Reaction to FSMA Food Defense Rule

The last major rule under the Food Safety Modernization Act (FSMA) was published recently. FoodQualityNews asked around for reaction.

The Food Defense rule requires firms to attempt to prevent intentional adulteration of food.

Maureen Lally, VP, marketing, North America, Installation & Services at Tyco, told FoodQualityNews that larger food and beverage companies are well on their way to complying with FSMA.

“For them, regulatory compliance is, of course, important, but preventing food safety goes far beyond compliance; it goes straight to the core of protecting valuable brands,” she said.

“However, many smaller companies do not have the expertise, staff and/or resources that may be required to fully comply with all the new FSMA regulations. This is a concern for the whole industry, because the security and safety of the food supply chain are only as strong as its weakest link. “

TycoIS provides security to food manufacturers and distributors including intrusion detection, access control, video surveillance, critical condition monitoring and emergency response planning.

No one size fits all

Joe Levitt, partner at global law firm Hogan Lovells, said the FDA listened to industry comments and made the final rule flexible as there is no one-size-fits-all.

“Rather, each covered facility needs to conduct a vulnerability assessment and then, based on that assessment, design its own food defense program to reduce the likelihood of intentional contamination,” he told us. 

“The company needs to takes into account a number of factors, including the types of the food being manufactured and the physical nature of facility. So it can and should be a customized plan.”

The former director of FDA’s Center for Food Safety and Applied Nutrition (CFSAN) said the key difference between food defense and food safety, is that food defense looks at the same system but through a different lens – a lens of how someone could intentionally contaminate the food. 

“So a food defense plan will need to pay special emphasis on physical access to the facility, and where in that facility widespread intentional contamination could occur. That is an entirely different analysis – and entirely different preventative steps – than the food safety analysis of deciding how to prevent bacteria from accidentally getting into the food.

“FDA recognized that this is the first mandatory regulation of its kind, and so the agency has allowed considerable additional time for compliance. Large companies will have three years to comply, and small businesses will have four years. That is longer than any of the other FSMA regulations.”

Levitt was CFSAN director on 9/11 and led the agency’s initial food defense efforts.

“FDA has also limited its applicability to approximately 3,400 companies, exempting any company with less than $10m in annual sales. FDA estimates that these 3,400 companies, collectively, have about 9,800 manufacturing facilities. FDA also exempted farms, warehouses, and a number of other facility types.”

Criteria for a food defense plan

Keller and Heckman said it establishes criteria for ‘food defense’ plans facilities must implement to address hazards that may be introduced with the intention to cause wide scale public health harm.

With some exceptions, the rule applies to plants that manufacture, process, pack, or hold human food and are required to register with FDA.

The final rule is effective July 26, 2016. Companies have three years from the effective date to comply, i.e., July 26, 2019. Small businesses (< 500 full-time equivalent employees) must comply within four years, i.e., July 27, 2020. 

It specifies three elements that must be evaluated when a facility conducts a vulnerability assessment: (1) the potential public health impact (e.g., severity and scale) if a contaminant were added; (2) the degree of physical access to the product; and (3) the ability of an attacker to successfully contaminate the product, said Keller and Heckman.

A food defense plan must include a vulnerability assessment, mitigation strategies, mitigation strategies management components such as monitoring, corrective actions and verification, reanalysis at least once every three years and recordkeeping requirements, the law firm added.

FDA resources and industry action

Angela Spivey, partner at McGuireWoods, said with more than 200 comments on the rule, which was proposed in December 2013, it was one of the most commented on.

“Outside of small incidents there is no recent history of intentional incidents. This rule is significant in FSMA to make that preventative leap,” she told us.

“With formal regulations a lot of large manufacturers are already doing and have had food defence for vendors for decades and the small entities are exempt.

“It is the middle-size entity who is concerned as there is a lot of cost for preventative controls. To do a self-evaluation on a facility wide basis on controls points and validation is costly. Mid-level companies have some defence plan in place but it is not specific and customised to the facility, verified and validated.

“Next is the implementation. Industry is competent enough to implement and adhere to the controls. From an FDA perspective it is about enforcement with the limited resources where to focus and there is a lot to inspect in a short period of time.”  

The law firm said the rule focuses on larger companies whose products are more likely to reach greater numbers of people.

“Covered domestic and foreign food facilities for the first time will be required to prepare written food defense plans based on identified vulnerabilities at each facility, monitor and verify mitigation strategies, prepare for corrective actions, and ensure that personnel are properly trained and maintain appropriate records.”

FDA has said that compliance with voluntary industry standards of the Global Food Safety Initiative (GFSI), the International Featured Standards (IFS) Food Standard, and the Safe Quality Foods (SQF) Code will not be sufficient to comply with the Food Defense Rule.

However, the agency added existing records may be used to comply with new requirements, and it might consider participation in such programs when prioritizing risk-based inspections of facilities.

McGuireWoods said FDA has put the focus on “the inside attacker”.

FDA gave the example of a contract employee who exploited access to pre-packaged fish at a foreign facility in 2013 and injected the fish with the pesticide Malathion.

Although authorities believed the motivation was to harm the company and not the public, FDA points to the recall of 6.4 million packages of fish as an example of the harm that can be caused by an inside attacker.