Food defense is the effort to protect food from intentional acts of adulteration where there is an intent to cause harm. Like counterterrorism laws for many industries, the IA rule, which established a compliance framework for regulated facilities, requires that these facilities prepare a security plan—in this case, a food defense plan—and conduct a vulnerability assessment (VA) to identify significant vulnerabilities that, if exploited, might cause widescale harm to public health, as defined by the FDA. Lessons learned during the conduct of food defense vulnerability and risk assessments and the preparation of the required food defense plan are detailed throughout this three-part series of articles. Part I of this series addressed the importance of a physical security expert, insider threat detection programs, actionable process steps (APS) and varying approaches to a VA. To further assist facilities with reviewing old or conducting new VAs, Part II will touch on access, subject matter experts, mitigation strategies and community drinking water through more lessons learned from assessments conducted for the largest and most complex global food and beverage facilities.
Lesson 6: Utilization of Card Access. The FDA costs of implementing electronic access control, as reported in the Regulatory Impact Analysis document (page 25) are shown in Table 1.
|Average Cost Per Covered Facility||Initial||Recurring||Total Annualized|
|Prohibit after hours key drop deliveries of raw materials||$||$1070||$1070|
|Electronic access controls for employees||$1122||$82||$242|
|Secured storage of finished products||$1999||$–||$285|
|Secured storage of raw materials||$3571||$–||$508|
|Cameras with video recording in storage rooms||$3144||$–||$448|
|Peer monitoring of access to exposed product (not used)||$47||$1122||$1129|
|Physical inspection of cleaned equipment||$–||$303||$22|
|Prohibit staff from bringing personal equipment||$157||$–||$22|
|Table I. Costs of Mitigation|
In our opinion, these costs may be underreported by a factor of five or more. A more realistic number for implementing access control at an opening is $5,000 or more depending on whether the wire needs to be run in conduit, which it typically would. While there are wireless devices available, food and beverage organizations should be mindful that the use of wireless devices may in some cases result in the loss of up to 50% of electronic access control benefits. This happens because doors using this approach may not result in monitored-for-alarm conditions, such as when doors are held open too long or are forced open. Some wireless devices may be able to report these conditions, but not always as reliable as hardwired solutions. Using electronic access control without the door position monitoring capability is a mistake. From a cost standpoint, even a wireless access control device would likely be upwards of $2,000 per opening.
Lesson 7: In the interest of time, and in facilities with more complex processes (which increases the work associated with the VA), plan to have quality, food safety and physical security personnel present for the duration of the VA. But also bring in operational specialists to assess each point, step or procedure for the respective operational areas. You may wish to have a quick high-level briefing for each operational group when it’s their turn to deliberate on their portion of the manufacturing operation. Proper planning can get a hybrid style VA done in one-and-a-half to three days maximum for the most complex of operations.
Lesson 8: Conduct a thorough site tour during the assessment process; do not limit your vulnerability activity to a conference room. Both internal and external tours are important in the assessment process by all members of the team. The external tour is needed to evaluate existing measures and identify vulnerabilities by answering questions such as:
- Is the perimeter maintained?
- Are cameras pointed correctly?
- Are doors secure?
- Are vehicles screened?
- Are guards and guard tours effective?
- Internal tours are important to validate documented HACCP points, steps or procedures.A tour also helps to validate process steps that are in multiple parts and may need to be further assessed as a KAT, for public health impact, accessibility and feasibility or to identify issues that have become “invisible” to site employees which might serve a security purpose.
- Properly conducted tours measure the effectiveness of a variety of potential internal controls such as:
- Access control
- Visitor controls
- Use of identification measures
- Use of GMP as a security measure (different colors, access to GMP equipment and clean rooms)
- Effectiveness of buddy systems
- Employee presence
Lesson 9: Do not forget the use of community drinking water in your processes. This is an easy way to introduce a variety of contaminants either in areas where water is being treated on site (even boiler rooms) or where water may sit in a bulk liquid tank with accessibility through ladders and ports. In our experience, water is listed on about half of the HACCP flow charts we assessed in the VA process.
Lesson 10: Some mitigation strategies may exist but may not be worth taking credit for in your food defense plan. Due to the record keeping requirements being modeled after HACCP, monitoring, corrective action and verification records are required for each mitigation strategy associated with an APS. This can often create more work than it is worth or result in a requirement to create a new form or record. Appropriate mitigation strategies should always be included in your food defense plan, but sometimes it produces diminishing returns if VA facilitators try to get too creative with mitigation strategies. Also, it is usually better to be able to modify an existing process or form than having to create a new one.
