Preventing Insider Adulteration

Are you protected from “legitimate access”?

It’s necessary to follow the requirements of FSMA’s Intentional Adulteration Rule (IA Rule) to comply with federal regulation, but having a Food Defense Plan with its vulnerability assessment and mitigation strategies goes well beyond compliance. “Intentional adulteration has the potential to cause significant public health consequences,” said Food Protection and Defense Institute (FPDI) Associate Director Jennifer van de Ligt. “At the end of the day, if anyone in the public believes their food has been intentionally adulterated, it has the potential to devastate that portion of the food industry and erode consumer confidence.” Even with the focus on always producing safe food, food safety incidents sometimes occur. So, she said, “Think of the negative impact if food was intentionally adulterated.”

There have been incidents: the 1984 Salmonella poisoning of salad bars at 10 Oregon restaurants which sickened more than 750 people; the former worker who pled guilty to poisoning salsa at a Kansas restaurant in 2011; the couple who plotted to poison supermarket food in the U.K. in 2018; and who can forget the 1982 Tylenol tampering that killed seven and led to copycat crimes?

While it is a positive sign that our food system has not had — or allowed — a major attack in recent years, it’s not so positive that the younger generations of workers don’t remember such incidents. When she brings up the Tylenol incident in training, van de Ligt said, there are many younger participants for whom this provides no frame of reference. While it is good that we have such a safe food system that we don’t have to remember such incidents, she said, it is concerning that we have leaders now that don’t remember the impact of what can happen. That is why it is critical to ensure all managers and workers understand the potential impact of intentional adulteration and the need for prevention. And, it is that for which the IA Rule and its required Food Defense Plan (FDP) is intended.

THE FDP BUILDER. In October, FDA made IA Rule compliance a little easier with its Food Defense Plan Builder, v. 2.0 (FDP Builder). The FDP Builder is a user-friendly tool designed to help food facilities develop a plan specific to their facility, as required by the rule. Harnessing FDA food defense tools, guidance, and resources into a single application, the tool guides the user through the required sections, so that, when completed, it makes up the content for the facility’s FDP. The desktop application resides on the user’s computer or selected location to which FDA has no access. FDA considers the FDP written documents as essential for minimizing or preventing intentional adulteration vulnerabilities of food. However, use of the tool is not required for compliance.

“I am really excited about it and think it will be a great benefit,” van de Ligt said. The updated FDP Builder aligns with the IA Rule and FDA guidance (unlike the initial version which FDA published in 2013) and provides a user-friendly method to develop a food defense plan. While the facility will have to develop the information to fill in the plan builder, the tool walks the user through, step by step.

One key aspect of the Food Defense Plan is the vulnerability assessment, which can be conducted through one of three methods: Key Activity Types (KAT), in which the KATs are defined as bulk liquid receiving and loading, liquid storage and handling, secondary ingredient handling, and mixing and similar activities; Three Fundamental Elements, which include potential public health impact, degree of physical access, and ability of an attacker to successfully contaminate the product; or the Hybrid Approach, in which the strengths of both the KAT and three elements method are implemented. Through the vulnerability assessment, significant vulnerabilities or actionable process steps are identified, for which mitigation strategies are to be developed and implemented.

When using the KAT approach, mitigation strategies are required for those points, steps, and procedures that meet the KAT definition. But some facilities have many processing steps involving KATs, so it can be advantageous to use the Hybrid Approach to help narrow the steps needing additional protection to those that are significantly vulnerable. Additionally, van de Ligt encourages facilities to look at low- and no-cost mitigation strategies, such as measures you are already implementing.

TOOLS AND RESOURCES. FDA also provides an online Food Defense Mitigation Strategies Database (FDMSD), which offers a range of strategies for consideration to minimize vulnerability to an intentional attack. The mitigation strategies in the database represent a variety of measures: some may not be appropriate for all situations; some should be used in conjunction with other strategies to be effective; and some may be able to stand alone. The data can be accessed through a search for specific points, steps, or procedures, for which associated strategies will be listed, or through a mitigation strategies keyword search. The FDMSD also may be accessed through the FDP Builder to make it easy to include those strategies.

FPDI also has tools and resources that can assist facilities in their food defense efforts. One of these is the Food Adulteration Incidents Registry (FAIR), a compilation of historical and current events involving economically motivated adulteration (including food fraud), which must be controlled as a hazard for compliance with the Preventive Controls Rule, and intentional adulteration (including both terrorism and sabotage) on a global scale for IA Rule compliance. The registry can help facilities be informed and have knowledge about assessing the risks that could impact their foods or facility, van de Ligt said. The incidents are publicly sourced, then screened to enable compilation of related incidents as a single issue. The dashboard includes a variety of search capabilities, incident summaries, interactive graphs, maps, and references.

FPDI’s Focused Integration of Data for Early Signals (FIDES) and Criticality Spatial Analysis (CRISTAL) enable facilities to look into the future, van de Ligt said. Both are web applications: FIDES is designed to fuse multiple streams of data to predict, monitor, and identify food system disruptions and adverse food events; CRISTAL allows users to document, visualize, and compare supply chains in support of risk and criticality assessments, mitigation efforts, and event response. 

The user sets up alerts for products or geographical areas that could impact their operation, enabling them to be more proactive in managing the supply chain. For example, if a company has set alerts for an ingredient sourced from Argentina, they would be alerted through FIDES of the occurrence of a freeze and know they may have to source the ingredient elsewhere. Through CRISTAL’s geo-spatial application, a company can map its supply chain and understand vulnerable points or issues in sourcing and transportation.

Utilizing available tools and resources from public and private organizations can be of significant value in developing and managing the supply chain and related food defense initiatives.

INSPECTIONS & AUDITS. FDA has stated that it will begin routine IA Rule inspections in March 2020 at which time its focus will be to “educate while we regulate.” Thus, initial inspections will consist of food defense plan “quick checks,” conducted at the same time as scheduled food safety inspections, to verify that the facility has satisfied the basic requirements of the IA rule. During the quick check, FDA investigators will ask questions such as, “Do you have a food defense plan?” The inspectors also may provide some educational materials.  

On the other hand, van de Ligt is hearing from facilities that the food defense specifications of third-party auditors don’t always align with the food defense plan requirements of the IA Rule. There can be a disconnect when an audit focuses on external protection, such as visitor access and perimeter protection, and does not yet include the internal requirements of the FDP. “It seems to be creating uncertainty on how to assure that requirements are being met for both, since customers are relying on the third-party audits,” she said. It also means that a facility meeting third-party audit standards may not be complying with the IA Rule, and vice versa. In the near future, van de Ligt said, the third-party audits will likely begin to include the concepts of the IA rule.

Although the requirements of the rule and its FDP can seem overwhelming at first, van de Ligt said, “There are ways to break it down into manageable chunks.” In beginning to develop your FDP, it can be helpful to look at the Food Safety Plan (FSP) you developed for the Preventive Controls rules, she said. The FSP will have process flow charts and descriptions that can be used in the FDP. You also will be able to exclude some things because of the facility-based, food-access focus of the IA Rule.

While considering the various aspects of your food defense, always stay mindful of the potential of an insider attack, van de Ligt said. “In the new food defense realm, and as required by the IA Rule, you have to consider protecting your facility from people who have legitimate access, that is, the insider attacker. Historical incidents highlight the risk posed by those with legitimate access.”

The author is Editor of QA magazine. She can be reached at llupo@gie.net.

November December 2019