From The Editor | June 8, 2017

FSMA's Food Defense Rule: Answers To Your Questions

Sam Lewis

By Sam Lewis, associate editor
Follow Me On Twitter @SamIAmOnFood

FSMA's Food Defense Rule: Answers To Your Questions

Be sure to view the entire web chat or check out Part One of this series

On Tuesday, May 23, the Grocery Manufacturers Association (GMA) and the National Milk Producers Federation (NMPF) partnered with Food Online for a live web chat, Food For Thought: FSMA’s Food Defense Rule. In this 45-minute live Q&A, Warren Stone, senior director of science policy, compliance, and inspection at GMA, and Clay Detlefsen, VP of regulatory affairs and counsel at NMPF joined Food Online’s editor, Sam Lewis, to answer the food industry’s questions on the topic.

Sam: Warren, what are some of the measurements or the verification activities for food defense? How do you know your plan and your measures are effective?

Warren: That's a very good question and I'm glad whoever asked that, did. Verification in food defense is much, much different than verification in food safety activities. Those of you who are acquainted in the food safety arena know that verification usually is mentioned in the same sentence with its half-brother, validation. The food defense rule does not have any measures for validation. For example, there are those out there that can perform calculations to determine that a pasteurizer process is, in fact, eliminating a certain logarithmic number of a certain pathogenic bacteria. There is nothing like that level of scientific detail required by the food defense rule. And food defense in general operates with more the behavioral sciences than the physical sciences.

If we go back to the definition of verification: are you doing what you said you're doing? Let's just assume you've identified two mitigation strategies and two actionable process steps. You've decided that process step number one needs to be monitored on a weekly basis, and actionable process step number two needs to be monitored on a bi-weekly basis. If you go back over your records, did you, in fact, do that at the frequency you determined?

Now remember, I mentioned that you have to have correction actions, too. What do you do if things aren't going the way you wanted them to? If you find out that the mitigation strategy you implemented on one of those lines is, in fact, not working for whatever reason, what do you do about it? The regulation has a lot of flexibility in it regarding that.

The terminology is that that corrective action needs to be as appropriate to the nature of the situation. That's not the exact wording, but you get the idea. Did you, in fact, when you needed a corrective action, employ the one that is part of your food defense plan? That would be another step in verification.

 I didn't go into them for the sake of time, but there are four other items mentioned in the rule that could require reanalysis. If one of those has, in fact, occurred, did you perform reanalysis? Again, you see all these questions seem to come back and answer: are you doing what you said you're doing? Are you monitoring at the frequency you said you were? If things aren't as you wish, are you employing the corrective actions that are in your plan? And did you reanalyze the plan when, in fact, it was supposed to occur?

I would probably add records review as a verification activity so that you're reviewing these records as they're being generated, or shortly thereafter, and not waiting for the FDA to come in the door six months from now and find out you haven't looked at those records.

Anyway, those would all be examples of verification. Are you doing what you said you're doing? If I could reiterate, there's no requirement in the rule for validation in the scientific food safety sense of the word.

Clay Clay: Warren's spot on. In a lot of meetings, the FDA has talked about how they really intend to be flexible in this area. One of the things that they frequently throw out, let's say your food defense plan has a mitigation strategy of keeping a certain door in the facility locked, and that during your monitoring of the various mitigation strategies, you notice that that door is being left unlocked. Well, a correction would be to lock the door. But that doesn't really solve the problem; it solves that particular instance of the problem. If you keep finding that door unlocked, then you're going to have to take a corrective action and make sure that that door doesn't keep getting unlocked.

Ultimately, with more monitoring, if whatever the corrective action you have applied to that shows that that door is no longer being unlocked, that is, in essence, your verification. The FDA really does want to try and keep things as simple and basic as just that. You can apply that into many other different circumstances.

Sam: As Clay mentioned, there are vulnerabilities. Clay, I'll throw this one your way to sort of piggyback on your response. What are the major vulnerabilities that are being identified? What are the threats that food makers should be paying attention to regarding intentional adulteration?

Clay: It's the incorporation of a deleterious substance into food. That deleterious substance can be any number of things, things that we commonly would view as poisons. It could be toxins derived from plants. It could be a variety of chemicals. It could even be radiological isotopes, which technically are chemicals as well.

All those sorts of things need to be considered, and each and every one is going to have different parameters. Some things may be sensitive to heat. Botulism toxin's a great one. You can actually wipe out botulism toxin through things like pasteurization, cooking, etc.

If the culprit is using something like that and you have, in essence, a thermal kill step in your process, maybe that's something you don't have to worry about. But there are many, many things that are highly, highly resistant to heat. There's just any number of other parameters and lots of bad things out there — deleterious substances, I believe, in the chemical arena. Some in Homeland Security have identified well over a hundred different chemicals that could be used to poison food. We all know that there are ample biologicals out there, as well. It's a very vast range of opportunities for the bad guys, and that means that we have to be very diligent within our facilities.

Warren Warren: That's a very good summary. It's almost as if you're concerned about a chemical substance being added to your process, you need to take it at exactly that.

