Tuesday, June 7, 2016

FSMA Update: Mitigation Strategies to Protect Food against Intentional Adulteration

Written by Errin McCaulley - Research Assistant

On May 27, 2016, The Food and Drug Administration (FDA) released its last final rule under the Food Safety Modernization Act (FSMA) titled Mitigation Strategies to Protect Food against Intentional Adulteration (81 Fed. Reg. 34,165). This final rule mandates compliance requirements that are similar to a  Hazard Analysis and Critical Control Point (HACCP) program, albeit more flexible. Whereas traditional HACCP programs focus on the analysis of hazards in food production, such as biological and chemical hazards, and the identification of critical control points (CCPs) to mitigate these hazards, the final rule on intentional adulteration is concerned with vulnerabilities which, if exploited, could result in the deliberate tampering of food products.

Because this final rule deals with potential acts, such as terrorism, and not identified or present hazards, as in HACCP, FDA added flexibility throughout this final rule to ease the burden of compliance. This final rule is intended to prevent the intentional introduction of harmful agents into the food supply during the manufacturing/processing, packing, or holding of human food. FDA requires, absent certain exemptions, that all facilities that must register under 21 U.S.C. § 350d (§ 415 FD&C Act) are required to implement this final rule. FDA did, however, provide for a handful of exemptions (see 81 Fed. Reg. 34,220-21) which will be codified as 21 C.F.R. § 121.5.

The requirements of FSMA’s last rule are not as robust as either the Preventive Controls for Human Food (PCHF) or Preventive Controls for Animal Food (PCAF) final rules which preceded it; rather, FDA responded to numerous comments and added flexibility throughout this final rule.

First, covered facilities must create a “food defense plan” as drafted by a “qualified individual” (21 C.F.R. § 121.126). The food defense plan must contain the written vulnerability assessment, the written procedures for (1) “food defense monitoring,” (2) “food defense corrective actions,” and (3) “food defense verification” (Definitions of quoted terms can be found at 34,219 of this final rule).

Second, a qualified individual must carry out a vulnerability assessment for each type of food manufactured, processed, packed, or, in the event of liquid storage tanks, held at the facility and identify “significant vulnerabilities” at each “actionable process step” (21 C.F.R. § 121.130). A vulnerability assessment must consider (1) the potential impact a contamination of the assessed food could have on the public health, (2) the physical accessibility of the food product being assessed, and (3) a determination of an attacker’s ability to carry out a contamination of the assessed food product. FDA, in response to several comments, stressed that the focus of a vulnerability assessment is upon the potential inside attacker, such as an employee, rather than an attacker from outside the facility.

Third, a qualified individual must craft mitigation strategies aimed at minimizing the vulnerabilities identified during the assessment and ensure their implementation (21 C.F.R. § 121.135). This provision also requires a written explanation as to how the mitigation strategy sufficiently minimizes the vulnerability. In response to several comments, FDA clarified that, while perhaps not fulfilling all requirements for mitigation strategies, facilities that are already parties to a security program, such as Customs-Trade Partnership Against Terrorism (C-TPAT) or Chemical Facility Anti-Terrorism Standards (CFATS), may be able to use certain procedures from these programs as mitigation strategies.

Fourth, along with the creation of mitigation strategies, facilities are also required to establish and implement the “management components” for mitigation strategies which include written procedures for (a) “food defense monitoring” (21 C.F.R. § 121.140), (b) “food defense corrective actions” (21 C.F.R. §121.145), and (c) “food defense verification” (21 C.F.R. § 121.150). In response to concerns raised by several comments regarding food defense verification, FDA modified the proposed rule’s language to emphasize that the purpose of verification in this final rule is not to verify the effectiveness of the mitigation strategies, but rather to ensure that the procedures a facility puts in place, such as food defense monitoring, are being carried out properly.

The last major requirement of this final rule concerns the reanalysis of the food defense plan (21 C.F.R. § 121.157). A qualified individual must carry out a reanalysis of the food defense plan as a whole at least once every three years. A reanalysis of the food defense plan in part is required in the event a mitigation strategy is implemented improperly, a change is made to the facility, such as construction, and a new vulnerability could reasonably arise. Further events which would require either a complete or partial reanalysis of the food defense plan are listed in § 121.157.

The final rules under FSMA, including this most recent one, require record retention for a period of no less than two years. Under this final rule, except for the food defense plan, all records may be kept off-site from the facility, as long as their retrieval is possible within twenty-four hours, and electronic medium is permitted. Finally, after reviewing numerous comments regarding records, FDA is allowing the use of existing records, to avoid the need for duplication, and facilities that already take part in a security program, such as C-TPAT or CFATS, may use applicable records, either combined or separate, to form the records required under this final rule.

The effective date of this rule is July 26, 2016. The compliance dates are as follows: facilities, excluding “small” (<500 full-time equivalent employees) and “very small” (<$10,000,000 in annual sales of human food for last three years, including market value of human food manufactured, processed, packed, or held without sale), have three years from the effective date to comply (July 26, 2019); small businesses have four years from the effective date to comply (July 26, 2020); and very small businesses are exempt from the requirements of this rule, although FDA may, upon request, require documentation from a very small business which show the facility meets the requirements of the exemption.

No comments:

Post a Comment