Lesson 11: In cases of multi-site assessments, teams at one plant may reach a different conclusion than another plant on whether an identical point, set or procedure is an APS. This is not necessarily a problem, as there may be different inherent conditions from one site to the next. However, we strongly suggest that there be a final overall review from a quality control standpoint to analyze such inconsistencies adjudicate accordingly where there is no basis for varying conclusions.
Lesson 12: If there is no person formally responsible for physical security at your site, you may have a potential gap in a critical subject matter area. Physical security measures will make at least a partial contribution to food defense. Over 30 years, we have seen many organizations deploy electronic access control, video surveillance and lock and key control systems ineffectively, which provides a false sense of security and results in unidentified vulnerability. It is as important to select the right physical security measures to deploy, but also critical to administer them in a manner that meets the intended outcome. Most companies do not have the luxury of a full-time security professional, but someone at the plant needs to be provided with a basic level of competency in physical security to optimize your food defense posture. We have developed several online training modules that can help someone who is new to security on key food defense processes and security system administration.
Lesson 13: As companies move into ongoing implementation and execution of the mitigation strategies, it is important to check that your mitigation strategies are working correctly. You will be required to have a monitoring component, correction action and verification intended for compliance assurance. However, one of the most effective programs we recommend for our clients’ food defense and physical security programs is the penetration test. The penetration test is intended to achieve continuous improvement when the program is regularly challenged. The Safe Quality Food (SQF) Institute may agree with this and now requires facilities that are SQF certified to challenge their food defense plan at least once annually. We believe that frequency should be higher. Simple challenge tests can be conducted in 10 minutes or less and provide substantial insight into whether your mitigation strategies are properly working or whether they represent food defense theater. For instance, if a stranger were sent through the plant, how long would it take for employees to recognize and either challenge or report the condition? Another test might include placing a sanitation chemical in the production area at the wrong time. Would employees recognize, remove and investigate that situation? Challenge tests are easy high impact activities; and regardless of the outcome, can be used to raise awareness and reinforce positive behaviors.
Whether training a new security officer, reviewing existing security plans or preparing for an upcoming vulnerability assessment (due July 26, 2020), these lessons learned from experienced security consultants should help to focus efforts and eliminate unnecessary steps at your facility. The final installment in this series will address broad mitigation strategies, the “Three Element” approach and food defense plan unification. Read the final installment of this series on Lessons Learned from Intentional Adulteration Vulnerability Assessments, Part III.
A recently published paper advocates the inclusion of media reports as a source of information for assessing food fraud vulnerability.1 Those of us who maintain the Food Fraud Database could not agree more. We have been monitoring media reports for years and they are an important source of information in the database (accounting for 45% of all primary source references).
As I mentioned in last month’s post, there are challenges with using media reports to inform food fraud vulnerability. Many media reports are general discussions of the issue of food fraud and are not necessarily reporting new information. It may be difficult to filter out these types of reports without manual review. There may also be concerns about the validity of media reports on food fraud. This is the reason we implemented a classification for “weight of evidence” for incident records in the database. Overall, approximately 30% of the incident records in our database are classified as a “low” weight of evidence due to unverifiable data or a lack of corroborating reports. Some of our users choose to filter these out of their searches.
We have received requests for information about how the data in the Food Fraud Database compares with numbers reported in the paper. Table 11 in the paper described the top product categories, countries and type of fraud as reported in four food safety tracking systems.1 We have adapted that table below to data from the Food Fraud Database.
|Product Category||%||Country of Origin||%||Type||%|
|Meat/Poultry||18||India||26||Dilution/substitution (misrepresentation of animal origin)||26|
|Dairy Products||14||United States||9||Dilution/substitution with a non-food substance||14|
|Alcoholic Beverages||6||Columbia||6||Dilution/substitution (misrepresentation of botanical origin)||12|
|The most common food fraud records (“cases”) in the Food Fraud Database (2014-2015)|
As shown in Table 11 in the paper, the top four products by number of articles in the media monitoring system (in 2014-2015) were meat, seafood, milk and alcohol. As shown above, when looking at data in the Food Fraud Database from 2014 and 2015, the top ingredient categories are very similar: Meat/Poultry, Seafood, Dairy Products, and Alcoholic Beverages. However, there was little agreement in the country of origin of the reported cases among any of the systems. For the Food Fraud Database (shown above), the top countries of origin in 2014–2015 were India, China, the United States and Colombia. According to the paper, the top countries of origin reported by the food fraud media monitoring system were Egypt, the United States, the U.K. and Saudi Arabia. The top country of origin reported by RASFF was China and by HorizonScan was the Czech Republic.
