As part of the seven major rules under the Food Safety Modernization Act (FSMA), FDA-registered food facilities averaging ten million or more USD in annual sales must have a Food Defense Plan in place to prevent Intentional Adulteration (IA) of their products. The deadline for large food facilities to have their Food Defense Plans passed on July 26, 2019. In February 2020, FDA released the third and final draft guidance for the rule and announced that inspections for Food Defense Plans will begin in March 2020.
The Intentional Adulteration rule is designed to prevent hazards being intentionally introduced to foods with the intention to cause wide-spread harm to public health as an act of terrorism to the food supply, for economic or political gain, to damage a company’s reputation (disgruntled employee or competitor). A Food Defense Plan identifies vulnerabilities at each point, step, and process in a facility and identifies mitigation strategies against those vulnerabilities. While sharing some similarities with the components in the FSMA-mandated HARPC Food Safety Plan, the Food Defense Plan approach will consider the potential for an attacker to gain access to a vulnerable step and purposefully contaminate the food.
FDA published the second update to the guidance last year, outlining several strategies facilities can use to assist in creating their Food Defense plans. The third and final installment to the guidance covers the management components of the rule, such as corrective actions, reanalysis, and verifications and contains appendices relating to common process steps that may require mitigation and potential solutions to those vulnerabilities. Below, we will give a brief overview of the new guidance.
The first section laid out in the new guidance is corrective actions. Corrective actions are intended to amend a mitigation strategy when it did not operate as intended. A corrective action should immediately identify and correct a problem that has occurred. For example, if employees continuously forget to lock the area where an ingredient storage tank is located, a corrective action could include retraining employees on proper locking procedures or replacing a broken lock. FDA acknowledges that the exact actions will depend on the facility and the product being produced.
All corrective actions must be written and should act as a “how-to” guide that describes how the facility will address the situation when a mitigation strategy is not properly implemented. Additionally, all corrective actions must be documented and recorded at the time the activity is conducted. These documents should be as detailed as necessary to explain the steps taken to correct the issue.
The second section of the guidance discusses verification. Verification is the application of methods, procedures, and other evaluations to determine whether a mitigation strategy is operating as intended according to the Food Defense Plan. Verification activities must be documented and cover the following:
- Verification that food defense monitoring is being conducted
- Verification that appropriate decisions about corrective actions are being made
- Verification that mitigation strategies are properly implemented and working as intended
- Verification of reanalysis
The exact method of verification will depend on the facility’s operations. FDA grants flexibility in this regard and acknowledges that for most facilities, verification will involve reviewing records. Verification activities for Food Defense Plans differ from Preventive Controls rules in that, for the most part, Food Defense Plan verifications will involve restricting access to certain areas of production, rather than the product or environment testing that Preventive Controls require. One example of a verification action could include a supervisor reviewing all delivery records to ensure that tamper evident seals were checked and, if broken, the shipment was rejected.
Reanalysis is intended to determine whether your Food Defense Plan is up to date and maintain that all mitigation strategies and managing components (corrective actions, verification, monitoring) remain working as intended. You must conduct reanalysis of your Food Defense Plan every three years. You must reanalyze your plan when:
- A significant change made in the activities at your facility creates a new vulnerability
- You become aware of new information about potential vulnerabilities at your facility
- You find that a mitigation strategy or combination of strategies in not being properly implemented
- New scientific data or a terrorism risk assessment reveal new credible threats
If a reanalysis discovers a new vulnerability brought on by changes, then you must revise your Food Defense Plan to account for this. Changes only need to be made to the parts of the plan that the new information relates to, not necessarily the entire plan. For example, if your facility receives new production equipment, your qualified individual would determine what actionable process steps the new equipment could introduce and implement new mitigation strategies to that part of the Food Defense Plan.
Reanalysis activities can include confirming the accuracy of product descriptions, ensuring changes at a facility are properly assessed, or ensuring records are completed and accurate. You must document reanalysis activities even if no changes need to be made to the Food Defense Plan.
The final major section of the guidance details record keeping. FDA requires numerous records be kept relating to the IA rule, including:
- Food defense plan, including vulnerability assessment and mitigation strategies
- Documentation of monitoring procedures
- Documentation of corrective actions taken
- Documentation of verification activities
- Documentation of reanalysis
- Records documenting required training
There is flexibility in how these records are kept, such as in hard or electronic copy. The records must be accurate, legible, and indelible. Records must be created concurrently with the performance of an activity. The information must be as detailed as necessary to ensure accuracy. All records must be dated and timed and then signed by the individual performing the activity. The owner, operator, or agent in charge of the facility must sign and date the Food Defense Plan upon completion or after any modification. Records must be retained for at least two years after they are prepared.
Compliance Deadlines and Inspections
The deadline for covered facilities with more than 500 full-time equivalent employees to comply with the IA rule passed on July, 26 2019. These facilities are expected to already have compliant Food Defense Plans. Businesses with fewer than 500 full-time equivalent employees must comply by July 26, 2020, leaving only a few months.
FDA has stated their intention to begin inspections for Food Defense Plans in March 2020. This continues the trend of FDA increasing enforcement efforts in regards to FSMA rules. FDA expects applicable facilities to be fully compliant in all aspects of the IA rule. Leaving out even one component could result in a citation. These citations can lead to costly detentions and delays.
Very small businesses (averaged less than $10 million in global food sales over the previous three calendar years) are exempt from most of the requirements of the IA rule, including the creation of a Food Defense Plan. These businesses must provide records to FDA proving their very small business status by July 26, 2021. There are other exemptions such as facilities that only hold food (except food held in liquid storage tanks), animal food manufacturers and processors, farms, and certain alcohol producers. You can view the full list of exemptions here.
Registrar Corp is a private company that assists businesses in complying with FDA regulations. Registrar Corp’s Food Safety Specialists are Qualified Individuals who can develop or review a Food Defense Plan for compliance. For additional questions, please contact us at +1-757-224-0177 or chat with a Regulatory Advisor 24-hours a day at www.registrarcorp.com/livehelp.