkers and supervisors. In all insider threat detection programs, the grievance becomes an important trip wire. The Carnegie Mellon University Software Engineering Institute has published a document titled, “Common Sense Guide to Mitigating Insider Threats, Sixth Edition”. In this document is some particularly helpful guidance that can be used to stand up an insider threat detection program, but this is an effort that can take some time to fully implement.
Lesson 3: The FDA has made it abundantly clear that they believe the focus for the food and beverage industry should be the radicalized insider. A closer look at all the recently publicized contamination events suggests that there are other profiles that need to be considered. A good foundational model for building profiles of potential offenders can be found in the OSHA definitions for workplace violence offenders, which has been expanded to address ideologically based attacks. Table I applies those descriptions to the food and beverage industry, with an asterisk placed by those offender profiles that exist in recent incidents and discussed later in the text.
OSHA Workplace Violence Offender Description
Motivation Translated to the Food and Beverage Industry
The offender has no legitimate relationship to the business or its employee(s). Rather, the violence is incidental to another crime, such as robbery, shoplifting, trespassing or seeking social media fame.
Behavioral Health Patient *
Social Media Fame Seeker *
Economic motivation *
The violent person has a legitimate relationship with the business—for example, the person is a customer, client, patient, student, or inmate—and becomes violent while being served by the business, violence falls into this category.
My load isn’t ready, you are costing me money
The offender of this type of violence could be a current employee or past employee of the organization who attacks or threatens other employee(s) in the workplace.
I am upset with a coworker and adulterate to create problems for that person *
I am upset with the company and adulterate as retribution and to harm the brand *
I am not paid enough *
The offender may or may not have a relationship with the business but has a personal (or perceived personal) relationship with the victim.
I am upset with an intimate partner/ coworker and adulterate to create problems for that person
Ideological workplace violence is directed at an organization, its people, and/or property for ideological, religious or political reasons. The violence is perpetrated by extremists and value-driven groups justified by their beliefs.
Table I. A description of OSHA workplace violence offenders and how it can be applied to the F&B industry.
A supermarket in Michigan recalled 1,700 lbs. of ground beef after 111 people fell ill with nicotine poisoning. The offender, an employee, mixed insecticide into the meat to get his supervisor in trouble. In Australia, the entire strawberry industry was brought to its knees after a disgruntled supervisor “spiked” strawberries with needles. There were more than 230 copycat incidents impacting many companies. A contract employee in Japan, apparently disgruntled over his low pay, sprayed pesticide on a frozen food processing line resulting in illnesses to more than 2,000 people. A contract worker upset with a union dispute with the company at a food manufacturing plant videoed himself urinating on the production line, then uploaded the video to the Internet. Be cognizant of any grievances in the workplace and increase monitoring or take other proactive steps to reduce the risk of intentional adulteration.
Lesson 4: The IA Rule requires that every point, step and procedure be analyzed to determine if it is an actionable process step (APS). The Hazard Analysis Critical Control Point flow charts are a good starting point to comply with this element of the law but cannot be counted on completely to achieve the standard of analyzing every point, step or procedure. Critical thinking and persons familiar with the production process need to be involved to ensure that no steps are missed. Oftentimes companies modify the HACCP flow diagrams after a VA.
Lesson 5: The FDA states in the second installment of guidance (here’s the full copy) to the industry that, “There are many possible approaches to conducting a VA. You may choose an approach based on considerations such as the time and resources available and the level of specificity desired. You have the flexibility to choose any VA approach, as long as your VA contains each required component (21 CFR 121.130).”
The FDA further states that the Key Activity Type, or KAT method, is an appropriate method for conducting a VA because it reflects consideration of the three required elements and the inside attacker. Using this methodology alone, however, can result in substantially more APS’s, which might otherwise be ruled out for practical purposes such as a lack of accessibility or a lack of feasibility to contaminate the product at a point, step or procedure. We have experienced up to a 90% decline in APS’s by utilizing another FDA recommended assessment approach, the hybrid approach, which assesses each point, step or procedure as first whether it is a KAT. Then to qualify as an APS, it must also trigger positively for public health impact, accessibility and feasibility to contaminate the product.
Organizations who have yet to execute vulnerability assessments (due July 26, 2020) or who may wish to reflect back on their existing VA’s in an effort to eliminate unnecessary APS’s should find these strategies helpful to focus limited resources to the areas where they can have the greatest effect. The next two articles in this series will cover more information on electronic access, the value of site tours, comparisons to drinking water security strategies, dealing with multi-site assessments and more. Read Part II of this series on intentional adulteration.
