The Food Safety Modernization Act (FSMA) “Mitigation Strategies to Protect Food Against Intentional Adulteration” or IA Rule, as it is commonly known, specifies that covered food facilities are required to perform a vulnerability assessment prior to developing a Food Defense Plan as part of the published regulation final rule.
There is a reason why the FSMA calls for an assessment rather than the more typically performed audit. Frankly, I have struggled with food industry approaches to audits used to best “measure” preparedness of food safety and food defense responsibilities, policies, and procedures, along with identification and assignment of risk/threat mitigations, as prescribed by FDA regulations.
Most importantly, how can the industry best determine if a food facility obtains an accurate picture of their real exposure to adverse internal and external risks and threats? How can a food business, religiously following its food protection plans and operational implementation of these plans, have full confidence they have accomplished, in operational practice, what they are supposed to do to best protect their valued assets? That is, how comprehensive and committed is management to understand their risk and insist upon hazard/risk/threat assessments performed on their own site that would more accurately determine the probability, severity, and criticality of hazards and risks and effectiveness of their mitigation strategies that expose people, product, or the food facility to situations that could cause injury or death in humans or animals?
In my 47 years of wrestling with the merits if various risk/threat management approaches, I find fault in our overreliance upon internal and external audits to measure our confidence level as the fundamentally accepted way to verify that our food protection risk and threat detection systems are “always on” and working effectively.
Food Audits and Food Assessments
We need to first understand the difference between an audit and an assessment from a proven historical event perspective. We now rely upon industry food safety and food defense (and economically motivated adulteration, or EMA) standards organization audit formats. Those used are based upon requirements found in the Global Food Safety Initiative (GFSI) or specified in specific supplier requirements. For the most part, they are not designed for nor do they deeply probe critical issues enough in determining potential gaps and system flaws that are deeply rooted, often unnoticeable but often critical, in the identification of risk and threats in any given operational environment. Generally, even well-performed audits are more likely to miss what a true assessment for system weaknesses can uncover.
An audit, according to Merriam-Webster, is “a careful check or review of something.” I believe an audit consists of an evaluation of an organization’s systems, processes, and controls, performed against the set standard or documented process, and is often a generic, one-size-fits-all approach. A food defense and EMA audit is designed to verify whatever standard is in place and is often set up using a checklist approach to ensure product, personnel, and facility security. An audit may also provide a gap analysis of the operating effectiveness of the internal controls in meeting a system or control requirement.
Audits are designed to provide an independent evaluation of system processes and controls using personnel with expert knowledge about the system or process. But they are addressed with pre-scripted audit tools that limit the ability to identify other hidden system hazards/risk/threats. By design, audits may identify system and control gaps, but provide limited feedback from the auditor as to how to best mitigate such gaps. Worse, full reliance on audit results may allow unintentional and nondetectable food safety breakdowns to occur.
An assessment, as defined by Merriam-Webster, is an “action or an instance of making a judgment about something.” For example, a food defense vulnerability assessment is a fundamental, risk-based review and gap analysis of a site’s or a system’s control strengths that could cause failure in achieving the underlying criteria used to set a system standard or process control. This process involves the identification and classification of both the known and unknown product security vulnerabilities that may impact the site or its system functions.
It is important to recognize these differences between the purpose and performance of an audit and that of an assessment. In my opinion, the purpose, importance, and structure of an audit has been over-emphasized in the determination and control over given risk/threat identification in food production and food manufacturing environments. More emphasis needs to be placed on performing a comprehensive assessment that is not taken from a “checklist” of generally well-known issues and concerns.
We have become overly reliant upon the conclusions of auditors and their audit results. Peanut Corp. of America (i.e. Salmonella) and Jensen Farms (i.e. Listeria monocytogenes) are two memorable industry public health events with root-cause failures that were not identified through audits performed by highly regarded auditing firms. Audits professionally performed by third parties preceded these unfortunate events, and generally high audit result scores were issued to these firms.
In these unfortunate industry system failures, the auditors missed the use of substituted contaminated product washing and cooling equipment, poor technical assumptions, and erroneous validation and verification data. It is difficult to always identify where these unidentified and unrecognizable hazard/risk/threat gaps may latently linger, unaddressed, in a food safety or food defense (and EMA) plan unless a well-structured hazard/risk/threat assessment is performed.
The way in which FSMA rules are written has strengthened the expectations and requirement that the hazard/vulnerability/threat and control/mitigation identification will be more comprehensive than in the past. These assignments must now be thoroughly deliberated by the facility Food Safety and Food Defense Teams, and decisions to include (or not to include) a hazard/risk/threat/mitigation must now be formally justified and a part of the written facility all food protection plans. This will go far to help ensure that expert food defense-qualified individuals have enough education, experience, recognition, and training for any facility vulnerability assessments that will be performed to support the specific activities within a Food Defense Plan.
An Outside Eye
If your facility is relying solely on a food defense or GFSI-style certification program owners approach to perform this assessment activity, I would again caution management not to rely upon an audit list alone. Instead invite in other outside competent individuals, not familiar to your operational activities, to assist in this activity involving FDA IA Rule compliance performed through a thorough assessment.
When I performed food defense and food fraud facility vulnerability assessments, I heard facility employees who were shadowing me during my visit say numerous times, “I never noticed that” or “We don’t have a procedure for that.” During one food defense and food fraud vulnerability assessment walk-through, a manager said that “it never occurred to me that our raw packaging and packaging waste materials could be used to counterfeit our products.”
