Process authority Dave Park has seen an awful lot in his nearly half century in the food safety arena. Today, as principal of Food Defense, LLC, he helps domestic and international processors with issues concerning current good manufacturing practices, HACCP, and the Food Safety Modernization Act (FSMA) regulatory compliance in addition to food safety and food defense. On the food defense side, that includes performing vulnerability assessments, and reviewing, developing, and implementing food defense plans.
“If you don’t have a food defense program, you are on the wrong side of the food protection curve,” Park declares. Not having a plan pinned on an intentionally thorough, site-specific vulnerability assessment and mitigation strategy creates unacceptable risk for the business, the employees, and consumers, he adds.
It has been clearly proven that past events have been devastating for stakeholders and are a result of not having a preventive program that’s effective. “Promoting an everyday culture of employee awareness and training which supports a well-thought-out food defense plan is an effective deterrent to an intentional food tampering attack, by whomever the attacker, whatever their motivation, and whenever the opportunity,” Park continues.
In 2016, FDA developed 21 CFR 121 Mitigation Strategies to Protect Food Against Intentional Adulteration, a regulation that requires facilities to develop a food defense plan that includes a written vulnerability assessment.
Food defense plan compliance for large processors went into effect June 2019, drawing more attention to the intentional adulteration (IA) rule. The compliance date for small businesses is July 27, 2020, with July 26, 2021, compliance for very small businesses.
According to Earl Arnold, manager, food defense/FSMA, operations, quality assurance at AIB International, there are several benefits to developing, implementing, and maintaining a food defense program. “First is protecting the consumer from injury or illness. Second is protecting the brand,” he says. “If a facility develops and implements a program and prevents consumer harm, they are protecting the brand.”
Education before regulation
Although food manufacturers have had food defense programs in place for years, Arnold says they were largely voluntary, based on importance for the facility and not standardized. “Those traditional programs focused on exterior security and identifying criminal activity and keeping it out of the facility. However, they did not focus on interior aspects, where intentional adulteration could occur from insiders. With FDA’s new requirements, this is not the case.”
FDA’s current enforcement view for those facilities that need to comply with provisions of the FSMA IA rule still fundamentally adhere to their food defense policy of “educate before we regulate,” says Park. In March 2020, FDA consumer safety officers began to inquire about a facility’s food defense plan development and implementation activities during an inspection, he adds. “There are perhaps a dozen or so questions being posed to food facility management during inspections as an FDA compliance ‘Quick-Check,’” states Park. “FDA describes this exchange as a high-level review between the FDA consumer safety officers with facility management representative [i.e. normally the food defense-qualified individual], to see if the facility has addressed basic requirements that are described in the IA rule.”
Not one size fits all
Anywhere ingredients, products, and packaging materials are exposed and unprotected can be subject to vulnerability. Mixing, blending, formulating, and packing products from raw material sources are areas where contamination can occur if mitigations aren’t properly assigned and monitored.
Park believes electronic or human supervision and surveillance will always be a key deterrent to attacks. This is particularly true in sensitive production areas where product and packaging materials are exposed and where material handling steps take place. “A two-person rule would be considered an effective mitigation under those circumstances,” he says. Something as simple as asking, “Are all self-closing doors properly adjusted and actually self-closing?” is also often overlooked and unaddressed.
Detecting a perpetrator in the act of intentional product tampering is extremely difficult. However, being alert to indicators and warnings about employee behavior may signal the need for closer worker supervision and surveillance. Employees may observe peculiar, erratic, or threatening behavior in another employee, and such incidents need to be reported and verified.
“Leveraging what we already know in terms of the knowledge of the ingredient/product, the packaging, and the process flows within a facility, is paramount in developing an effective vulnerability assessment, mitigation strategy, and, ultimately, a food defense plan,” says Park. Trained and experienced qualified individuals are required to take the responsibility in satisfying IA rule requirements, as well as implementing other food defense best practice requirements. “It all ties into using a comprehensive approach when developing and implementing a food defense plan,” Park continues. “I see the benefits of including a third-party outside food defense professional, too, whether they’re addressing physical security gaps or operational flow within the facility that identifies exposed ingredient, product and packaging contamination opportunities. The approach to food defense is not one size fits all.”
