© Andrejs Pidjass | Thinkstock.com

By Lisa Lupo

One of the key differences between the Intentional Adulteration (IA) rule and the other rules of FSMA is that the others primarily address specific foods or hazards, FDA Deputy Commissioner for Food and Veterinary Medicine Dr. Stephen Ostroff said, but IA requires that food facilities address vulnerable processes — identifying key routes, developing a written food defense plan with mitigation strategies, and taking steps to ensure the plan is working.

“The drivers of vulnerabilities are not the food itself but the processes through which the food goes,” affirmed Robert Brackett, who is vice president and director of NCFST, Illinois Institute of Technology and a former director of FDA’s Center for Food Safety and Applied Nutrition. Brackett participated in a panel discussion on the rule with FDA policy analysts Colin Barthel and Ryan Newkirk, who was the lead writer of the rule. The critical element of the rule is its application to wide-scale, public-health harm, Brackett said. “All of its requirements are based on that.” The rule applies to food facilities that are required to register with FDA; it does not apply to farms or retail; and there are exemptions for very small businesses. (Read the full context of the rule on the Federal Register.)

Brackett went on to discuss some of the key components of the rule and changes from the proposed rule. One essential aspect is in the risk assessment. Differing from that of the food safety preventive controls, for each IA risk, assessment must be made of potential public health impact along with degree of physical access; that is, the ability of a perpetrator to contaminate the process/product and get away undeterred. Added to the proposed rule is the need to consider the possibility of an insider attack, the written outcome of the assessment and explanation of how a mitigation strategy minimizes the vulnerability, and the removal of a distinction between broad and focused strategies, because “the line is grey,” he said.

A major change from the proposed rule was that of compliance dates, with facilities, other than small and very small, having three years to come into compliance rather than one year. (Small facilities have four years, and very small have five.) The change was made because FDA understands that a lot of facilities have to start at the ground level, Brackett said. “We recognize the novelty of the rule; the novelty of the requirements.”

Discussing FDA inspections for compliance, Barthel said that FDA is developing a framework based on current thinking, but “we will adjust, modify and refine in the future as needed.” Food defense presents a very different risk, so those differences need to be taken into consideration, he said. But because the rule does not prescribe specific vulnerability assessment methods or mitigation strategies, “the inspectional staff will require specialized training to determine compliance.”

The industry has learned that there are more vulnerabilities associated with intentional adulteration than are covered by locks, keys, and IDs.
© stlee000 | Thinkstock.com

Recognizing that different processes and facilities have differing levels of risk, the current thinking is to have a tiered approach, with a “quick check” inspection for all covered facilities to ensure a plan is in place, he said. Tier 1 facilities, for which IA risk is determined to be highest, would have more in-depth inspection, with a full review and facility explanation of the plan and mitigation strategies, review of records, etc. This, Barthel acknowledged, will require specialized experts and training.

MELDING FOOD SAFETY AND FOOD DEFENSE. Another change that has been gradually evolving, but is solidified with FSMA’s IA rule is the perspective on the coalescence of food safety and food defense. The first real focus on food defense came after the September 11, 2001, attacks on America, at which time it was initially termed “food security” and focused primarily on physical security of the facility, e.g., gated parking lots, ID tags, visitor sign in and passes, etc.

Today, said FPDI Research Director John Larkin, “Food defense is not just about accessibility; it’s also about vulnerability. So if, in the past you had hired security, that’s a lot different than looking at a food processing line and where the vulnerabilities exist and how many could affect the food.”

As discussed at the conference by Food Defense LLC Principal David Park, the messaging in the past also was that food safety and food defense were two separate initiatives: “You can’t mix the two.” Since then, however, the industry has learned that there are more vulnerabilities associated with intentional adulteration of food than are covered by locks, keys, and IDs. Additionally, preventive controls developed for food safety can be just as beneficial for, or adapted to, food defense, thus changing the thinking to: “You can meld the two.”

Even the wording of FSMA brings the two together, stating, “For both food safety and food defense, the framework for preventing adulteration, whether it is intentional or unintentional, is the same: (1) An analysis is needed to identify the hazards for which measures should be taken to mitigate the hazard; (2) appropriate measures must be identified and implemented; and (3) management components are needed to ensure systematically that the measures are functioning as intended.”

“I think the biggest change is that, in the past, food defense was voluntary and it’s now a requirement. From a mindset standpoint, that requires a shift,” Larkin said. “And with that shift, you probably should seriously consider how to integrate it with food safety because there will be a lot of overlap.”

However, for intentional adulteration, Park explained, assessment of IA risk is based on assessment of vulnerabilities, threat, consequence, capability and intent:

  • Risk = Vulnerabilities (to assets) + Threat + Consequence;
  • Threat = Capability + Intent.

But by melding this with food safety, we develop total food protection, with risk assessment including all vulnerabilities, all threats, and all consequences so that:

  • Food Safety + Food Defense = Food Protection

The two are also somewhat co-dependent, Park said. “If food safety is not in control, chances are it is likely that food defense is not in control.” But a key difference for food defense, and one that has changed from the early days of “food security” is, he said, “We have to adapt to evolving threats even when we can’t control them.” Additionally, both because of their differences and because separate written plans are required by FSMA, food safety and food defense will have some different perspectives even where the methods are the same.

The author is Editor of QA magazine. She can be reached at llupo@gie.net.