Food Defense Compliance: Less Than a Year to Go

Kristen Spotz, Senior Manager, Food Safety and Quality Assurance, GMA

Warren Stone, Senior Director of Science Policy, Compliance and Inspection

Procrastination: the act or habit of putting off or delaying, especially something requiring immediate attention. Stalling, deferment, postponing.

FDA’s final FSMA Rule, Mitigation Strategies to Protect Food Against Intentional Adulteration (the IA rule, 21 CFR Part 121), was published May 27, 2016, at the high point of FSMA implementation when three new FSMA regulations required compliance within the next 12 months: Preventive Controls for Human Food, Sanitary Transport of Human and Animal Food, and Foreign Supplier Verification Programs (FSVP).

Because large businesses were given until July 26, 2019, to comply with the IA rule — at that time a date over three years away — it was natural for food protection practitioners to push the IA rule to the back burner. But like income taxes, the time comes when you can’t procrastinate, defer, stall, or postpone anymore. Thus, FDA-regulated facilities required to comply with the IA rule are seeing that the time to act is now. But, in our view, that time has passed. Compliance with the IA rule, for large firms, begins in less than 10 months.

Under the IA rule, each covered facility is required to prepare and implement a Food Defense Plan (FDP). But assuming that an existing FDP will achieve compliance is misguided — even if it is scrutinized by a third-party audit scheme holder, is C-TPAT compliant, or is generated by FDA’s existing Food Defense Plan Builder tool. The requirements of the rule are a departure from traditional approaches used by major food processors to manage food defense risks. Thus, even food companies that had robust FDPs for years will likely find that these programs need a substantial overhaul to achieve compliance.

As an important side note, the rule also applies to facilities covered by FDA HACCP regulations for seafood and juice, though such facilities are exempt from the Preventive Controls regulation. It also applies to research and development facilities that are registered with FDA.

Existing FDPs are not likely to fulfill all IA rule requirements for a number of reasons. The IA rule uses a HACCP-like approach, and its focus is on preventing an inside attacker (someone with legitimate access to the facility) from intentionally contaminating food. Today, many manufacturers assess the facility as a whole for vulnerabilities and implement broad, facility-wide measures such as perimeter security. In contrast, the rule requires a vulnerability assessment where, for each type of food manufactured, processed, packed, or held at the facility, each point, step, or procedure in the food operation must be evaluated to determine significant vulnerabilities.

Further, where significant vulnerabilities and actionable process steps are found, the facility must implement mitigation strategies to reduce the potential for a successful contamination event. Finally, facilities must implement management components — food defense monitoring, verification, corrective actions, and recordkeeping — to ensure the mitigation strategies are properly implemented.

For these and other reasons, facilities subject to the rule should immediately begin developing plans for conducting vulnerability assessments, drafting model plans for facilities, and determining who should be trained and when. Two-plus years of the three-year grace period have passed, and the July 2019 implementation will be upon us soon. Begin preparations today.

A range of IA resources are available to help you in this journey, including GMA’s webinars and annual Science Forum workshops, as well as Food Safety Preventive Controls Alliance courses.