Tag Archives: vulnerability assessment

food safety tech

Food Labs/Cannabis Labs Virtual Conference Includes FDA Comments on Proposed Lab Accreditation Rule

By Food Safety Tech Staff
No Comments
food safety tech

Next month join Food Safety Tech and Cannabis Industry Journal for the virtual conference, Food Labs / Cannabis Labs. The event is complimentary for attendees and will be held Tuesday, June 2 through Friday, June 5 (each day the event begins at 11 am ET). The event was originally planned as an in-person event but was converted to a virtual conference as a result of the COVID-19 pandemic.

The event kicks off with FDA’s comments on the proposed FSMA laboratory accreditation rule, which will be presented by FDA’s Timothy McGrath and Donald Burr. Other session highlights include FSMA’s impact on labs; navigating the regulatory pitfalls of cannabis lab testing; the evolution of the lab testing market; documentary standards and reference materials; and vulnerability assessment frameworks and food fraud mitigation strategies. Many of the educational sessions will be followed by Tech Talks, which will be provided by sponsors in the laboratory technology or service provider fields, who will educate attendees about solutions that can assist in the food lab and/or cannabis lab environment.

More than 500 people have already registered to attend! Don’t miss this unique opportunity and register now. Please note that only registrants who attend the live event will have access to the recording.

For companies interested in Tech Talk opportunities, Contact RJ Palermo (203-667-2212). Tuesday and Wednesday are sold out.

Lessons Learned from Intentional Adulteration Vulnerability Assessments (Part III)

By Frank Pisciotta, Spence Lane
No Comments

Food defense is the effort to protect food from intentional acts of adulteration where there is an intent to cause harm. Like counterterrorism laws for many industries, the IA rule, which established a compliance framework for regulated facilities, requires that these facilities prepare a security plan—in this case, a food defense plan—and conduct a vulnerability assessment (VA) to identify significant vulnerabilities that, if exploited, might cause widescale harm to public health, as defined by the FDA. Lessons learned during the conduct of food defense vulnerability and risk assessments and the preparation of the required food defense plan are detailed throughout this three-part series of articles. Part I of this series addressed the importance of a physical security expert, insider threat detection programs, actionable process steps (APS) and varying approaches to a VA. Part II reviewed access, subject matter experts, mitigation strategies and community drinking water. This final article reviews broad mitigation strategies, feasibility assessments, food defense plans, partial ingredient security and the “Three Element” approach through more lessons learned from assessments conducted for the largest and most complex global food and beverage facilities, but which can also be applied to the smaller facilities that are currently in the process of readying for the next deadline of July 26.

Lesson 14: When the final rule was released, the concept of using broad mitigation strategies was eliminated. That notwithstanding and realizing that many companies seek to operate at a stricter standard for food defense with a clear focus on brand protection, versus only those process steps that potentially could result in a “wide scale public health impact.” Broad or facility-wide mitigation strategies should not be abandoned, but are less likely to get you a lot of credit for IA compliance. Including existing food safety prerequisite programs (PRP), programs and practices that are put in place to maintain a sanitary environment and minimize the risk of introducing a food safety hazard, can, in some cases, also be included as security mitigation. PRP’s with slight modifications can also contribute to a good “food defense” posture. For example, one PRP addresses hazardous chemicals and toxic substances. In some cases, non-food grade substances that could result in product contamination (not necessarily wide-scale public health impact) might be available to a disgruntled insider. It is obvious companies are concerned about contaminants being brought into the plants, but please do not overlook contaminants that are already there and ensure that they are properly secured when not in use.

Other facility-wide programs (broad mitigation) that contribute to effective food defense might include site perimeter or building security, visitor and contractor management, pre-employment background checks, employee security awareness and food defense training and sanitation chemical management.

