By Rick Barham, Director of Food Safety, Registrar Corp
On March 5, 2019, the U.S. Food and Drug Administration (FDA) published its second installment of the draft guidance outlining the requirement of facilities to develop mitigation strategies to protect food from intentional adulteration, one of the seven major rules under FDA’s Food Safety Modernization Act (FSMA). The deadline to comply for most FDA-registered food facilities is July 26, 2019, leaving only four months.
Under this rule, most FDA-registered food facilities that average more than $10 million in global food sales plus the market value of unsold food inventory must develop and implement a written Food Defense Plan. Food Defense Plans should identify vulnerabilities at each point, step, or procedure in a facility’s food making process as well as outline mitigation strategies. While the Hazard Analysis and Risk Based Preventative Controls rule (HARPC) is used to protect food from hazards that may include intentional adulteration for purposes of economic gain, Food Defense Plans are used to address scenarios where food may be contaminated for economic gain, political gain, or as a weapon against the public specifically.
Strategies for developing vulnerability assessments
FDA’s recent draft guidance outlines two methods that can assist facilities in creating their Vulnerability Assessments, the first step in the Food Defense Plan, as well as outlines education, training, or experience requirements for individuals who perform certain actions under the Intentional Adulteration (IA) rule.
FDA provides two strategies for assisting facilities in conducting their Vulnerability Assessments (VA).
Strategy 1: Four Key Activity Types (KATs)
FDA has identified four key activity types that have been assessed to have the highest risk of contamination.
- Bulk liquid receiving and loading
- Liquid storage and handling
- Secondary ingredient handling
- Mixing and similar activities (e.g. homogenizing, grinding, coating, milling, etc.)
Using the KAT method, facilities should assess each point, step, or procedure to determine whether those activities fall under the KATs. For example, the measuring of an ingredient before it is added to the product stream could be considered a KAT since it is secondary ingredient handling. Those that fit within the KATs are actionable process steps and require mitigation strategies. Facilities’ VAs must explain why each process step is or is not an actionable process step.
Strategy 2: The Three Fundamental Elements
Another method of creating a VA could be to apply the “Three Fundamental Elements” outlined in the rule to each point, step, or procedure of a facilities food making process.
- Potential public health impact if a contaminant were added
- Degree of physical access to the product
- Ability of an attacker to successfully contaminate the product
Facilities should consider the possibility of an inside attacker as well as conditions, activities, practices, or characteristics that are integral to the operation of the food making process when evaluating the three fundamental elements.
FDA’s website provides Tables and Worksheets (Chapter 2, Section F) that can help determine if the process steps are considered actionable processes, once the three fundamental elements are applied to every point, step, or procedure. Again, a written explanation is required as to why or why not a process step is an actionable process.
FDA also suggests using a hybrid method of the two outlined strategies to potentially create a more in-depth VA. “In the hybrid approach, a facility first assesses each point, step, or procedure to identify steps that fit within any of the four key activity types. Then, rather than concluding the VA with those steps identified as the actionable process steps, the facility uses the three elements to conduct a more in-depth evaluation of some of the steps.”
After conducting the VA, mitigation strategies should be applied to steps deemed actionable processes. These can include mitigating accessibility of an inside attacker (such as using locks with access codes for sensitive areas and vetting employees before giving them the code), reducing the potential of a contamination (such as increased supervision in key areas), and introducing facility-wide security measures (such as installing a perimeter fence and locking exterior doors, securing hazardous materials). These strategies require a written explanation as to why they were deployed. Each food facility will have actionable processes and mitigation strategies that are unique to their products and these strategies should reflect that accordingly.
Who must develop my food defense plan?
FDA requires activities under the IA rule to be conducted by one or more “Qualified Individuals.” These individuals should have the proper education, training, or experience to carry out these duties as outlined by the rule. Registrar Corp’s Regulatory Specialists have the necessary qualifications to develop a Food Defense Plan for your facility.
Covered facilities with more than 500 full-time equivalent employees must comply with FDA’s IA rule by July 26, 2019. Businesses with fewer than 500 full-time equivalent employees have one additional year to comply.
Very small businesses are exempt from most requirements under FDA’s Intentional Adulteration rule, including the development of a Food Defense Plan. In order to take advantage of this exemption, businesses must provide records to FDA proving their very small business status by July 26, 2021. FDA defines a very small business as “businesses (including any subsidiaries and affiliates) that averaged less than $10,000,000 in global food sales plus the market value of unsold food inventory during the previous three calendar years.”
Facilities that hold food (except food held in liquid storage tanks), manufacture or process food for animals, manufacture or process alcoholic beverages under certain conditions, and activities that fall within the definition of ‘farm’ are exempt from FDA’s Intentional Adulteration Rule. View FDA’s final rule for a complete list of exemptions.
Mr. Barham acts as Director of Food Safety at Registrar Corp. He and his team assist food facilities to comply with U.S. FDA food safety regulations by reviewing HACCP and HARPC Food Safety plans, conducting mock FDA inspections, and more.
Registrar Corp is a U.S. FDA consulting firm that helps food facilities comply with FDA regulations, including requirements under FSMA. Registrar Corp’s Food Safety Specialists are Qualified Individuals who can develop or review a Food Defense Plan for compliance. For questions or assistance, contact +1-757-224-0177 or chat with a Regulatory Advisor 24-hours a day at www.registrarcorp.com/livehelp.