The U.S. FDA recently issued its final rule implementing the landmark Food Safety Modernization Act of 2011, a law making the most comprehensive revision to the U.S. food safety system in 70 years. The new rule focuses on ensuring food security and preventing intentional adulteration, rather than responding to contamination, illness, or a crisis after the fact. Although the timing was coincidental, the terrorist attack in Nice, France, during the summer shows how the failure to focus on seemingly mundane activities like the movement of a delivery van can have tragic consequences, and why this food security rule is essential.
In the rule published May 27, 2016 entitled “Mitigation Strategies to Protect Food Against Intentional Adulteration,” FDA states that the purpose of the “rule is to protect food from intentional acts of adulteration where there is an intent to cause wide scale public health harm.” It builds on existing requirements for all registered foreign and domestic food production facilities, applying food security protocols in a regulatory climate that is increasingly concerned about safety.
The approach is modeled on the preventive controls approach used for food safety. It includes the familiar Hazard Analysis and Critical Control Point (HACCP) approach used for seafood and juice processors, and the general hazard analysis and risk-based preventive controls approach underlying the rules governing Good Manufacturing Practices for food facilities. As FDA explains, food safety and food defense “are more similar than they are different.” Thus, the framework of the new rule requires an analysis similar to the one performed under the HACCP approach. This includes identification of significant vulnerabilities, development and implementation of mitigation strategies, and implementation of systematic management components to ensure that measures are functioning.
The rule is flexible and rejects a “one-size-fits-all” approach. All facilities are required to conduct a vulnerability assessment and identify actionable mitigation strategies, while acknowledging “the mitigation strategies that [each] facility would establish and implement would depend on the facility, the food, and the outcome of the facility’s vulnerability assessment.” Because preventive control measures are process-oriented and can be scientifically validated, they are appropriately imposed more broadly. By contrast, security measures typically reduce physical access to prevent intentional contamination by an attacker, but cannot be scientifically validated.
What’s in the Rule?
The new rule requires development and implementation of “a written food defense plan that includes actionable process steps, focused mitigation strategies, and procedures for monitoring, corrective actions, and verification.” The Food Defense Plan sets forth steps each facility will follow to address risks and implement mitigation strategies, but the plan itself is obviously insufficient to avoid intentional adulteration. Thus, the rule also requires implementing the plan, developing and maintaining records that document implementation, ensuring that qualified individuals are performing assigned functions, and conducting regular reassessments at least every three years or as needed (such as when there is a process change).
Actionable process steps. Key to any Food Defense Plan is identification of “actionable process steps” for “significant vulnerabilities” at the facility “for each type of food manufactured, processed, packed, or held.” It must evaluate potential public health impacts, the degree of physical access, and ability of an attacker (including an insider) to contaminate a product. FDA identifies four key activity types that indicate a significant vulnerability, although others may be identified in individual facility assessments. Those key activities are: bulk liquid receiving and loading; liquid storage and handling; secondary ingredient handling; and mixing and similar activities.
FDA also requires that the Food Defense Plan include an explanation of why each point, step, or procedure in a manufacturing process was or was not identified as an “actionable process step” where there was a “significant vulnerability” requiring a mitigation strategy.