Lesson 15: If you are using the three elements approach (Guidance Chapter 2 Section G) or the hybrid approach (Guidance Chapter 2 Section H), you will be required to make an assessment on feasibility. In the early VA’s conducted, prior to the second installment of the guidance in March of 2019, feasibility was essentially an all or nothing proposition. One could argue that a judgment call was required as to whether an intentional adulteration incident could be accomplished given the inherent conditions. Those conditions might include a lot of coworkers who might be able to observe and serve as witnesses to deter the act. With the release of the second installment of the guidance from the FDA, a new tool was made available which would allow food and beverage companies to run a calculation and make a more accurate prediction of how much of an unnamed “representative contaminant” which is assumed to be highly lethal and heat stable it might take to contaminate a product batch. Typically, the larger the batch size, the higher the quantity of the “representative contaminant” would be required to achieve a lethal dose (LD) in a serving size. So, to provide an additional level of validation with identified actionable process steps, the use of the LD calculation might be considered to provide more realistic insight into the feasibility element. For instance, if it would require one hundred pounds of the “representative contaminant,” you might feel justified in concluding that it is not realistic to get that amount of contaminant into the batch at the process step and rule out the point, step or procedure as an APS. This can save money and ensure limited food defense resources can be channeled to the areas where legitimate risk can be reduced.

Lesson 16: After an APS is identified, sites will need to determine, as the rule states, whether the existing “mitigation strategies can be applied…to significantly minimize or prevent the significant vulnerability.” Simply stated, what is in place today for food safety, and the broad-based security measures in use, may or may not be enough when you consider an insider motivated to contaminate the product. The FDA’s mitigation strategies database may offer some insights into additional food defense measures to consider. Where additional mitigation strategies are identified, from the time of completion of the VA until a site’s regulatory compliance deadline arrives (next one is July 26, 2020), that change must be incorporated into the food defense plan and fully implemented. We recommend that a site make a list of new mitigation strategies after the VA is complete for tracking purposes during the implementation phase. No mitigation strategies should be included in the food defense plan that are not fully implemented and where records cannot be adequately produced.

Lesson 17: In the second installment of the guidance, the concept of partial ingredients was introduced. The key activity types (KAT) of secondary ingredients is now considered to include the storage of partially used, open containers of secondary ingredients where the tamper-evident packaging has been breached. Tamper evident tape looked to have promising benefits, but several of our clients have abandoned the use of this mitigation strategy, which has been proven repeatedly to be defeated without detection. It appears that using containers that can be secured with numbered seals might be a better option and even better if the seals would be metal detectable in the event one went astray in a product stream.

Lesson 18: Food defense plan unification. Facilities regulated under the IA rule are likely to already have a food defense plan for other initiates such as SQF or BRC. The IA Rule is not unlike other counter-terrorism regulations in potential to create challenges to meet voluntary and regulatory requirements without having multiple food defense plans. The IA Rule based on its modeling after HACCP creates some very specific requirements in terms of how data needs to be presented and records maintained. Sites may be doing other things to support food defense, and one strategy that might keep auditors in their lane would be to include any non-IA Rule food defense content (e.g., for SQF or BRC) in an appendix to the IA Rule Food Defense Plan.

Lesson 19: Under the VA method the FDA refers to as “the “Three Element” approach, suggestion is made in the guidance released in March 2019 that regulated facilities might consider creating stratified categories for each element of public health impact, degree of physical access and ability of the attacker to successfully contaminate product. This is asking regulated facilities to engineer their own vulnerability assessment methodology. It is our opinion that this is asking a lot from a food and beverage facility and that creating categories for each element (e.g., refer to Table 3 on page 54) will extend the time it takes to complete a vulnerability assessment, create a lot more uncertainty in the process and does not necessarily help companies to identify the areas where intentional adulteration risk is highest.

Conclusion

Organizations who have yet to execute vulnerability assessments (due July 26) or those who have already completed vulnerability assessments who may wish to reflect back on their existing VAs in an effort to eliminate unnecessary APS’s should find these strategies helpful in focusing limited resources to the areas where they can have the greatest effect. Since the initiation of this article series, the FDA has released its third installment of the guidance. Once we reflect on this new installment, we will address our thoughts in a future article.

