The Food Safety Modernization Act (FSMA) “Mitigation Strategies to Protect Food Against Intentional Adulteration” or IA Rule, as it is commonly known, specifies that covered food facilities are required to perform a vulnerability assessment prior to developing a Food Defense Plan as part of the published regulation final rule.
There is a reason why the FSMA calls for an assessment rather than the more typically performed audit. Frankly, I have struggled with food industry approaches to audits used to best “measure” preparedness of food safety and food defense responsibilities, policies, and procedures, along with identification and assignment of risk/threat mitigations, as prescribed by FDA regulations.
How can the industry best determine if a food facility obtains an accurate picture of their real exposure to adverse internal and external risks and threats? How can a food business, religiously following its food protection plans and operational implementation of these plans, have full confidence they have accomplished, in operational practice, what they are supposed to do to best protect their valued assets? How committed is management to want to know and understand their business risk? Does it insist that assessments performed within their own site use the best means accurately determine the probability, severity, and criticality of hazards and risks and their mitigation strategies that expose their people, product, or the food facility to situations that could cause serious injury or death in humans or animals?
In my 47 years of wrestling with the merits of various risk/threat management approaches, I find fault in our overreliance upon internal and external audits to measure our confidence level as the fundamentally accepted way to verify that our food protection risk and threat detection systems are “always on” and working effectively.
Food Audits and Food Assessments
We need to first understand the difference between an audit and an assessment from a proven historical event perspective. We now rely upon industry food safety and food defense (and economically motivated adulteration, or EMA) standards organization audit formats. Those used are based upon requirements found in the Global Food Safety Initiative (GFSI) or often specified in supplier requirements. These formats are not designed, nor do they probe, long-standing gaps and system flaws that are deeply-rooted, often unnoticeable but often critical, in the identification of risk and threats in any given operational environment. Generally, even well-performed audits are more likely to miss what a true assessment for system weaknesses can uncover.
An audit, according to Merriam-Webster, is “a careful check or review of something.” I believe an audit consists of an evaluation of an organization’s systems, processes, and controls, performed against the set standard or documented process, often a generic, one-size fits-all approach. A food defense and EMA audit is designed to verify whatever standard is in place and is often set up using a checklist approach to ensure product, personnel, and facility security. An audit may also provide a gap analysis of the operating effectiveness of the internal controls in meeting a system or control requirement.
Audits are designed to provide an independent evaluation of system processes and controls using personnel with expert knowledge about the system or process. But they are addressed with pre-scripted audit tools that limit the ability to identify other hidden system hazards/risk/threats. By design, audits may identify system and control gaps, but only provide limited feedback from the auditor as to how to best mitigate such gaps. Worse, full reliance on audit results may allow unintentional and nondetectable food safety breakdowns to occur.
An assessment, as defined by Merriam-Webster, is an “action or an instance of making a judgment about something.” For example, a food defense vulnerability assessment is a fundamental, risk-based review and gap analysis of site or a system control strengths that could cause failure in achieving the underlying criteria used to set a system standard or process control. This process involves the identification and classification of both the known and unknown product security vulnerabilities that may impact the site or its system functions.
It is important to recognize these differences between the purpose and performance of an audit and that of an assessment. In my opinion, the purpose, importance, and structure of an audit has been over-emphasized in the determination and control over given risk/threat identification in food production and food manufacturing environments. More emphasis needs to be placed on performing a comprehensive assessment that is not taken from a “checklist” of generally well-known issues and concerns.
We have become overly reliant on the conclusions of auditors and their audit results. Peanut Corp. of America (i.e. Salmonella) and Jensen Farms (i.e. Listeria monocytogenes) are two memorable industry public health events with root-cause failures that were not identified through audits performed by highly regarded auditing firms. Audits professionally performed by third parties preceded these unfortunate events, and generally high audit result scores were issued to these firms.
In these unfortunate industry system failures, the auditors missed the use of substituted contaminated product washing and cooling equipment, poor technical assumptions, and erroneous validation and verification data. It is difficult to always identify where these unidentified and unrecognizable hazard/risk/threat gaps may latently linger, unaddressed, in a food safety or food defense (and EMA) plan unless a well-structured hazard/risk/threat assessment is performed.
The way in which FSMA rules are written has strengthened the expectations and requirement that the hazard/vulnerability/threat and control/mitigation identification will be more comprehensive than in the past. These assignments must now be thoroughly deliberated by the facility Food Safety and Food Defense Teams. Decisions to include (or not to include) a hazard/risk/threat/mitigation must now be formally justified and a part of the written facility all-hazard food protection plans. This will go far to help ensure that expert food defense-qualified individuals have enough education, experience, recognition, and training for any facility vulnerability assessments that will be performed to support the specific activities within a Food Defense Plan.
An Outside Eye
If your facility is relying solely on a food defense or GFSI-style certification program owners approach to perform this assessment activity, I would again caution management not to rely upon an audit list alone. Instead, invite other outside competent individuals, not familiar with your facility and operational activities, to assist in an assessment activity.