Attend the Food Defense Plenary Panel Discussion at the 2019 Food Safety Consortium | Tuesday, October 1, 2019Today FDA released an updated version of its Food Defense Plan Builder in efforts to help companies comply with the International Adulteration FSMA rule. Version 2.0 of the tool includes the following sections to help food facility owners and operators in developing a facility-specific food defense plan:
Food Defense Monitoring Procedures
Food Defense Corrective Action Procedures
Food Defense Verification Procedures
The tool is for use on a computer, and FDA states that it does not have access to any content or documents used with the tool, nor does it track or monitor how the tool is being used. The agency also emphasizes that use of this tool is not required by law and its use does not mean that a company’s food defense plan is FDA approved or compliant with the IA rule requirements.
The original version of this tool was released in 2013. FDA will be conducting a demonstration of the Food Defense Plan Builder v. 2.0 during a webinar on October 10.
What is FMEA? What is a vulnerability assessment (VA)? How can these two be linked? Despite what you may think, there are similarities between these two methods. FMEA (Failure Modes and Effects Analysis) methods can be utilized to help objectively assess the vulnerable steps within your process.
After July 26, 2019, businesses other than small and very small businesses (defined by FDA) must comply with the FSMA Intentional Adulteration (IA) Rule. The rule is intended to enforce industry regulation to conduct vulnerability assessments and address proper mitigation plans to prevent any potential fraud risks within the food defense plan. For small businesses, the compliance date is July 27, 2020; for very small businesses, the compliance date is July 26, 2021.
Although the IA rule does not specify a particular method that you must use to conduct your VA and address proper mitigation plans, the following elements must be considered during your evaluation and mitigation strategy and must be implemented at each actionable step afterwards:
The potential public health impact (e.g., severity and scale) if a contaminant were added (21 CFR 121.130(a)(1))
The degree of physical access to the product (21 CFR 121.130(a)(2))
The ability of an attacker to successfully contaminate the product (21 CFR 121.130(a)(3))
During the 2019 Food Safety Consortium, Melody Ge will present: How to prepare ourselves in this data-driven transitioning time for the smart food safety era? | October 2 @ 10 am FMEA is a Six Sigma method widely used in operations when implementing a new process. It is a structured approach to discover potential failures that may exist within the design of a product or process. Within FMEA, the RPN (Risk Priority Number) score is used to prioritize risks and is calculated by Severity × Occurrence × Detection. RPN is a quantified number that helps you prioritize risks when determining actions. If we employ the same mentality, FMEA is a useful method in helping to identify vulnerable steps based on the risk within your process. Take a close look at how the RPN is generated; the following three components are also important during the vulnerability assessment.
Severity or the potential public health impact (e.g., severity and scale) if a contaminant were added.
Severity is identified when considering the consequence of when a processing step goes out of control; or thinking about the severity of the health impact. We can consider those impacts or consequences using four common categories:
Intentional adulteration for economic gain contaminants
Occurrence or the degree of physical access to the product.
Occurrence is identified when considering how frequently a process step is expected to go out of defined controls. Is it once a week or once a month? Depending on how often the step goes out of defined controls, this will trigger different action steps as well as mitigation plans.
Detection or the ability of an attacker to successfully contaminate the product.
Detection is considered by how easy it can be detected when the failure occurs. For example, within the food production operation, mixing steps is relatively easier than a CIP step to be detected. More references could be found in FDA’s definition of KAT (Key Activity Types, as discussed in the draft guidance, “Mitigation Strategies to Protect Food Against Intentional Adulteration”), such as:
Bulk and liquid receiving and storage
Liquid storage and handling
Secondary ingredient handling
Mixing and similar activities
Once the RPN is identified, then the vulnerable steps can be sorted based on the RPN. To utilize this approach, Table 1 provides a template to be considered using FMEA for the vulnerability assessment.
Is it KAT? (Y/N)
Action Process Step
Table 1: Determine the vulnerable steps (for reference)
As IA rules regulate, a mitigation plan must be generated once a vulnerable step is identified. The intention of the plan shall ensure those risks identified are mitigated and controlled so that the final finished products are not impacted or contaminated. One tip to begin this process is to start with reviewing your current control plan for potential food safety risks. As FSMA Preventive Controls are fully implemented, all food plants shall have a food safety plan in place with validated control plans that are intended to reduce risks for potential physical, chemical, biological and adulteration for economic gain. Sometimes, these risks are highly associated with potential vulnerable steps for intentional adulteration, especially those processing steps associated with potential economic gain hazards. If those controls are not working properly, then we can seek out other mitigation plans. Nevertheless, regardless of what steps are taken, they have to be validated to show that the IA risks are effectively mitigated. Monitoring and verification shall be conducted as well once the mitigation plan is implemented.