Lessons Learned from Intentional Adulteration Vulnerability Assessments (Part I)

By Frank Pisciotta, Spence Lane
No Comments

Food defense is the effort to protect food from intentional acts of adulteration where there is an intent to cause harm. Like counterterrorism laws for many industries, the IA rule, which established a compliance framework for regulated facilities, requires that these facilities prepare a security plan—in this case, a food defense plan—and conduct a vulnerability assessment (VA) to identify significant vulnerabilities that, if exploited, might cause widescale harm to public health, as defined by the FDA. Lessons learned during the conduct of food defense vulnerability and risk assessments and the preparation of the required food defense plan are detailed throughout this three-part series of articles. Part I of this series is intended to assist facilities that have not yet conducted vulnerability assessments or wish to review those already conducted, by leveraging lessons learned from assessments conducted for the largest and most complex global food and beverage facilities.

Lesson 1: VA outcomes are greatly enhanced if a physical security professional is consulted. In support of this contention, there are several physical security mitigation strategies, which can be employed to support a food defense program, that are frequently under-utilized and are not optimally managed by non-security staff. Also, the FDA seems to promote the use of cameras even though this equipment is unlikely to prevent an incident of intentional adulteration. For organizations that choose to use video surveillance, a competent security professional can help organizations engineer and operate video surveillance for maximum benefits and to meet challenging record-keeping requirements when this mitigation strategy is included in a food defense plan.

Lesson 2: Given the focus by the FDA on the insider, a formal insider threat detection program is highly recommended. Trying to promote the common, “See Something, Say Something” strategy may not be enough. For example, if employees are not clearly told what to look for in terms of uniform requirements, how to identify persons who do not belong or changes to a coworker’s baseline behavior, which may indicate moving toward a path to violence or sabotage, then “See Something, Say Something” may end up being no more than a catchy slogan.

A key element of an insider threat detection program is the completion of effective background checks for all persons who will be allowed in the facility unescorted. This includes temporary employees and contractors. A common theme in many of the recent, serious intentional adulteration incidents was that the person responsible was involved in some sort of grievance observable to coworkers and supervisors. In all insider threat detection programs, the grievance becomes an important trip wire. The Carnegie Mellon University Software Engineering Institute has published a document titled, “Common Sense Guide to Mitigating Insider Threats, Sixth Edition”. In this document is some particularly helpful guidance that can be used to stand up an insider threat detection program, but this is an effort that can take some time to fully implement.

Lesson 3: The FDA has made it abundantly clear that they believe the focus for the food and beverage industry should be the radicalized insider. A closer look at all the recently publicized contamination events suggests that there are other profiles that need to be considered. A good foundational model for building profiles of potential offenders can be found in the OSHA definitions for workplace violence offenders, which has been expanded to address ideologically based attacks. Table I applies those descriptions to the food and beverage industry, with an asterisk placed by those offender profiles that exist in recent incidents and discussed later in the text.

Class OSHA Workplace Violence Offender Description Motivation Translated to the Food and Beverage Industry
1 The offender has no legitimate relationship to the business or its employee(s). Rather, the violence is incidental to another crime, such as robbery, shoplifting, trespassing or seeking social media fame. Behavioral Health Patient *
Social Media Fame Seeker *
Copycat *
Extortion *
Economic motivation *
2 The violent person has a legitimate relationship with the business—for example, the person is a customer, client, patient, student, or inmate—and becomes violent while being served by the business, violence falls into this category. My load isn’t ready, you are costing me money
3 The offender of this type of violence could be a current employee or past employee of the organization who attacks or threatens other employee(s) in the workplace. I am upset with a coworker and adulterate to create problems for that person *
I am upset with the company and adulterate as retribution and to harm the brand *
Youthful stupidity
I am not paid enough *
4 The offender may or may not have a relationship with the business but has a personal (or perceived personal) relationship with the victim. I am upset with an intimate partner/ coworker and adulterate to create problems for that person
5 Ideological workplace violence is directed at an organization, its people, and/or property for ideological, religious or political reasons. The violence is perpetrated by extremists and value-driven groups justified by their beliefs. Radicalized Insider
Table I. A description of OSHA workplace violence offenders and how it can be applied to the F&B industry.

