The FDA on May 26 released the final of the seven rules that comprise the FDA Food Safety Modernization Act (FSMA), this last piece aimed at preventing intentional adulteration from acts intended to cause wide-scale harm to public health. Essentially, it charges larger companies, both foreign and domestic, with coming up with a food defense plan.
Rather than targeting specific foods or hazards, the rule requires mitigation (risk-reducing) strategies for processes in certain registered food facilities. Economically motivated adulteration and that caused by disgruntled employees was addressed in the final preventive controls rules for human and animal foods.
The proposed rule was issued in December 2013, but was open to comment for months afterward. The agency since has refined it a bit, the changes in the final rule largely designed to provide either more information, where stakeholders requested it, or "greater flexibility for food facilities in determining how they will assess their facilities, implement mitigation strategies, and ensure that the mitigation strategies are working as intended."
"In developing the rule, FDA interacted with the intelligence community and considered vulnerability assessments conducted in collaboration with the food industry."
With few exceptions, this rule applies to both domestic and foreign companies that are required to register with the FDA as food facilities under the Federal Food, Drug, and Cosmetic (FD&C) Act. This rule is designed to primarily cover large companies whose products reach many people. Most small companies are exempt; so are farms. There are 3,400 covered firms that operate 9,800 food facilities.
In calling for food defense plans, the FDA has taken an approach similar to its Hazard Analysis Critical Control Point (HACCP) system, an approach adopted by industry for the identification, evaluation and control of food safety hazards. A written plan must identify vulnerabilities and actionable process steps, mitigation strategies and procedures for food defense monitoring, corrective actions and verification. A reanalysis is required every three years or when certain criteria are met, including mitigation strategies that are determined to be improperly implemented.
A vulnerability assessment is a key step in any plan's development. It should include:
- The severity and scale of the potential impact on public health.
- The degree of physical access to the product
- The ability to successfully contaminate the product.
- Mitigation strategies must be tailored to the facility and its procedures.
- Monitoring and verification should ensure appropriate decisions about corrective actions are being made.
- Training and recordkeeping are key components.
As for compliance dates, large businesses would have to comply three years after the publication of the final rule. Small businesses—a business employing fewer than 500 persons--would have to comply four years after the publication of the final rule. Some "very small businesses" would have five years to comply, while others may be exempt if they file appropriate documkentatio with FDA.
FDA has established an Intentional Adulteration Subcommittee with the Food Safety Preventive Controls Alliance to develop food defense training resources for industry and regulators alike. And the agency intends to publish guidance documents to provide information relevant to the provisions of the final rule, such as conducting a vulnerability assessment, identifying and implementing mitigation strategies, and writing procedures for food defense monitoring, corrective actions and verification.
In addition, FDA has a number of tools and resources online, including a Mitigation Strategies Database and FSMA Food Safety Technical Assistance Network.