As part of the FDA Food Safety Modernization Act (FSMA), the Food and Drug Administration (FDA) issued on May 27, 2016 a final rule to require domestic and foreign food facilities, with some exceptions, to address hazards that may be introduced to food with the intent to cause wide-scale harm to public health. These food facilities are required to identify significant vulnerabilities and take steps to minimize or prevent them.
Ryan Newkirk, Senior Advisor for Intentional Adulteration with the Food Defense and Emergency Coordination Staff at FDA and Captain Jon Woody, Director, Food Defense and Emergency Coordination Staff, talk about the rule and what the FDA is doing to support industry compliance, including the publication of draft guidance which was released in three installments.
Newkirk: Sure. The purpose of the rule is to protect food from a person or group of people who are intentionally doing something to the food to either cause illness or death on a large scale. The rule does this by requiring that certain facilities develop and implement a food defense plan. It applies both to domestic facilities and foreign facilities that export food to the United States.
Newkirk: There are several main components to the plan. First, facilities must conduct a vulnerability assessment, which means finding the points in their processes that pose the greatest risk for intentional adulteration. Second, facilities must put in place mitigation, or preventive, strategies to address these vulnerabilities. Third, a system must be put in place for food defense monitoring, food defense corrective action, and food defense verification, which together ensure the system is working as intended to address the vulnerabilities. Fourth is recordkeeping. Finally, there are training requirements. Personnel, and their supervisors, working at the most vulnerable points in a facility are required to take food defense awareness training and to have the education, training, or experience to properly implement mitigation strategies. In addition, preparing the food defense plan, conducting vulnerability assessments, identifying mitigation strategies, and engaging in reanalysis activities must be done or overseen by personnel with additional training or experience.
Newkirk: No, on the contrary. One food is not inherently more at risk than another. It’s the processes that are the drivers of vulnerability.
Newkirk: Yes. Examples include an open access hatch on a large liquid food storage silo or a very large mixing vat that is open without a lid. But keep in mind that these aren’t automatically vulnerabilities—it depends on the assessment carried out by the facility.
Woody: For the most part, yes. We began focusing on food defense back in 2001, working with other federal and state agencies that protect food. Assessing vulnerabilities and putting in place preventive measures to address them are familiar steps to the food industry. A presidential directive was issued in 2004 to require FDA and the U.S. Department of Agriculture to conduct food defense vulnerability assessments with industry. As a result, we’ve had some time to learn what works and what doesn’t, and industry has played a major role in developing that knowledge. In fact, the main requirements of the rule come from our collaborative efforts with industry.
We are aware that some in industry still have questions regarding implementation of the rule in their facilities and the costs associated with implementation. That is why we have worked hard to develop the three installments of draft guidance which are intended to help clarify any confusion about the requirements, highlight areas of flexibility, and address many of industry’s concerns.
The revised draft guidance (which includes the first two installments) is intended to help industry better understand:
The revised draft guidance includes appendices of food defense plan worksheets and detailed examples of vulnerability assessments using the Three Fundamental Elements and the Hybrid Approach.
The supplemental guidance (the third installment) includes the last chapters of the draft guidance, and is intended to help industry better understand:
This installment also includes appendices on FDA’s online Mitigation Strategies Database and how businesses can determine small and very small business status under the rule.
Together these guidance documents are intended to clarify the requirements of the IA rule and assist FDA and industry with developing a common understanding of the expectations for implementation.
Woody: Because of our long history of working on food defense, we have carried out a number of site visits —even before FSMA was enacted. We’ve seen many different types of facilities and products. Additionally, since the final rule published, we’ve continued with site visits, and our discussions with industry regarding their current food defense programs.
We’ve held numerous outreach activities, including a half-day public meeting describing the first two installments of guidance. We have found that during and after our interactions and dialogue with stakeholders, including site visits, meetings with companies, and the public meeting, we have made good progress in addressing important areas of concern and uncertainty. For example, a key site visit, and associated dialogue, led to an FDA blog posting which highlighted that worker safety takes precedence over implementing food defense requirements. The blog also emphasized that FDA does not expect facilities to undergo incredibly costly reengineering of plants or move huge pieces of equipment to comply with the rule.
Woody: We’ve built as much flexibility into the rule as possible. This is by no means a “one size fits all” regulation. For example, we don’t specify what method must be used to conduct the vulnerability assessment. Any method is acceptable as long as it has certain elements. In the first installment of the guidance, we identified four key activity types that FDA considers significant vulnerabilities. Instead of conducting a broader vulnerability assessment, a facility can identify actionable process steps for these specific activity types. In the revised draft of the guidance, we describe two more options (i.e., the Three Fundamental Elements and the Hybrid Approach) facilities may choose from to conduct their vulnerability assessments.
And we do not specify what preventive steps must be used. Companies have significant flexibility in choosing which mitigation strategies are most appropriate for them. For example, in the first installment of the guidance, we describe numerous mitigation strategies. There are instances where technology-based strategies may be the best way for a facility to reduce a significant vulnerability. In other instances, a strategy that is based on personnel may be a more practical and cost-efficient strategy that still reduces the significant vulnerability. FDA’s online Mitigation Strategies Database contains examples of preventive measures.