A supermarket in Michigan recalled 1,700 lbs. of ground beef after 111 people fell ill with nicotine poisoning. The offender, an employee, mixed insecticide into the meat to get his supervisor in trouble. In Australia, the entire strawberry industry was brought to its knees after a disgruntled supervisor “spiked” strawberries with needles. There were more than 230 copycat incidents impacting many companies. A contract employee in Japan, apparently disgruntled over his low pay, sprayed pesticide on a frozen food processing line resulting in illnesses to more than 2,000 people. A contract worker upset with a union dispute with the company at a food manufacturing plant videoed himself urinating on the production line, then uploaded the video to the Internet. Be cognizant of any grievances in the workplace and increase monitoring or take other proactive steps to reduce the risk of intentional adulteration.

Lesson 4: The IA Rule requires that every point, step and procedure be analyzed to determine if it is an actionable process step (APS). The Hazard Analysis Critical Control Point flow charts are a good starting point to comply with this element of the law but cannot be counted on completely to achieve the standard of analyzing every point, step or procedure. Critical thinking and persons familiar with the production process need to be involved to ensure that no steps are missed. Oftentimes companies modify the HACCP flow diagrams after a VA.

Lesson 5: The FDA states in the second installment of guidance (here’s the full copy) to the industry that, “There are many possible approaches to conducting a VA. You may choose an approach based on considerations such as the time and resources available and the level of specificity desired. You have the flexibility to choose any VA approach, as long as your VA contains each required component (21 CFR 121.130).”

The FDA further states that the Key Activity Type, or KAT method, is an appropriate method for conducting a VA because it reflects consideration of the three required elements and the inside attacker. Using this methodology alone, however, can result in substantially more APS’s, which might otherwise be ruled out for practical purposes such as a lack of accessibility or a lack of feasibility to contaminate the product at a point, step or procedure. We have experienced up to a 90% decline in APS’s by utilizing another FDA recommended assessment approach, the hybrid approach, which assesses each point, step or procedure as first whether it is a KAT. Then to qualify as an APS, it must also trigger positively for public health impact, accessibility and feasibility to contaminate the product.

Organizations who have yet to execute vulnerability assessments (due July 26, 2020) or who may wish to reflect back on their existing VA’s in an effort to eliminate unnecessary APS’s should find these strategies helpful to focus limited resources to the areas where they can have the greatest effect. The next two articles in this series will cover more information on electronic access, the value of site tours, comparisons to drinking water security strategies, dealing with multi-site assessments and more. Read Part II of this series on intentional adulteration.

Melody Ge, Corvium
FST Soapbox

Compliance with the Intentional Adulteration Rule: Using FMEA for Your Vulnerability Assessment

By Melody Ge
No Comments
Melody Ge, Corvium

What is FMEA? What is a vulnerability assessment (VA)? How can these two be linked? Despite what you may think, there are similarities between these two methods. FMEA (Failure Modes and Effects Analysis) methods can be utilized to help objectively assess the vulnerable steps within your process.

After July 26, 2019, businesses other than small and very small businesses (defined by FDA) must comply with the FSMA Intentional Adulteration (IA) Rule. The rule is intended to enforce industry regulation to conduct vulnerability assessments and address proper mitigation plans to prevent any potential fraud risks within the food defense plan. For small businesses, the compliance date is July 27, 2020; for very small businesses, the compliance date is July 26, 2021.

Although the IA rule does not specify a particular method that you must use to conduct your VA and address proper mitigation plans, the following elements must be considered during your evaluation and mitigation strategy and must be implemented at each actionable step afterwards:

  • The potential public health impact (e.g., severity and scale) if a contaminant were added (21 CFR 121.130(a)(1))
  • The degree of physical access to the product (21 CFR 121.130(a)(2))
  • The ability of an attacker to successfully contaminate the product (21 CFR 121.130(a)(3))

During the 2019 Food Safety Consortium, Melody Ge will present: How to prepare ourselves in this data-driven transitioning time for the smart food safety era? | October 2 @ 10 am FMEA is a Six Sigma method widely used in operations when implementing a new process. It is a structured approach to discover potential failures that may exist within the design of a product or process. Within FMEA, the RPN (Risk Priority Number) score is used to prioritize risks and is calculated by Severity × Occurrence × Detection. RPN is a quantified number that helps you prioritize risks when determining actions. If we employ the same mentality, FMEA is a useful method in helping to identify vulnerable steps based on the risk within your process. Take a close look at how the RPN is generated; the following three components are also important during the vulnerability assessment.

