© Beth Walrond

Of FSMA’s seven pillars, the Mitigation Strategies to Protect Food Against Intentional Adulteration Rule (known as the food defense or IA Rule) was one of the last to be fully implemented.

While the rule is the first of its kind, it does build on the Bioterrorism Act of 2002, resulting from the terrorist attacks of Sept. 11, 2001. That rule set up basic food defense protocols for production facilities such as fencing, employee and visitor ID checks, locked doors or security guards to defend the food supply from someone looking to do mass harm.

“The intentional adulteration rule goes one step beyond that,” said Christopher Snabes, director of food safety at The Acheson Group. “It assumes there’s already somebody on the inside. It could be a trusted employee. It could be a contractor who had legitimate access.”

So, how do you prevent someone you’ve brought in from getting to the point where they can potentially get to your actionable process steps (APS)?

“This seems like a big task, but it’s not that hard,” said Snabes.

The IA Rule lays out doing a vulnerability assessment to look at each point, step or procedure in a manufacturing facility and see if they qualify as one of four key activity types (KAT): bulk liquid receiving and unloading, liquid storage and handling, secondary ingredient handling and mixing and similar activities. Once done, mitigation strategies are set up for each APS.

“They’re the most vulnerable [steps], and they’re the most common regardless of the type of food being made,” said Snabes. “It could be any commodity under the sun. Of course, the FSMA rule only covers FDA foods.”

Those four KATs were the result of years of research done by FDA, FSPCA, academia and the food industry itself to find the most common activities in most food processing plants that might be vulnerable to tampering.

“They’re real simple,” said Snabes. “You look to see if you have any of those four actions at each point, step and procedure in your facility. You could do a vulnerability assessment and find out: Guess what? I don’t have any KATs. So, you just keep that written assessment as proof that you don’t need a food defense plan.”

Snabes said there are actually a few different ways to do a vulnerability assessment. You can look at each step in your facility and ask yourself: Is it a KAT? Some steps qualify under more than one KAT, leading to more KATs in a single step. A potential drawback is if you take each KAT individually, you might determine you have 45 of them in a facility.

“That means now I’ve got to implement 45 mitigation strategies,” said Snabes. “Which could [take] a lot of time and personnel. You might have to invest in new equipment, or you might have to invest in relocating materials and machinery. And that can be kind of expensive.”

Instead, Snabes said the “three-element approach” to a vulnerability assessment is a way to look at each step and assign it a score (1, 3, 5, 8 or 10) based on three parts of the step: evaluating potential public health impact, degree of physical access and ability to successfully contaminate. Then, using a sum total of scores, you can determine whether the step needs a mitigation strategy. For example, if an attacker wanted to contaminate 2,000 16-ounce boxes of cereal where the serving size is one ounce, that’s potentially 32,000 servings that could cause injury or death. Anything more than 10,001 injured people is a 10 score. If that person also has easy access (10) and the adulterant needed for that scale of harm is a couple hundred grams (10), the step would get a score of 30, requiring mitigation strategies.

Snabes said this allows you to be more specific and identify KATs that might not need a mitigation strategy if they rank low.

“If you apply the three-element approach [to the example with 45 KATs], you might cut that number down to five APSs. You just freed up a lot of time, personnel and money.”

“[The Intentional Adulteration Rule] assumes there’s already somebody on the inside.” Christopher Snabes, Director of Food Safety, The Acheson Group

Another approach combines the two. First, look at each step and determine if it’s a KAT. Then apply the scoring system just to those. There are also courses manufacturers and suppliers can take to be trained on identifying KATs via all three methods.

Once your APSs are identified, Snabes said, it’s just a matter of mitigating the vulnerabilities. Some techniques can be as simple as implementing different colored smocks and hats to easily identify if someone is somewhere they shouldn’t be; camera systems; and a buddy system, where two people work together on one step.

And, as with everything, Snabes said, it’s important to have a written food defense plan. It doesn’t need to be as complex as a HACCP or preventive controls plan, there are tools offered to help writing them, including one from FDA itself.

While Snabes said FDA hasn’t done many strictly food defense inspections, it’s likely to come up during any visit.

“They’re going to spend 10 minutes and ask you a couple of questions about food defense,” he said. “Some of them could be: Do you have a written food defense plan? Did you do a vulnerability assessment? Did you identify any actual process steps? Have you had a food defense incident?”

Snabes also recommended checking with any international suppliers, as they must have a food defense plan. He also said it’s good to include a person from your company’s human resources department on the food defense team, as they’d have inside info on individuals who may or may not be trustworthy.

“The thing about this rule is we assume a couple of things,” said Snabes. “We assume the inside attacker knows how your food is being produced. We assume that they can bring in sufficient quantity of substance to cause mass harm. And you assume they can get in.”