Of course, like all food safety management systems, every food plant should have its own designated plans based on the products being produced, operations implemented and the nature of the production. Ultimately, it will be your choice to find an effective method that fits your production culture. However, the intention should always be in compliance with the IA rules: Identify the vulnerable steps within the process, and conduct mitigation plans to control the risks of intentional adulteration.
Learn more about food fraud at the Food Labs Conference | June 2–4, 2020 | Rockville, MDThis week FDA made an announcement during a public meeting that the agency’s routine inspection to verify compliance with the FSMA Intentional Adulteration rule will start next March.
The first compliance date for the rule is this July. It is a requirement for food facilities covered under this rule to develop and implement a food defense plan that identifies vulnerabilities and the consequent mitigation plan.
FDA stated that it has received feedback on the “novel nature” of the rule’s requirements and that stakeholders want more time to develop their food defense plans. “ To allow industry time with the forthcoming materials, tools, and trainings, and because the IA rule represents new regulatory territory for all of us, we will be starting routine IA rule inspections in March 2020,” FDA stated and added that it is working on developing more resources as well as the final part of draft guidance to continue to assist industry.
The FSMA Intentional Adulteration rule (Mitigation Strategies To Protect Food Against Intentional Adulteration) requires companies that fall under the rule to implement a written food defense plan, identity vulnerabilities and establish mitigation strategies based on those vulnerabilities. This is new territory for FDA as well as for many companies in the industry—and for this reason, the agency has established a longer compliance timeline. However, that doesn’t mean companies should wait—the time to prepare is now.
Christopher Snabes, senior manager, food safety at the The Acheson Group (TAG) and Jennifer van de Ligt, Ph.D., associate director at the Food Protection & Defense Institute (FPDI) sat down with Food Safety Tech to discuss some of the challenges they see industry facing related to intentional adulteration and food defense.
In addition, TAG and FPDI are interested in gauging the industry’s level of readiness in this area and have put together the survey, Intentional Adulteration & Food Defense Industry Preparedness. We encourage you to take the survey. And don’t miss subject matter experts from TAG and FPDI at this year’s Food Safety Consortium as they discuss Food Defense: Lessons Learned from Recent Incidents + Key Steps to Mitigating Risks.
Food Safety Tech: Given the subject matter of the survey, what do you feel is the current preparedness level regarding compliance with the FSMA Intentional Adulteration rule?
Christopher Snabes: I see this from a variety of fronts. Some companies established food defense solely on the events of 9/11, putting initial food defense plans in place [that involved] fences, installing security guards and gates, and locking the outside doors. Some companies we’ve worked with feel this is sufficient enough to meet the IA rule, and that’s not correct.
TAG has assessed several companies that are in the process of conducting food defense assessments, and they’re doing them based on best industry practices, and preparing for the inside attacker and/or a terrorist getting into key production areas.
TAG has worked with some companies that are fully waiting for the second and third guidance documents from FDA to come out before they do the full food defense plan. We’ve worked with some companies doing a mix of the above—they’re not waiting for the guidance but are actively testing their plans and having an outsider test their vulnerability, and then they’re rewriting plans based on the findings. They’ll also update their food defense plans, once the second and third FDA guidances are released to the public.
We feel these are the most prepared facilities; there are not a lot of companies at this point, but they’re starting to pick up steam. At this point, I would say most companies are actively pursuing a food defense plan as well as beginning to test their vulnerability.
Jennifer van de Ligt: I agree with Chris and would add that in the past two years or so, there’s also been a shift in how the industry is viewing the Intentional Adulteration rule. Many companies currently have food defense plans based on the events of 9/11 and, for the first couple of years, as the new Intentional Adulteration rule was being written, there was still a heavy emphasis on “that should be enough.” I very rarely hear that now when discussing the Intentional Adulteration rule with our industry partners. I think companies are more prepared from an understanding perspective to move beyond perimeter security and guards to really think about the risks in the facilities that would come from people with legitimate access— what the rule defines as “insider attackers”. Although understanding is increasing, Chris is correct that different parts of industry are on different paths. Some just now understand that they have to do more, while others are well on the way on to looking at how they need to structure themselves internally and are already moving towards vulnerability assessments.
FST: Are you seeing company size play a role in the readiness level?