When I performed food defense and food fraud facility vulnerability assessments, I heard facility employees who were shadowing me during my visit say numerous times, “I never noticed that” or “We don’t have a procedure for that.” During one food defense and food fraud vulnerability assessment walk-through, a manager said that “it never occurred to me that our raw packaging and packaging waste materials could be used to counterfeit our products.”
Several years ago, I was challenged by a large food manufacturer to penetrate one of their facility’s food defense systems, which were, according to their corporate physical security manager, considered to be “the best product protected security site within our manufacturing group.” Unfortunately, it was surprisingly easy to defeat the facility perimeter defenses, enter the facility from the outside, and then move unseen into the production area with exposed product through unused and unlocked dark office space. This was accomplished during normal business hours.
The point from these observations is that there is no perfect site-specific audit instrument that will accomplish what a true assessment can deliver to help safeguard product security. Prior to performing a more thorough assessment, these mentioned facilities used industry and/or government food defense audit templates to measure their own product security readiness. But, in doing so, these facilities failed to identify several of their later-proven site-specific and potentially catastrophic product security vulnerabilities. Assessing food defense system vulnerabilities after hours is another way to observe potential system failures. At these times, there is less supervision, more unrestricted access to product, packaging materials, and rework. Materials are often unsecured, warehouses are lightly manned or un-manned, and generally, fewer employees are onsite in sensitive production areas, often when contract night or weekend work occurs.
If your business intention is to meet best-practice food defense and food fraud business protection for you, your customers, and consumers, focus on a deeper-dive effort and commitment to performing a comprehensive vulnerability assessment. Don’t be tempted to default to a traditional short-version food defense audit format to merely comply with the IA Rule vulnerability assessment requirement. In doing so, in my opinion, it doesn’t comply with the intent of the rule.
Conducting an Assessment
There is no more important component to a Food Defense Plan than conducting a credible and comprehensive vulnerability assessment. There are several FDA-approved training courses offered for anyone, including facility food defense-qualified individuals, to improve upon their vulnerability assessment skills and applied methodologies. The courses also showcase available tools that can be used in this type of critical intentional adulteration activity, including the following.
FDA’s Food Defense Plan Builder has a built-in vulnerability assessment tool and helps the user to numerically rank a given vulnerability and perpetrator accessibility. It can accommodate unique vulnerability and accessibility concerns at an individual site. In fact, this food-based risk assessment tool has been used with other non-food industry applications to help identify and mitigate product security gaps.
The Food Safety and Preventive Controls Alliance (FSPCA) at the Institute of Food Safety and Health offers online, self-paced courses including “Food Defense Awareness for the IA Rule,” “FSPCA Overview of the IA,” “FSPCA IA Conducting Vulnerability Assessments using Key Activity Types,” and “FSPCA IA Identification and Explanation of Mitigation Strategies.” In addition, an onsite “FSPCA IA Conducting Vulnerability Assessments” certificate course is offered using vulnerability assessment lead instructors. These lead instructor candidates successfully completed FSPCA-required prerequisite certificate courses. There are new plans for extended training requirements to a food defense-qualified individual who meets strict criteria based upon education, experience, and training. Their lead instructor certification comes after successful completion of a three-day “Vulnerability Assessment Lead Instructor Training” at various domestic locations starting May 2019.
The Food Defense and Protection Institute (FPDI) recently introduced a one-day FDA-standardized FSPCA course on “IA Conducting Vulnerability Assessments” as included as day one of a two-day “FDPI Food Defense Industry Training” course. The first such course was held May 1-2, 2019.
IA Rule Compliance
With the first FSMA IA Rule compliance date of May 27, 2019, for large food facilities that manufacture, process, pack, or hold (store) food, it is imperative to conduct a comprehensive vulnerability assessment for your facility. Ideally, this effort should be supported by outside food defense experts, identify vulnerabilities and actionable process steps, and determine optional mitigation strategies and priorities proposed by those experts and Food Defense Team. Also, facility financials will no doubt be affected by a number of these vulnerability mitigation decisions, particularly those requiring more significant capital budget approvals prior to implementation. After a food defense vulnerability assessment has been performed and mitigation strategies are in place according to your established Food Defense Plan, don’t be satisfied with this outcome. More can be done in challenging your plan. Consider the use of food defense experts in conducting a red team exercise with the intention of identifying any remaining significant vulnerabilities, viewing alternate methods for attack and revealing other outstanding product security risks for your specific facility.
Partnering with outside food defense experts provides a deeper dive into your food defense and food fraud assessment. Such experts have established their broad product security perspectives from spending many hours at different food and non-food facility environments performing vulnerability assessments.
Park is the principal for Food-Defense, LLC. He has practiced food protection technical and management consulting for 46 years, is an FDA-recognized international processing authority, and an FSPCA PCQI Lead instructor. Reach him at email@example.com.