As Clay mentioned, even in the example he put forth, there are lots of thermally-resistant deleterious substances out there, too. If you try and write vulnerability assessment based on a given contaminant, you're going to get tied up in your bed sheets quite quickly. Try and keep it simple. When you see the need for more detail, go ahead and give it to that, but you might not need that same detail in your entire plan. You don't need a separate corrective action for every toxin. You need to know: what am I going to do if the wheels fall off the bus here?

Clay: I completely agree with that. If you're going to do a vulnerability assessment on each and every potential agent, yeah, you are definitely going to be tied up in knots. Grouping or doing it in a general sense is clearly the way to go. That's what the FDA has and will be advocating as we move forward.

Sam: Thank you guys. We had a question come in regarding the Food Defense Plan Builder. I'll read it verbatim. “From my understanding, the Food Defense Plan Builder is based on the proposed rule, and therefore, using it for the final rule will not ensure the company is compliant with the final rule. Do you still recommend using Version One until the second version is available? And is there anything specific you need to customize to ensure your compliance?”

Clay: I think using version one of the Food Defense Plan Builder Tool is still a good idea if it is, in fact, available. It's kind of like, when you're learning to ride a bike; many people start out with training wheels. That will give you a fantastic opportunity to understand how everything comes together and how the tool will ultimately work.

Yes, the FDA did make that software tool based on the proposed rule — or at least it was done early on and had nothing to do with the final rule, which definitely deviated considerably from what was proposed. However, the FDA is working on a second version of that tool. That will hopefully address the vast majority of those issues. I view version one of the tool as an excellent training tool, something that will really get you familiar with how everything interacts.

Why is it a good tool? We did a lot of vulnerability assessments with the FDA, Homeland Security, USDA, and the FBI. And by “we,” I mean food industry people. It was a collaborative, government-industry process. We went and walked through using, at that time, the CARVER+Shock Vulnerability Assessment model, and we would identify: this is an actionable process step, and we need to do certain mitigation strategies. We'd sit there in the room, industry, in particular, would brainstorm. “Well, if that's the piece of equipment of concern, then what we should probably do is either this, this, or that.” The FDA and USDA went to great efforts to compile all of those.

In essence, the software tool taps into the collective learnings of the government and industry professionals that went through all those vulnerability assessments. You'll see some great stuff in there right now, especially with respect to mitigation strategies associated with particular pieces of equipment. In and of itself, I think that will give you great insight into some of the things you might want to pursue.

Warren: Food defense in the food industry is still an embryonic science. We've seen from a lot of our chats with industry people and companies, both big and small, that some companies have a lot of expertise in this, and there are those that have very, very limited expertise.

Food safety, we've been at this for over a hundred years, and there are eons and eons and eons of data, successes and failures, that we can draw upon. But, food defense is not like that. If you have not had any training in food defense, I agree entirely with Clay. The version one is a great way to get in there, get started. I like his example, his analogy of training wheels. Yeah, it gets you in there. It gets you looking at your factory environment. It gets you thinking in a food defense manner. I would anticipate that the changes you're going to have to make when version two comes out, which is supposed to generate an outcome that is more compliant with the final goal, that I would anticipate those changes are going to be minimal.

Sam: Thank you both. Regarding building food defense plans, we had a question come in that says, “Our facility has a food defense procedure that meets BRC requirements. Would this also meet FSMA's Food Defense rule in general?" I know there are some gap assessments that need to be done between some GSFI benchmarks and FSMA, but, Clay, could you touch on that?

Clay: I'm not as familiar with the BRC system; I am more familiar with the SQF Food Defense protocols. When the final rule came out, I took a copy of the final rule, and I went to basically the nearest dairy processing plant to my office and sat down with plant personnel and looked at what the rule was going to require and what the company was doing. I would say 90 percent to 95 percent of what the rule appeared to be requiring was being addressed by SQF. I suspect the same would apply to BRC and many of these other schemes that are out there. I think that will take you a long way there. You're probably not going to be 100 percent compliant, but I have to think that the SQFs, the BRCs, the GFSIs, and probably a number of other third parties out there are making tweaks in changes to their systems to basically take you across the finish line.

Warren: I think Clay is correct, but you're going to find if you are compliant with those that you're pretty close to compliance with the Intentional Adulteration (IA) Rule. But, the FDA did say right in the preamble that you have to be compliant with the IA Rule.

If you are inspected in 2019, the answer the FDA does not want to hear is, "Well, we're BRC certified." You're going to have to show them your food defense plan, and it's going to have to include the elements I talked about earlier. What Clay did, I think is a very good approach. Sit down and go through the rule. Go through what you're doing and see if you're doing it because there is no free pass. There is no “get-out-of-jail-free card.” Chances are, if you're under BRC certification, you've already done a lot of the homework, and you probably won't have to do a whole lot more to get into compliance with the IA Rule. But, you have to be in compliance with the IA Rule. Being BRC compliant isn't going to cut you any leeway with the FDA.