Table 4 reported the “types” of food fraud (which correspond to what we call “reasons for adulteration”) and the corresponding number of articles collected, which we have also adapted to the data in the Food Fraud Database below.
|Types of Food Fraud in Records in the Food Fraud Database (2014–2015)
|Type of Food Fraud||Number of Records||%|
|Dilution/substitution – misrepresentation of animal origin||212||26|
|Dilution/substitution with a substance not approved for use in foods||118||14|
|Dilution/substitution – misrepresentation of botanical origin||101||12|
|Artificial enhancement of apparent protein content||58||7|
|Artificial enhancement with color additives||57||7|
|Dilution/substitution – misrepresentation of geographic origin||40||5|
|Dilution/substitution – misrepresentation of varietal origin||28||3|
|Use of unapproved biocides (antibiotics, anti-fungal agents, preservatives, etc.)||21||3|
|Artificial enhancement (other)||7||1|
|Formulation of an entirely fraudulent product using multiple techniques and adulterants||2||0|
|* Greater than 100% because one record can have multiple types of associated fraud|
It is not possible to make meaningful comparisons among the reported fraud “types” without harmonized definitions and standardization of data collection processes, as noted in the paper. A glance at Table 1 from the paper illustrates the variety of food fraud categorizations in use among the various systems.1 Generally, it is a challenge to directly compare any of the information coming from various sources such as RASFF, HorizonScan, the Food Fraud Database and others, due to the differences in the way data is collected, standardized and reported.
In contrast with foodborne illnesses, which are generally required to be reported to public health agencies, food fraud typically does not result in acute illness and is difficult to track. The nature of food fraud combined with differences in data tracking systems make it almost impossible to reconcile the data among the various systems. Regardless of which system is reporting, the reports are likely just a fraction of the true occurrence of food fraud; however, each can provide valuable perspective on risks to food safety (including those from food fraud). A holistic assessment of food fraud vulnerability should take into account a wide variety of information sources, including media reports.
- Bouzembrak, Y., et al. (November 2018). Development of food fraud media monitoring system based on text mining. Food Control. Vol. 93. Retrieved from https://doi.org/10.1016/j.foodcont.2018.06.003
Vulnerability assessments are a key provision of the FSMA final rule, Mitigation Strategies to Protect Food Against Intentional Adulteration. With this requirement comes the “identification of vulnerabilities and actionable process steps” that must be taken to mitigate potential threats. During the IAFP annual meeting Lance Reeve, senior risk management consultant for food safety and defense at Nationwide Agribusiness Insurance Co., reviewed the important and sometimes-overlooked areas that companies should be looking at when conducting vulnerability assessments.
Inside the Plant
To start, vulnerability assessments should be conducted at different times of the day, and the process should involve a team approach, said Reeve. Food defense cannot effectively be managed by a single person within a facility: It needs to involve all departments, from human resources to IT to production to warehousing, and extend to outside suppliers and vendors. How is the flow of employees and visitors around the facility managed? Do staff members wear color-coded badges? Some companies have a color-coding plan to prevent contamination, but it is also a useful tool to ensure that unauthorized employees, outside contractors and visitors aren’t in restricted areas. For example, the maintenance shop may contain deadly food contaminants—do you really want general employees to be able to get into this area? Consider using electronic technology such as biometric access control to limit access based on employee/security credentials.
Working with the human resources department is a critical part of protecting a facility. Does your company have the capability to conduct thorough background checks on all employees? In addition, with all the different types of contractors and vendors who enter your facility it’s important to find out whether your contracting companies are doing the same level of background checks as your organization when they hire employees. And finally, examine how the culture within the organization. Do employees challenge the presence of visitors who shouldn’t be on the premises?
Outside the Facility
In many cases, companies will look at the inside of their facility for potential hazards and vulnerabilities, but what about the perimeter? How are you controlling the people who are coming onto company property? While this may seem obvious, Reeve recommended physical objects to establish authority: Fences (establish physical border), signs (establish where control begins), and CCTV cameras (establishes security). And when looking at the outside of the building itself, how secure is the roof? What access does a potential attacker have into the facility via the roof? How often are security checks conducted here (if at all)?
Throughout any given day, a company can receive several cargo shipments from a variety of different suppliers. Are you familiar with the food safety programs of your suppliers? They play a critical role in food defense strategies. And when your company receives shipments, Reeve advised that companies go beyond looking at the seals on trucks and examine the transportation system itself. Is cargo removed in a secure area? Is an authorized employee supervising the process or is it left in the hands of the third-party driver?
And finally, a critical part of your mitigation strategy should be to challenge the system. Once you think you may have found all the vulnerabilities, conduct penetration testing.