Food Defense Plan Compliance under FSMA

Food Defense Plan Compliance under FSMA

Initially published on May 27, 2016, US FDA’s Mitigation Strategies to Protect Food Against Intentional Adulteration regulation (“the IA rule”) aims at preventing intentional adulteration from acts intended to cause wide-scale harm to public health, including acts of terrorism targeting the food supply. The rule applies to domestic and foreign companies that are required to register with the FDA as food facilities under the Federal Food, Drug, and Cosmetic (FD&C) Act. Some exemptions apply. 

In the recent past, food safety third-party audits have expanded their scope to include food defense. BRCGS Food Issue 9 has new training requirements for employees performing threat assessments. Most HACCP audit checklists now include a food defense element where, at a minimum, broad food defense mitigation strategies must be documented and implemented.    

What is a food defense plan and what are the responsibilities of the Food Defense Qualified Individual (FDQI) under FSMA?  

A food defense plan is a written document based on food defense principles which comprises a vulnerability assessment, focused mitigation strategies and management components such as food defense monitoring, corrective action, verification procedures and plan re-analysis.

The Food defense Qualified individual is a person who has the education, training, or experience (or a combination thereof) necessary to perform activities required under the IA rule.  FDQIs prepare or oversee the development of a food defense plan, conduct a vulnerability assessment, identify, and explain mitigation strategies and conduct a re-analysis of the plan. A qualified individual may be but is not required to be, an employee of the establishment.

Vulnerability Assessments

Vulnerability assessments are required for each type of food manufactured, processed, packed, or held at your facility. The food defense team must use appropriate methods to evaluate each point, step, or procedure in your food operation to identify significant vulnerabilities. 

The assessment must consider the following criteria: 

  • The potential public health impact (e.g., severity and scale) if a contaminant was added to the food or beverage,
  • The degree of physical access to the product,
  • The ability of an attacker to successfully contaminate the product,
  • The assessment must also consider the possibility of an inside attacker.

The vulnerability assessment must be written and must include an explanation as to why each point, step, or procedure either was or was not identified as an actionable process step. While optional, it is recommended to develop a process flow diagram to evaluate systematically each step, point or procedure in your food handling and manufacturing process. 

The US FDA does not prescribe or require a specific methodology for conducting vulnerability assessments. Facilities have the option to choose their own methodology but must consider the criteria identified above. The KAT method, the 3 Element Method may be used to identify vulnerabilities. Key Activity types (KATs) are described in the FDA Food Defense Mitigation Database.  The FSPCA food defense course curriculum also offers a tutorial on conducting assessments using the three fundamental element method. 

Mitigation Strategies and Actionable Process Steps 

Where threats are identified in the food manufacturing process, Actionable Process Steps (APS) must be determined. APSs are points, steps, or procedures in a food process where a significant vulnerability exists and at which mitigation strategies can be applied and are essential to significantly minimize or prevent the significant vulnerability.

Once the APSs are confirmed, the food defense team led by the FDQI(s) can establish risk-based, reasonably appropriate measures to significantly minimize or prevent significant vulnerabilities identified at actionable process steps. 

For each mitigation strategy implemented at each actionable process step, the FDQI(s) must include a written explanation of how the mitigation strategy sufficiently minimizes or prevents the significant vulnerability.

The site may decide to follow an existing food safety or security procedure implemented at the site. The procedure must be applicable to Food Defense and to the Actionable Process Step. It should be process-focused and be subject to management components.    

Management Components

As with the PCHF rule or with HACCP, actionable process steps must be monitored to ensure that the mitigation strategy is in effect and working. This needs to be assigned to a trained individual who needs not be an FDQI. The frequency of monitoring must be dependent upon the risk associated with loss of control at the Actionable Process Step.  

Management components ensure that monitoring, corrective action, and verification procedures are implemented at each APS and documented. Trained verifiers are tasked with ensuring monitoring and recordkeeping are happening at the frequency stated. If the process deviates from requirements, Corrective Actions are taken and documented. 

Corrective Action Procedures must describe appropriate action taken to identify and correct a problem that has occurred with the implementation of a mitigation strategy. It must also reduce the risk of reoccurrence of the threat. 

Food defense corrective actions are intended to address situations where mitigation strategies are not properly implemented. Records are subject to verification. 

Improperly implemented mitigation strategies can be identified through food defense monitoring (missing records, wrong frequency of monitoring, un-authorized or untrained operator) and verification (verification process is not followed, no signature on the records). 

Corrective action procedures must describe the steps to be taken to: 

  • Identify the problem, 
  • Correct the issue,
  • Reduce the likelihood that the problem will re-occur,
  • Protect/hold the product (where needed). 

Verification and Plan Reanalysis  

Food defense monitoring and corrective actions records are verified within appropriate timeframes to ensure that: 

  • Records are duly completed,
  • The activities reflected in the records occurred in accordance with the food defense plan,
  • The mitigation strategies are properly implemented,
  • Appropriate decisions were made about food defense corrective actions.

At a minimum, the FDQI(s) must conduct a re-analysis of the entire food defense plan at least once every 3 years. A re-analysis of the entire food defense plan or the applicable portions of the plan before any change in activities (including any change in mitigation strategy) or within 90 days after the start of production or within a reasonable timeframe exceeding 90 calendar days if justified in writing by the FDQI.

Recordkeeping requirements

Food Defense must be retained at the facility for at least 2 years after the date they were prepared. The food defense plan must be retained for at least 2 years after its use is discontinued. Finally, the owner, operator, or agent in charge of the facility must sign and date the food defense plan upon initial completion of the plan and whenever there are any modifications made to it. 


FDA IA Rule 

FSPCA public manual  (Conducting Vulnerability Assessments) 

FDA Food Defense Mitigation Database

Food Defense Drills (Free-B) 

Food Defense Training (Employees First) 

Need help developing your Food Defense Plan for SQF or FSMA (IA Rule)? Book your free consultation to learn the requirements and get a free Food Defense Questionnaire. Check our blog and store for templates, training and consulting solutions. At Sirocco, we are SQF Experts and HACCP Plan writers.      


Related Articles