Using the right vulnerability assessment, mitigation, and food defense plan development tools can provide those responsible for determining a potential incident’s probability severity and criticality. Many plants now rely on tools other than FDA’s Food Defense Plan Builder version 2. “It’s not required,” Park says, but “obviously, you need to follow a systematic approach in following a food defense strategy.”
FDA’s guidance documents outline important considerations in food defense without being overly prescriptive. “There’s enough flexibility in what FDA has presented, even though their guidance is lengthy. This provides the food facility with a number of options in not only responding to the IA rule regulations, but developing an effective food defense program that improves the chances an intentional adulteration event will be deterred or detected before product is distributed to the public,” Park explains.
There are a variety of best practices for the planning, implementation, and maintenance of a food defense program, according to Arnold. First is identifying a program leader who has an understanding of food defense or is trained in the requirements. Second is conducting a detailed vulnerability assessment that focuses on the production process. “When assessing, things like a criminal asking, ‘How would a person that wanted to do something bad be able to do so?’ The answer should help identify potential significant gaps [where] you should develop and implement controls,” Arnold states. He advises being realistic in developing controls by evaluating whether they would seriously reduce the potential for someone to cause harm. “Those controls should then be implemented and documented, while also being reviewed and improved as you progress,” he adds.
Time to update your plan?
Arnold says it is a best practice for food and beverage facilities to review their food defense plans annually. “Regulations may have different requirements though. FDA states plans should be reviewed a minimum of every three years or when significant changes occur that could affect the facility, or when a mitigation strategy isn’t working correctly,” he adds.
Park says that a food defense plan re-analysis and updates need to occur when a food facility has:
1. Normal scheduled changes in a physical facility that include equipment design or installation layout changes, changes in key personnel, new ingredients/products or packaging material suppliers, and significant or different processing steps, for example.
2. Any time new vulnerabilities are introduced because of examples in number one above.
3. Re-analysis is required more frequently than the three-year mandatory re-analysis requirement that is in the IA rule if significant change introduces new vulnerability.
4. If plant managers or food defense team members learn information from industry sources, trade associations, and publicly disclosed incident or shared intelligence reports that new or previously unidentified potential vulnerabilities associated with their facilities and similar or same products exist, the facility needs to review their food defense plans.
Arnold agrees processors should conduct a food defense vulnerability assessment and develop mitigation strategies as needed. FDA has specific requirements on what is included within a vulnerability assessment, he explains, and the assessment must include reviewing all products and all processing steps. “When assessing each processing step, you must consider access to the product, the ability to contaminate, and the public health impact if a contaminant is added at this processing step. If significant vulnerabilities are identified, meaning a vulnerability, if exploited, would reasonably cause wide-scale harm, then implement controls. And when conducting the assessment, I must consider an insider could be the bad person.”
Helping manufacturers succeed
“Monitoring, verification, and recordkeeping also are required to ensure that your facility has designed and implemented an effective food defense plan,” says Park. “In these early months of IA rule implementation, FDA wants to engage in broad discussions to make sure your facility is actively working toward full IA rule compliance. The agency understands that this process requires transparent government/industry communications that involve highly sensitive information and has assured industry that such information exchanged will remain government protected. Education and training efforts will be ongoing and require a significant investment in both time and financial resources, not only for the food facility, but also for FDA to meet the intentions of the IA rule.
“Facilities with food defense programs that are under third-party auditing bodies don’t always align with the detailed food defense plan requirements of the IA rule,” Park says. While certification bodies are becoming more robust in food defense requirements, it is still a top-level auditing effort. “An audit, in my opinion, is different than an assessment,” he states. “GFSI (Global Food Safety Initiative) schemes check top-tier questions related to regulatory compliance, but, as audits generally do, are designed to identify only significant gaps, but are not designed to specifically suggest new opportunities for food defense plan improvements.”
Make plans to visit PACK EXPO International to see the latest technologies for food processing and packaging machinery and materials.