Severity or the potential public health impact (e.g., severity and scale) if a contaminant were added.
Severity is identified when considering the consequence of when a processing step goes out of control; or thinking about the severity of the health impact. We can consider those impacts or consequences using four common categories:

  • Biological contaminants
  • Chemical contaminants
  • Physical contaminants
  • Intentional adulteration for economic gain contaminants

Occurrence or the degree of physical access to the product.

Occurrence is identified when considering how frequently a process step is expected to go out of defined controls. Is it once a week or once a month? Depending on how often the step goes out of defined controls, this will trigger different action steps as well as mitigation plans.

Detection or the ability of an attacker to successfully contaminate the product.

Detection is considered by how easy it can be detected when the failure occurs. For example, within the food production operation, mixing steps is relatively easier than a CIP step to be detected. More references could be found in FDA’s definition of KAT (Key Activity Types, as discussed in the draft guidance, “Mitigation Strategies to Protect Food Against Intentional Adulteration”), such as:

  • Bulk and liquid receiving and storage
  • Liquid storage and handling
  • Secondary ingredient handling
  • Mixing and similar activities

Once the RPN is identified, then the vulnerable steps can be sorted based on the RPN. To utilize this approach, Table 1 provides a template to be considered using FMEA for the vulnerability assessment.

Process Step Description Is it KAT? (Y/N) RPN Action Process Step Mitigation Strategy Explanation
Sev Occ Det RPN
Table 1: Determine the vulnerable steps (for reference)

As IA rules regulate, a mitigation plan must be generated once a vulnerable step is identified. The intention of the plan shall ensure those risks identified are mitigated and controlled so that the final finished products are not impacted or contaminated. One tip to begin this process is to start with reviewing your current control plan for potential food safety risks. As FSMA Preventive Controls are fully implemented, all food plants shall have a food safety plan in place with validated control plans that are intended to reduce risks for potential physical, chemical, biological and adulteration for economic gain. Sometimes, these risks are highly associated with potential vulnerable steps for intentional adulteration, especially those processing steps associated with potential economic gain hazards. If those controls are not working properly, then we can seek out other mitigation plans. Nevertheless, regardless of what steps are taken, they have to be validated to show that the IA risks are effectively mitigated. Monitoring and verification shall be conducted as well once the mitigation plan is implemented.

Of course, like all food safety management systems, every food plant should have its own designated plans based on the products being produced, operations implemented and the nature of the production. Ultimately, it will be your choice to find an effective method that fits your production culture. However, the intention should always be in compliance with the IA rules: Identify the vulnerable steps within the process, and conduct mitigation plans to control the risks of intentional adulteration.

Vulnerability assessment

Protecting Food Against Intentional Adulteration: The Vulnerability Assessment (Part One)

By Debby L. Newslow
2 Comments
Vulnerability assessment

FDA, as part of FSMA, released its rule titled “Protecting Food Against Intentional Adulteration” on May 27, 2016. This rule was proposed in 2013. FDA received and responded to 200+ comments prior to its final release.

FDA states that this rule “is aimed at preventing intentional adulteration from acts intended to cause wide-scale harm to public health, including acts of terrorism targeting the food supply. Such acts, while not likely to occur, could cause illness, death, [and] economic disruption of the food supply absent mitigation strategies.”1

The rule requires a documented “Food Defense Plan” that at a minimum includes the following:

  • Vulnerability assessment
  • Mitigation strategies
  • Procedures for food defense monitoring
  • Food defense corrective action procedures
  • Food defense verification procedures
  • Records confirming implementation, maintenance and conformance to the defined requirements
  • Evidence of effective training

As a food safety professional with more than 30 years in the industry, reviewing this rule brought back many memories. These memories combined with information gained from a recently completed Food Defense/ Crisis Management workshop presented by Rod Wheeler really set my brain into motion.2

Years ago, industry focused on crisis management and product recall. Requirements included having a crisis management team that was led by associates representing both upper and middle management. In addition, most programs included the following:

  • Posted identification of the crisis management team (i.e., pictures, phone numbers, etc.)
  • Specific training for receptionist and guards
  • Mock crisis exercises (i.e., fire drills)
  • Planned crisis calls to the operation’s direct incoming phone numbers (i.e., receptionist and guards)
  • Mock recalls (from supplier through finished product and distribution)
  • Security inspections which may now be considered the pre-cursor to today’s “Vulnerability Assessment”

With the introduction of the GFSI approved schemes (FSSC 22000, BRC, SQF, GlobalG.A.P., Primus, etc.), requirements for crisis management, emergency preparedness, security programs, food defense training and continuity planning gained an increase focus. Do any or all of these programs meet the requirement for a “vulnerability assessment”?

