Commentary - this is very broad/open and care must taken when preparing this program A concern would be claiming too many vulnerabilities and then having to correct too much (and the expense of that).
Below is a summary of the major sections of the document.
Requirements - "Each covered facility is required to prepare and implement a food defense plan. This written plan must identify vulnerabilities and actionable process steps, mitigation strategies, and procedures for food defense monitoring, corrective actions and verification. A reanalysis is required every three years or when certain criteria are met, including mitigation strategies that are determined to be improperly implemented. " .
1. You must prepare, or have prepared, and implement a written food defense plan.
- The written vulnerability assessment that identify significant vulnerabilities and actionable process steps
- The written mitigation strategies,
- The written procedures for the food defense monitoring of the implementation of the mitigation strategies
- The written procedures for food defense corrective actions,
- The written procedures for food defense verification
2. Conduct a Vulnerability Assessment (it is like HACCP, but instead of a hazard analysis, companies must complete a vulnerability assessment to identify where intentional adulteration could be an issue).
- A vulnerability assessment for each type of food manufactured, processed, packed, or held at your facility using appropriate methods to evaluate each point, step, or procedure in your food operation to identify significant vulnerabilities and actionable process steps.
- Appropriate methods must include, at a minimum, an evaluation of: (1) The potential public health impact (e.g., severity and scale) if a contaminant were added;
- The degree of physical access to the product; and
- The ability of an attacker to successfully contaminate the product, The assessment must consider the possibility of an inside attacker.
- Written vulnerability assessment and must include an explanation as to why each point, step, or procedure either was or was not identified as an actionable process step.
3. Develop Mitigation strategies for actionable process steps.that minimize the risk at the identified vulnerabilities.
- You must identify and implement mitigation strategies at each actionable process step to provide assurances that the significant vulnerability at each step will be significantly minimized or prevented and the food manufactured, processed, packed, or held by your facility will not be adulterated.
- For each mitigation strategy implemented at each actionable process step, you must include a written explanation of how the mitigation strategy sufficiently minimizes or prevents the significantvulnerability associated with the actionable process step.
4. Mitigation management - Monitoring, verification, and corrective action of the mitigation procedures.
Mitigation strategies management components.
Mitigation strategies management components.
A. Food defense monitoring.As appropriate to the nature of the mitigation strategy and its role in the facility’s fooddefense system:
- Written procedures including the frequency with which they are to be performed, for food defense monitoring of the mitigation strategies.
- You must monitor the mitigation strategies with adequate frequency to provide assurances that they are consistently performed.
- Records - You must document the monitoring of mitigation strategies in accordance with this section in records that are subject to verification and record keeping.
B. Food defense corrective actions Written procedures must be established and must be taken if mitigation strategies are not properly implemented. Records must be kept.The food defense corrective action procedures must describe the steps to be taken toensure that:
- Appropriate action is taken to identify and correct a problem that has occurred with implementation of a mitigation strategy; and
- Appropriate action is taken, when necessary, to reduce the likelihood that the problem will recur.
C. Food defense verification activities must include
- Verification that food defense monitoring is being conducted
- Verification that appropriate decisions about food defense corrective actions are being
- Verification that mitigation strategies are properly implemented and are significantly minimizing or preventing the significant vulnerabilities.
- Mitigation strategies for actionable process steps.(i) Review of the food defense monitoring and food defense corrective actions records within appropriate time frames to ensure that the records are complete, the activities reflected in the records occurred in accordance with the food defense plan, the mitigation strategies are properly implemented, and appropriate decisions were made about food defense corrective actions; and (ii) Other activities appropriate for verification of proper implementation of mitigation strategies
- Verification of reanalysis in accordance with
- Written procedures. You must establish and implement written procedures, including the frequency for which they are to be performed, for verification activities
- Documentation. All verification activities conducted in accordance with this section must be documented in records.
- You must conduct a reanalysis of the food defense plan, as a whole at least once every 3 years;
- You must conduct a reanalysis of the food defense plan as a whole, or the applicable portion of the food defense plan
- Whenever a significant change made in the activities conducted at your facility creates a reasonable potential for a new vulnerability or a significant increase in a previously identified vulnerability;
- Whenever you become aware of new information about potential vulnerabilities associated with the food operation or facility;
- Whenever you find that a mitigation strategy, a combination of mitigation strategies, or the food defense plan as a whole is not properly implemented; and
- Whenever FDA requires reanalysis to respond to new vulnerabilities, credible threats to the food supply, and developments in scientific understanding including, as appropriate, results from the Department of Homeland Security biological, chemical, radiological, or other terrorism risk assessment.
- Be kept as original records, true copies (such as photocopies, pictures, scanned copies, microfilm, microfiche, or other accurate reproductions of the original records), or electronic records;
- Contain the actual values and observations obtained during food defense monitoring;
- Be accurate, indelible, and legible;
- Be created concurrently with performance of the activity documented;
- Be as detailed as necessary to provide history of work performed
- All records required by this part must be retained at the facility for at least 2 years after the date they were prepared.