Several years ago, I was challenged by a large food manufacturer to penetrate one of their facility’s food defense systems, which were, according to their corporate physical security manager, considered to be “the best product protected security site within our manufacturing group.” Unfortunately, it was surprisingly easy to defeat the facility perimeter defenses, enter the facility from the outside, and then move unseen into the production area with exposed product through unused and unlocked dark office space. This was accomplished during normal business hours.
The point from these observations is there is no perfect site-specific audit tool that will accomplish what a true assessment can deliver to help safeguard product security. Prior to performing a more thorough assessment, these mentioned facilities used industry and/or government food defense audit templates to measure their own product security readiness. But, in doing so, these facilities failed to identify several of their later-proven site-specific and potentially catastrophic product security vulnerabilities. Assessing food defense system vulnerabilities after hours is another way to observe potential system failures. At these times, when there is less supervision, access to product, packaging materials and rework is often unsecured, when warehouses are lightly manned or un-manned, when generally fewer employees are onsite in sensitive production areas, and when contractor night work often occurs.
If your business intention is to meet best-practice food defense and food fraud business protection for you, your customers, and consumers, focus on a deeper-dive effort and commitment to performing a comprehensive vulnerability assessment. Don’t be tempted to default to a traditional short-version food defense audit format to merely comply with the IA Rule vulnerability assessment requirement. In doing so, in my opinion, it doesn’t comply with the intent of the rule.
As witnessed over the course of my career in food protection, an answer to a first question regarding an issue, without following up on that question, can still hide significant underlying gaps carrying security flaws that need to be addressed. Often, it is a follow-up second or third question to that first asked when an observation is made that exposes a critical system gap allowing a perpetrator to succeed in an attack on your people, product, or facility. A true vulnerability assessment is more likely to uncover such gaps than is a vulnerability audit.
Conducting an Assessment
There is no more important component to a Food Defense Plan than conducting a credible and comprehensive vulnerability assessment. There are several FDA-approved training courses offered for anyone, including facility food defense-qualified individuals, to improve upon their vulnerability assessment skills and applied methodologies. The courses also showcase available tools that can be used in this type of critical intentional adulteration activity, including the following.
- FDA’s Food Defense Plan Builder has a built-in vulnerability assessment tool and helps the user to numerically rank a given vulnerability and perpetrator accessibility. It can accommodate unique vulnerability and accessibility concerns at an individual site. In fact, this food-based risk assessment tool has been used with other non-food industry applications to help identify and mitigate product security gaps.
- The Food Safety and Preventive Controls Alliance (FSPCA) at the Institute of Food Safety and Health offers online, self-paced courses including “Food Defense Awareness for the IA Rule,” “FSPCA Overview of the IA,” “FSPCA IA Conducting Vulnerability Assessments using Key Activity Types,” and “FSPCA IA Identification and Explanation of Mitigation Strategies.” In addition, an onsite “FSPCA IA Conducting Vulnerability Assessments” certificate course is offered using vulnerability assessment lead instructors. These lead instructor candidates successfully completed FSPCA-required prerequisite certificate courses. There are new plans for extended training requirements to a food defense-qualified individual, who meets strict criteria based upon education, experience, and training. Their lead instructor certification comes with successful completion of a three-day “Vulnerability Assessment Lead Instructor Training” at various domestic locations starting May 2019.
- The Food Defense and Protection Institute (FPDI) recently introduced a one-day FSPCA FDA-standardized FSPCA course on “IA Conducting Vulnerability Assessments” as included as day one of a two-day “FDPI Food Defense Industry Training” course. The first such course was held May 1-2, 2019.
With the first FSMA IA Rule compliance date of May 27, 2019, fast approaching for large food facilities that manufacture, process, pack, or hold (store) food, it is imperative to conduct a comprehensive vulnerability assessment for your facility. Ideally, this effort should be supported by outside food defense experts, identify vulnerabilities and actionable process steps, and determine optional mitigation strategies and priorities proposed by those experts and Food Defense Team. Also, facility financials will no doubt be affected by a number of these vulnerability mitigation decisions, particularly those requiring more significant capital budget approvals prior to implementation. After a food defense vulnerability assessment has been performed and mitigation strategies are in place according to your established Food Defense Plan, don’t be satisfied with this outcome. There is more that can be done in challenging your plan. Consider the use of food defense experts in conducting a red team exercise with the intention of identifying any remaining significant vulnerabilities, viewing alternate methods for attack and revealing other outstanding product security risks for your specific facility.
Partnering with outside food defense experts better helps with a deeper-dive into your food defense and food fraud assessment. Such experts have established their broad product security perspectives from spending many hours at different food and non-food facility environments performing vulnerability assessments.
Is your facility approaching its assessment responsibility as “checking a box” that appears to meet a regulatory requirement, or is every effort made to best address the purpose of the IA Rule requirement? Conducting a well-constructed and comprehensive food defense and EMA vulnerability assessment is in the best interest of all stakeholders. It is obvious that, under FSMA, the FDA, academic institutions, and standards organizations will be providing a stepped-up training effort to ensure industry will be better prepared to address all hazards that, if not effectively managed, have the potential to affect public health and jeopardize your business viability.
Park is the principal for Food-Defense, LLC. He has practiced food protection technical and management consulting for 46 years, is an FDA-recognized international processing authority, and an FSPCA PCQI Lead instructor. Reach him at firstname.lastname@example.org.
Intentional Adulteration Inspections to Begin March 2020
In April, FDA announced during a public meeting that routine inspections to verify compliance with the IA rule will begin in March 2020. FDA heard from stakeholders that due to the novel nature of the IA rule and its requirements, they believe more time is needed to develop a fully compliant food defense plan. To allow industry time with resources, tools, and trainings, FDA will be starting routine IA rule inspections next year.—FQ&S