Additionally, there is significant flexibility built into the requirements related to food defense monitoring, food defense corrective actions, food defense verification, and training. Examples of flexibility and associated cost savings include:
Newkirk: The law requires us to focus on the greatest risks and the areas of most concern, so we have provided some exemptions to minimize the burden on industry. The rule is designed to primarily cover large companies whose products reach many people, exempting smaller companies. For example, the requirements do not apply to very small businesses averaging less than $10 million in sales per year. They do have to document that they are exempt, however. There are also other exemptions, including the holding of food, except for liquid food, and for farms.
While not technically exemptions, I would also add that there are other examples of acts of intentional adulteration which generally fall outside the scope of this rule. This includes acts by disgruntled employees, consumers, and competitors and economically motivated adulteration. These other acts typically are not meant to cause widespread harm.
Economically motivated adulteration is very different because the goal is financial gain. We decided that addressing economically motivated adulteration worked better under the preventive controls framework, which focuses on hazards that are known or reasonably foreseeable. The final rules on preventive controls for human and animal food address economically motivated adulteration if it can affect the safety of the food and is reasonably foreseeable. Economically motivated adulteration that affects product integrity or quality, but not food safety, is out of the scope of those rules. However, substitution for something cheaper could result in adulteration or misbranding under the Federal Food, Drug, and Cosmetic Act.
Newkirk: Larger businesses (including any subsidiaries and affiliates) are those that employ at least 500 full-time equivalent employees and whose sale or market value of human food during the previous three-year period average at least $10 million (adjusted for inflation). These larger businesses were required to comply by July 26, 2019, and routine inspections were scheduled to begin in March 2020; however, most routine inspections have been temporarily postponed at this time due to COVID-19.
Small businesses, which employ fewer than 500 full-time equivalent employees, are required to comply by July 27, 2020; however, because FDA recognizes the unique circumstances COVID-19 has created for both industry and regulators, the FDA intends to begin small business inspections in March 2021. Very small businesses, or those whose sales or market value of human food during the previous three-year period average less than $10 million, are exempt from most of the requirements, but starting July 26, 2021, upon request they must provide documentation to show that they meet the exemption.
About 9,800 food facilities are covered by the intentional adulteration rule. The rule also applies to facilities outside the country who meet coverage criteria and export food to the United States. The draft supplemental guidance (the third installment) also includes an appendix to help businesses determine which size category they fit into (such as, small or very small).
Newkirk: When we announced that inspections of large businesses under the IA rule would begin in March 2020, we felt that it was important to provide additional time for industry to benefit from certain guidance, training and other tools that FDA issued in 2019. However, since then, COVID-19 has required us to postpone most routine inspections, including those of large businesses under the IA rule, because travel restrictions, social distancing and other public health measures have made them temporarily impractical to conduct.
When routine inspections resume, our focus will be to “educate while we regulate.” In the context of the IA rule, this means that our initial routine inspections will consist of food defense plan “quick checks” to verify that the facility has satisfied the basic requirements of the rule. For those facilities that have reached their compliance dates under the IA rule, these checks will be done at the same time as already-scheduled food safety inspections to verify compliance with other regulatory programs, such as Preventive Controls for Human Food, Juice HACCP, Seafood HACCP, and others. During the quick check FDA investigators will ask the owner or operator of the facility a series of questions such as “do you have a food defense plan?” and may provide some educational materials.
Woody: Training is important for both industry and inspectors who will be checking to make sure the requirements are met. Employees and supervisors working at a facility’s most vulnerable points are required to take food defense awareness training, and these employees must be trained in the proper implementation of mitigation strategies at these steps. Awareness training is available for free through the FSPCA or facilities can also create their own training. FSPCA offers additional IA courses, such as Conducting Vulnerability Assessments using Key Activity Types, Conducting Vulnerability Assessments using the Three Elements, Identification and Explanation of Mitigation Strategies, and Food Defense Plan Preparation and Reanalysis; courses also can be taken from other training providers.
Newkirk: FDA’s Food Defense Team has worked to develop and issue additional materials to help support industry compliance before inspections begin. We recently released the last of the three IA rule draft guidance installments. This last installment focuses on food defense corrective action, food defense verification, reanalysis and recordkeeping. We believe that together these installments of draft guidance include valuable information for stakeholders who have questions or concerns about complying with the rule.
In addition, we have worked with FSPCA to create and release the IA courses. Finally, we recently released the new Food Defense Plan Builder (FDPB) version 2.0. This software program was updated so that the content aligns with the requirements of the IA rule. The FDPB may assist the food industry in meeting many of the requirements of the rule. The FDPB guides users through a series of sections that, when completed, make up the content for a facility’s food defense plan. Although the content of the FDPB is consistent with the FDA’s existing regulations and guidance, use of the FDPB is voluntary, and using the tool to develop a food defense plan does not guarantee compliance with the rule’s requirements.
We have also published a small entity compliance guide, and the preamble to the final rule is another valuable resource on how best to comply.