Significant vulnerability means a vulnerability that, if exploited, could reasonably be
expected to cause wide scale public health harm. A significant vulnerability is identified by a
vulnerability assessment conducted by a qualified individual, that includes consideration of the
following: (1) Potential public health impact (e.g., severity and scale) if a contaminant were
added, (2) degree of physical access to the product, and (3) ability of an attacker to successfully
contaminate the product. The assessment must consider the possibility of an inside attacker.
Mitigation strategies mean those risk-based, reasonably appropriate measures that a person knowledgeable about food defense would employ to significantly minimize or prevent
significant vulnerabilities identified at actionable process steps, and that are consistent with the
current scientific understanding of food defense at the time of the analysis.
Qualified individual means a person who has the education, training, or experience (or a
combination thereof) necessary to perform have the appropriate education, training, or experience (or a combination thereof) necessary to properly prepare and implement the the food defense plan
Qualifications of individuals:
- Be a qualified individual through the appropriate education, training, or experience (or a combination thereof) necessary to properly perform the activities; and
- Have successfully completed training for the specific function at least equivalent to that received under a standardized curriculum recognized as adequate by FDA or be otherwise qualified through job experience to conduct the activities.
FDA Fact Sheet
FSMA Final Rule for Mitigation Strategies to Protect Food Against Intentional Adulteration
The FDA Food Safety Modernization Act (FSMA) final rule is aimed at preventing intentional adulteration from acts intended to cause wide-scale harm to public health, including acts of terrorism targeting the food supply. Such acts, while not likely to occur, could cause illness, death, economic disruption of the food supply absent mitigation strategies.
Rather than targeting specific foods or hazards, this rule requires mitigation (risk-reducing) strategies for processes in certain registered food facilities.
The proposed rule was issued in December 2013. The changes in the final rule are largely designed to provide either more information, where stakeholders requested it, or greater flexibility for food facilities in determining how they will assess their facilities, implement mitigation strategies, and ensure that the mitigation strategies are working as intended.
In developing the rule, FDA interacted with the intelligence community and considered vulnerability assessments conducted in collaboration with the food industry.
While acts of intentional adulteration may many other forms, including acts of disgruntled employees or economically motivated adulteration, the goal of this rule is to prevent acts intended to cause wide-scale harm. Economic adulteration is addressed in the final preventive controls rules for human and animal foods.
Who is Covered?
With some exceptions listed below, this rule applies to both domestic and foreign companies that are required to register with the FDA as food facilities under the Federal Food, Drug, and Cosmetic (FD&C) Act.
This rule is designed to primarily cover large companies whose products reach many people, exempting smaller companies. There are 3,400 covered firms that operate 9,800 food facilities.
It does not cover farms.
While this is the first time that companies are required to create a food defense plan, the FDA has taken an approach similar to Hazard Analysis Critical Control Point (HACCP) system, an approach adopted by industry for the identification, evaluation and control of food safety hazards. The FSMA rules advance and strengthen those safeguards.
Each covered facility is required to prepare and implement a food defense plan. This written plan must identify vulnerabilities and actionable process steps, mitigation strategies, and procedures for food defense monitoring, corrective actions and verification. A reanalysis is required every three years or when certain criteria are met, including mitigation strategies that are determined to be improperly implemented.
Vulnerability assessment: This is the identification of vulnerabilities and actionable process steps for each type of food manufactured, processed, packed or held at the food facility. For each point, step, or procedure in the facility’s process, these elements must be evaluated:
- The severity and scale of the potential impact on public health. This would include such considerations as the volume of product, the number of servings, the number of exposures, how fast the food moves through the distribution system, potential agents of concern and the infectious/lethal dose of each; and the possible number of illnesses and deaths.
- The degree of physical access to the product. Things to be considered would include the presence of such physical barriers as gates, railings, doors, lids, seals and shields.
- The ability to successfully contaminate the product.
Mitigation strategies: These should be identified and implemented at each actionable process step to provide assurances that vulnerabilities will be minimized or prevented. The mitigation strategies must be tailored to the facility and its procedures.
- The final rule removes the distinction between “broad” and “focused” mitigation strategies. The original proposal only required “focused” mitigation strategies because “broad” mitigation strategies, such as a fence around the entire facility, did not protect specific points from being attacked by an insider.
- The final rule recognizes that a mitigation strategy, applied in a directed and appropriate way to protect the actionable process step from an insider attack, would sufficiently minimize the risk of intentional adulteration.
- Monitoring: Establishing and implementing procedures, including the frequency with which they are to be performed, for monitoring the mitigation strategies.
- Corrective actions: The response if mitigation strategies are not properly implemented.
- Verification: Verification activities would ensure that monitoring is being conducted and appropriate decisions about corrective actions are being made.
This rule is a first of its kind, so education and outreach is critical. Additionally, FDA recognizes that many of the food facilities covered by this rule will also be meeting the requirements of other FSMA rules. Therefore, FDA is providing a longer timeline in the final rule for facilities to comply with the intentional adulteration rule.