Join the Food Protection and Defense Institute and The Acheson Group (TAG) at the 2018 Food Safety Consortium for an interactive discussion as they explore recent food defense events, highlighting key components of the incidents relative to government interactions, FSMA regulations, brand reputation, financial interests, and public health response. van de Ligt: The larger companies thinking about a multi-international approach seem to be further along in the process. I think they started thinking about the vulnerability assessment, how they’re going to structure it in their company, and how they’re going to come to compliance because of the breadth and the scope that impacts them. But we’re also seeing, at least in our training, some of the mid-sized companies beginning to take action. I think again, they realize that even though they’re smaller, they’re going to need additional resources, and they might not have those resources in house, so it might take them a bit longer.
Snabes: In general I would agree with Jennifer. I think a lot of it is because they have additional resources, and they can leverage them across many facilities as needed. I don’t see as much action being taken outside the United States on the facilities that are importing into the United States. I think that’s just starting to ramp up. I’m also seeing very small businesses that aren’t required to follow the IA rule implementing this because they want to protect their brand.
FST: What challenges are you seeing companies experience in understanding food defense, IA, and the appropriate preventive actions they should be taking?
FSMA Checklist: Intentional Adulteration ruleSnabes: Just understanding how the rules can apply to the business. For some companies, that’s still a challenge. Other companies, like the large ones, get it. Other small- and mid-sized companies are still trying to figure out how it applies to them. After that, the challenge is realizing there are expenses involved. For example, they have to install key fobs, cameras in critical areas, etc. They also have to realize they can meet the IA rule by not spending an exorbitant amount of money. For example, within a budget there are things companies can do without having to spend a lot of money, such as food defense awareness training.
Another challenge is educating all workers in food defense; enforcing the food safety culture within the facility and the idea that their job can be at risk. They have to realize that if they don’t recognize an individual inside the premises, or if something is out of place in a critical area, they need to inform their supervisor. If they see something, they need to say something—and ensure that the intentional adulteration is not taking place.
Educating employees is the least expensive way to invest in food defense, and it is the most effective. However, this can be a challenge for the companies that, for example, have a high turnover rate—if you have a lot of employees coming in and out, that means constant training, enforcement and re-educating. We see quite a bit of companies with a large turnover rate.
van de Ligt: I agree with those points. In our training, we also talk about food defense culture and how it needs to be supported across the business, similar to the way food safety culture is already in many of our businesses, and how to incorporate food defense awareness training, and on-boarding and refresher training.
The other challenges I see is that once you get to the understanding of what needs to be done and you get the buy in, there are some logistical issues at some of the companies—from big to small. Some companies are struggling with understanding which part of the business should be responsible for this (the food safety group, the security group, etc). Because we are talking about legitimate access and who is responsible for putting the plan together: How do these groups that may not have worked closely within the bigger companies now create that shared collaborative environment?
At the smaller companies, where they may not have that breadth or resources, now you’re asking a specialist in one area to pick up a completely different expertise and discipline. With a food safety and quality person, part of their job may be supply chain and sourcing, and now they also have to learn food defense. How are they managing and balancing all the different FSMA rules in their portfolio—because you have one person actually thinking about the breadth of them all. This presents a challenge to the logistics of implementation.
The other challenge I see is that FDA has done a really good job in providing input, guidance and listening sessions, and has been open and available to answer questions—more so for this rule than any of the other rules that I’ve watched go through industry. However, with the guidance being published so close to the compliance date it presents a challenge—companies that are waiting on the guidance will have to comply very quickly without the best understanding on what FDA’s thoughts are—because they’re waiting on the pending guidance.
FST:What steps should companies take to mitigate the IA risk?
van de Ligt: I have three action items for every company to take.
Read the IA rule, including the preamble if they haven’t. There’s a lot of information there that will help them understand the mindset and how the IA rule came about.
Read the guidance document when it comes out. The first guidance contains many clarifying examples that will help understanding and implementation.
Train the key people who are going to be responsible for writing the food defense plan and all employees on food defense awareness.
There are resources out there, whether it’s talking with FDA or coming to a sponsored training, for folks to get assistance in understanding and interpretation, and it would be great for them to take advantage of it.
Snabes: I agree with those three points. In general—do an FDA food defense assessment of your facility. Look for and concentrate on the key activity types that are critical. At least get a list of what areas are going to be the ones you have to mitigate. For example: The offloading of liquids, open vats, hand applied additives, etc. The most important thing I suggest doing right away is food defense awareness training for not just the supervisors, but all the employees—everyone from receiving to shipping to supply chain, etc. Everyone should be aware of the importance of food defense training and how their job depends on it.