In the 2013 publication, Food Safety Management Programs, this subject-matter chapter was titled “Security, Food Defense, Biovigilance, and Bioterrorism (chapter 14)”.3 An organization must identify the focus/requirements that are necessary for its operation. This decision may relate to many different parameters, including the organization’s size, design, location, food sectors represented, basic GMPs, contractor and visitor communication/access, traceability, receiving, and any other PRP programs related to ensuring the safety of your product and your facility. Requirements must be defined and associates educated to ensure that everyone has a strong and effective understanding of the requirements and what to do if a situation or event happens.

Confirming the security of a facility has always been a critical operational requirement. Many audits have been performed that included the following management statement: “Yes, of course, all the doors are locked. Security is achieved through key cards or limited distribution of door keys, thus no unwanted intruder can access our building.” This statement reminds me of a preliminary assessment that I did not too long after the shootings at a Pennsylvania manufacturer in September of 2010. The organization’s representor and myself were walking the external parameter of a food manufacturer at approximately 7:30 PM (still daylight). We found two doors (one in shipping and one accessing the main office), with the inside door latch taped so that the doors were not secure. The tape was not readily evident. The doorknob itself was locked, but a simple pull on knob opened the door. Our investigation found that a shipping office associate was waiting for his significant other to bring his dinner and was afraid that he would not be at his desk when she arrived. An office associate admitted that that door had been fixed to pull open without requiring a key several months earlier because associates frequently forgot their keys and could not gain access to start work.

Debby Newslow Debby Newslow will present ” Sanitary Transportation for Human & Animal Food – Meeting the new FDA Requirements” at the Food Safety Supply Chain Conference  | June 5–6, 2017 | Attend in Rockville, MD or via webcast | LEARN MORE

We also observed a large overhead door adjacent to the boiler room along the street side of the facility open, allowing direct access to the processing area by passing through the boiler room and then the maintenance shop. It was stated that the door had been opened earlier in the day waiting for the delivery of new equipment. No one at the time knew the status of the shipment or why the door was still open.

Finding open access to facilities is becoming more and more common. A formal vulnerability assessment is not necessary to identify unsecured doors (24/7) in our facilities. Education and due diligence are excellent tools for this purpose.

Another frequently identified weakness is with organization’s visitor and contractor sign-in prerequisite programs. What type of “vulnerability” are we creating for ourselves (false confidence) with these programs? Frequently these programs provide more questions than answers:

  • Does everyone really sign in?
  • What does signing the visitor log mean?
  • Are visitors required to show identification?
  • Are the IDs actually reviewed and if so, what does this review include?
  • Who is monitoring visitors and contractors and are they trained?
  • Do all contractors have to sign the log or are they allowed to access the building at different locations?
  • Do those contractors who make frequent or regular trips have their own badges and/or keys (keycards) so they don’t have to take the time to sign-in (i.e., pest control, uniform supplier vending services)?
  • How are contractor badges controlled?
  • Are visitors required to be accompanied during the visit or does it depend on the visitor and whom they are visiting?
  • Are visitors and contractors trained in company requirements?
  • Do visitors and contractors have an identifying item to alert your associates of their status (i.e., visitor badge, visitor name badge, specifically colored bump cap, colored smock, etc.)?
  • How are truck drivers monitored? Do they have a secured room for them or do they have complete access to the facility to access the restrooms and breakroom?
  • How are terminated associates or associates that have voluntarily left the company controlled?
    • Can these associates continue to access the facility with keys, access cards, or just through other associates (i.e., friends or associates that did not know that they were no longer an employee)?
  • How many more questions can there be?

Continue to page 2 below