- Very Small Businesses—a business (including any subsidiaries and affiliates) averaging less than $10,000,000, adjusted for inflation, per year, during the three-year period preceding the applicable calendar year in sales of human food plus the market value of human food manufactured, processed, packed, or held without sale (e.g., held for a fee). These businesses would have to comply with modified requirements within five years after the publication of the final rule.
- Small Businesses—a business employing fewer than 500 persons would have to comply four years after the publication of the final rule.
- Other Businesses—a business that is not small or very small and does not qualify for exemptions would have to comply three years after the publication of the final rule.
- A very small business. While exempt, the business would be required to provide to FDA, upon request, documentation to demonstrate that the business is very small.
- The holding of food, except the holding of food in liquid storage tanks
- The packing, re-packing, labeling or re-labeling of food where the container that directly contacts the food remains intact
- Activities that fall within the definition of “farm”
- Manufacturing, processing, packing, or holding of food for animals
- Alcoholic beverages under certain conditions
- On-farm manufacturing, processing, packing, or holding by a small or very small business of certain foods identified as having low-risk production practices. The exemption applies if such activities are the only activities conducted by the business subject to the rule. These foods include certain types of eggs, and certain types of game meats.
- FDA has established an Intentional Adulteration Subcommittee with the Food Safety Preventive Controls Alliance to develop food defense training resources for industry and regulators alike.
- The agency intends to publish guidance documents to provide information relevant to the provisions of the final rule, such as conducting a vulnerability assessment, identifying and implementing mitigation strategies, and writing procedures for food defense monitoring, corrective actions and verification.
- In addition, FDA has a number of tools and resources currently available on our website (www.fda.gov/fooddefense) that were developed for our voluntary food defense program.
- The Mitigation Strategies Database is an online, searchable listing of mitigation strategies that can be applied to different steps in a food operation to reduce the risk of intentional adulteration.
- The FDA FSMA Food Safety Technical Assistance Network is already operational and provides a central source of information to support industry understanding and implementation of FSMA. Questions submitted online or by mail will be answered by information specialists or subject matter experts.
Final Food Safety Modernization Act Rule: Intentional Adulteration
Monday, June 13, 2016
The seventh and final component of the FDA Food Safety Modernization Act was finalized and published on May 27, 2016. The Intentional Adulteration Final Rule requires food companies to identify vulnerabilities within their food process with a goal of preventing intentional contamination of the food supply that would lead to wide-scale harm.
The rule applies to both domestic and foreign companies that are required to register with the FDA as “food facilities” under the Federal Food, Drug, and Cosmetic Act. Because the rule is designed to primarily cover large companies with a wide reach to many people, smaller companies and farms are not required to comply. To qualify for the exemption, smaller companies are required to provide to the FDA documentation to demonstrate that the business is small.
The rule requires the food facilities to complete and maintain a written food defense plan. This plan is designed to assess potential vulnerabilities to intentional contamination of the food supply. This is similar to the Hazard Analysis Critical Control Point system, which is widely used within the food industry for identification, evaluation, and control of food safety hazards.
The food facilities must identify and implement mitigation strategies to address any vulnerabilities that are found, establish a food defense monitoring procedure and corrective actions, verify the procedures and corrective actions are working, and ensure all relevant employees receive the proper training and maintain records. A reanalysis is required every three years or when certain criteria are met.
- Vulnerability Assessment: Each point, step, or procedure in the facility’s process must be evaluated for the severity and scale of the potential impact on public health, degree of physical access to the product, and ability to successfully contaminate the product.
- Mitigation Strategies: Requires steps to be taken to ensure proper implementation of each mitigation strategy. Food facilities will be given flexibility to establish actions that are appropriate to their operation and product.
- Monitoring: Food facilities must establish and implement procedures for monitoring the mitigation strategies. This includes how often they will be performed.
- Corrective Actions: Requires a response if the mitigation strategies are not properly implemented.
- Verification: In order to ensure that monitoring is being conducted and appropriate decisions about any corrective actions are being made.
- Training and Recordkeeping: Food facilities must ensure all employees that will work in vulnerable areas receive the necessary training. Additionally, the food facilities must maintain records for food defense monitoring, corrective actions, and verification activities.
Food manufacturers that are not designated as a “small business” or a “very small business” must comply with the new rule within three years after publication (i.e. May 27, 2019). “Small businesses” employing fewer than 500 persons must comply within four years after publication. A “very small business” which averages less than $10,000,000 per year during the three-year period preceding the applicable calendar year in sales of human food plus the market value of human food manufactured, processed, packed, or held without sale, is exempt and must provide documentation sufficient to show their small status. Very small business have five years to comply.
The rule was initially proposed in December 2013. The final rule takes into consideration over 200 comments from the food industry, government regulatory partners, and consumer advocates. With the finalization of the Intentional Adulteration rule, the FDA has finalized all seven of the rules that implement the Food Safety Modernization Act. The previous rules are: the Preventive Controls rules for human food and animal food, the Produce Safety rule, the Foreign Supplier Verification Program rule, the Accreditation of Third-Party Certification rule, and the rule on Sanitary Transportation of Human and Animal Food.