In general, with food defense or IA—the rule is a brand new concept to FDA. It’s something they never tackled before. Because of that, there is going to be a longer time of educating before regulating. FDA is going to bend over backwards to work with companies so they understand how this rule is going to be implemented.
Any company out there can have a “strong employee” who wants to cause intentional adulteration, so the time to plan for that is now. Don’t wait for the rule to come into effect before you start planning.
Question 1: Is food fraud addressed in the FDA’s Intentional Adulteration rule (“Mitigation Strategies to Protect Food Against Intentional Adulteration”)?
Karen Everstine: Food fraud, or what the FDA calls “economically motivated adulteration” (EMA), is certainly an intentional act. However, recent U.S. regulations for food fraud/EMA are outlined in the Preventive Controls (PC) rules (“Current Good Manufacturing Practice, Hazard Analysis, and Risk-Based Preventive Controls for Human Food” and “Current Good Manufacturing Practice, Hazard Analysis, and Risk-Based Preventive Controls for Food for Animals”) and not in the Intentional Adulteration (IA) Rule. FDA indicated that the IA rule was intended to “prevent acts intended to cause wide-scale harm.” Therefore, new requirements related to food fraud/EMA are included in the hazard analysis requirements in the PC rules. FDA indicated they anticipate EMA preventive controls to be needed only in rare circumstances and “usually in cases where there has been a pattern of EMA in the past.” It is important to note that these requirements are specific to hazards that may be introduced for the purposes of economic gain. EMA that only affects product quality is outside the scope of the PC rules. However, there are misbranding and adulteration provisions of the Food Drug and Cosmetic Act that apply to EMA more broadly (whether or not the substance used may be a hazard).
Question 2: If my facility includes food fraud/EMA in our hazard analysis, will we be compliant with global food fraud requirements?
Everstine: Addressing food fraud/EMA only in your hazard analysis is not sufficient for GFSI compliance. Therefore, if your facility needs to be GFSI compliant, you will need to implement a food fraud vulnerability assessment and mitigation plan that covers all types of fraud. This includes fraud that only affects quality and it includes counterfeiting, theft, diversion, and gray market production. While FDA has indicated they are primarily focused on food fraud/EMA that has a known pattern of occurrence and could be a hazard, GFSI requires that industry evaluate vulnerability more broadly. This includes identifying fraud opportunities (such as complex supply chains), individual capability, and “weak signals” of fraud that could include indicators such as price changes for commodities.
Strictly Necessary Cookies
Strictly Necessary Cookies should be enabled at all times so that we can save your preferences for these cookie settings.
We use tracking pixels that set your arrival time at our website, this is used as part of our anti-spam and security measures. Disabling this tracking pixel would disable some of our security measures, and is therefore considered necessary for the safe operation of the website. This tracking pixel is cleared from your system when you delete files in your history.
If you visit and/or use the FST Training Calendar, cookies are used to store your search terms, and keep track of which records you have seen already. Without these cookies, the Training Calendar would not work.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
A browser cookie is a small piece of data that is stored on your device to help websites and mobile apps remember things about you. Other technologies, including Web storage and identifiers associated with your device, may be used for similar purposes. In this policy, we say “cookies” to discuss all of these technologies.
Data generated from cookies and other behavioral tracking technology is not made available to any outside parties, and is only used in the aggregate to make editorial decisions for the websites. Most browsers are initially set up to accept cookies, but you can reset your browser to refuse all cookies or to indicate when a cookie is being sent by visiting this Cookies Policy page. If your cookies are disabled in the browser, neither the tracking cookie nor the preference cookie is set, and you are in effect opted-out.
In other cases, our advertisers request to use third-party tracking to verify our ad delivery, or to remarket their products and/or services to you on other websites. You may opt-out of these tracking pixels by adjusting the Do Not Track settings in your browser, or by visiting the Network Advertising Initiative Opt Out page.
You have control over whether, how, and when cookies and other tracking technologies are installed on your devices. Although each browser is different, most browsers enable their users to access and edit their cookie preferences in their browser settings. The rejection or disabling of some cookies may impact certain features of the site or to cause some of the website’s services not to function properly.
The use of online tracking mechanisms by third parties is subject to those third parties’ own privacy policies, and not this Policy. If you prefer to prevent third parties from setting and accessing cookies on your computer, you may set your browser to block all cookies. Additionally, you may remove yourself from the targeted advertising of companies within the Network Advertising Initiative by opting out here, or of companies participating in the Digital Advertising Alliance program by opting out here.