Food Safety Modernization Act (FSMA) Final Rule for Mitigation Strategies to Protect Food Against Intentional Adulteration
Last February, the US Food and Drug Administration (US FDA) released the third and last installment of the draft guidance for the Intentional Adulteration (IA) rule. The FSMA IA rule is aimed at identifying and controlling significant hazards intentionally introduced into foods with the goal of causing illness or death. The rule specifically targets acts of terrorism. Mitigations include the development of a food defence plan by US and foreign food facilities.
Intentional Adulteration differs from Economically Motivated Adulteration or “EMA”. The Economically Motivated Adulteration of food, also referred to as “food fraud,” is the intentional adulteration of food for economic gain. EMA requirements are addressed in the US FDA Preventive Controls Rules for human food. This rule became final in September 2015.
Concurrent with the release of the draft guidance document, FDA introduced the Food Defence Mitigation Strategies Database (FDMSD), a tool aimed at identifying mitigation strategies to protect food against intentional adulteration.
The sites that are covered by the IA rule must develop and implement a food defence plan. They must first perform a vulnerability assessment by identifying the points in the food manufacturing process where food adulteration is possible and likely. A risk rating must be applied where significant risks warrant action. Facilities must then mitigate and prevent the identified risks by implementing controls. The food defence program must be documented and include means to monitor the process and take corrective actions. As with Hazard Analysis and Critical Control Points (HACCP), system verification and recordkeeping procedures ensure system effectiveness.
The IA rule requires that a Food Defence Qualified Individual (FDQI) be in charge, as does the implementation and verification of the Preventive Controls for Human Food Rule. Moreover, implementation and enforcement of the requirements must be assigned to supervisory personnel who have the education, experience, and/or training to perform these tasks. Facilities within the scope of the IA requirements must develop training programs to ensure that personnel involved in food defence activities receive awareness training. Records of this training must also be kept on file.
The FDA Guidance Document identifies the requirements pertaining to the Food Defence Plan:
Elements of a Food Defence Plan
A food defence plan must include:
- Site identification (name of the business and physical location/country of origin)
- Vulnerability assessment with identification/risk rating of significant vulnerabilities and actionable process steps and justifications
- Mitigation strategies and justifications
- Food defence monitoring procedures
- Food defence corrective action procedures
- Food defence verification procedures
- Signatures—the food defence plan must be signed by the business owner, the operator, or the agent in charge of the facility. The plan must be signed upon initial completion and whenever modifications are made. Assuming the plan remains unchanged, a full review by the FDQI is required every 3 years.
How Do You Conduct a Vulnerability Assessment?
A vulnerability assessment is required to identify significant vulnerabilities and actionable process steps. The Food Defence Qualified Individual must conduct or oversee the completion of this assessment. The risk assessment must consider the following three criteria:
- The potential public health impact (e.g., severity and scale) if a contaminant were added to food,
- The degree of physical access to the food,
- The ability of an attacker to successfully contaminate the product.
IA Rule Draft Guidance (3rd Installment)
The third draft guidance document for the IA rule has been submitted for review.
The following table provides two examples taken from the draft guidance of adequate mitigation strategies, and food defence procedures including corrective actions and verifications for a bulk liquid receiving actionable process step.
The first compliance date for the final IA rule was July 26, 2019. It is applicable to businesses whose sales reach $10 million or more (USD) per year and whose workforce totals 500 full-time equivalent employees or more. The compliance date for small businesses (fewer than 500 full-time equivalent employees) is July 27, 2020. The compliance date for very small businesses is July 26, 2021. Very small businesses are exempt from the requirements of the rule but must provide written assurances that they qualify for the exemption.
SQF Code Manufacturing Edition 8.1 and IA Rule
The SQF code criteria for Food Defence are aligned with the FSMA IA requirements. The SQF code requirements pertaining to food defence are as follows:
18.104.22.168 The site’s food defence plan (refer to 22.214.171.124) shall include measures to secure incoming materials and ingredients and protect them from a deliberate act of sabotage or terrorist-like incidents.
2.7.1 Food Defence Plan (Mandatory)
126.96.36.199 The methods, responsibility and criteria for preventing food adulteration caused by a deliberate act of sabotage or terrorist-like incident shall be documented, implemented and maintained.
188.8.131.52 A food defence plan shall include:
- The name of the senior site management person responsible for food defence;
- The methods implemented to ensure only authorized personnel have access to production equipment and vehicles, manufacturing and storage areas through designated access points;
- The methods implemented to protect sensitive processing points from intentional adulteration;
- The measures taken to ensure the secure receipt and storage of raw materials, packaging, equipment and hazardous chemicals;
- The measures implemented to ensure raw materials, ingredients, packaging materials, work-in-progress, process inputs and finished products are held under secure storage and transportation conditions; and
- The methods implemented to record and control access to the premises by employees, contractors, and visitors.
184.108.40.206 The food defence plan shall be reviewed and challenged at least annually.
220.127.116.11 Records of reviews of the food defence plan shall be maintained.
Controlling the cycle of visitor operations
Introducing the Traction Guest Enterprise Visitor Management System:
“Traction Guest provides organizations with a single place to secure, manage and govern an entire cycle of visitor operations. This makes welcoming applicants, contractors, partners, customers, vendors, or investors as seamless as can be.
Traction Guest also helps keep sites secure, employees safe, and processes compliant – while ensuring every interaction is driving maximum productivity.”
Traction Guest provides a mitigation strategy that is aligned with the Food Defence Mitigation Strategies Database (FDMSD). A search for receiving activities in the database returns the following visitor-related mitigation solutions:
- Require driver check-ins
- Restrict access immediately around the step to authorized personnel
- Restrict access to equipment and controls to authorized personnel
- Restrict access to ingredients, products, and/or cargo to authorized personnel
- Restrict access to openings or access points (e.g., to bins, tanks, vats, ports/valves, inspection points, system openings) to authorized personnel
- Restrict access to transport operations to authorized personnel
- Restrict operations to authorized personnel
- Use personnel (e.g., guards, supervisors, trusted employees) for visual observation
- Use personnel identification (e.g., colour-coded uniforms, badges) to clearly identify authorized personnel around restricted locations, equipment, controls, and operations
The US FDA Intentional Adulteration rule requires that food facilities which produce food for sale and consumption in the US complete and implement a risk-based food defence plan. The requirement applies to both US and foreign sites shipping food to the United States. The IA requirements take the form of a HACCP-like risk assessment or TACCP (Threat Assessment and Critical Control Points) in the sense that significant food defence risks are first identified then controlled systematically. This is done by monitoring mitigation strategies, taking corrective actions where applicable, performing verifications, and keeping records of activities. Food facilities that are already certified to SQF and ship and sell to the US will need to review their existing food defence plan to ensure that FDA regulatory requirements are met. Small businesses must document the rule exemption requirements in order to show compliance. The individuals who will be assigned to the development of the plan will require training to demonstrate that they meet FDQI credentials. The Food Safety Preventive Controls Alliance (FSPCA) currently offers an Intentional Adulteration course. Attending the course is one way to demonstrate compliance with the IA rule requirements.
FDA Releases Third Installment of the Draft Guidance for the Intentional Adulteration Rule