FDA Releases First in Series of Draft Guidances Regarding Mitigation Strategies to Protect Against Intentional Adulteration

Kelley Drye Client Advisory

On June 20, 2018, the Food and Drug Administration (“FDA”) released draft guidance for companies required to comply with the FDA’s final rule, “Mitigation Strategies to Protect Food Against Intentional Adulteration” (“IA Rule”), which was promulgated in 2016 pursuant to the Food Safety Modernization Act (“FSMA”) amendments to the Federal Food, Drug & Cosmetic Act.[1]  FSMA directs FDA to promulgate regulations to protect food from intentional acts of adulteration where there is an intent to cause wide-scale public health harm. The IA Rule specifies the requirements for any “owner, operator or agent in charge of a domestic or foreign food facility that manufactures/processes, packs, or holds food for consumption in the United States,” who is required to register with FDA as a food facility, to prevent intentional adulteration of food, subject to certain exemptions.[2]

The guidance provides facilities subject to the IA Rule with suggestions for developing and implementing food defense plans (“FDPs”), vulnerability assessments (“VAs”), and certain components of required mitigation strategies.  FDA has indicated that the guidance is meant to be flexible and programs protecting against intentional adulteration can and should be tailored to the needs and requirements of each food facility.

This is the first of three guidance documents FDA plans to release regarding the IA Rule.  FDA guidance documents are not legally enforceable; however, they do provide recommendations for best practices.  FDA is accepting comments regarding this guidance through December 17, 2018.

I.          Food Defense Plans

            A.        What is a Food Defense Plan?

An FDP is “a set of written documents that is based upon food defense principles,” which includes the following:

  • Vulnerability assessment (“VA”): an assessment that identifies vulnerabilities in a facility’s food manufacturing processes and provides actionable process steps, which are places in the process where a facility can implement mitigation strategies to minimize or prevent the vulnerability;[3]
  • Mitigation strategies: strategies that significantly minimize or prevent significant vulnerabilities at actionable process steps;[4]
  • Food defense monitoring procedures: procedures, including the frequency with which they are to be performed, for monitoring mitigation strategies to assess whether mitigation strategies are operating as intended;[5]
  • Food defense corrective action procedures: responsive actions taken if the mitigation strategies are improperly implemented based on the nature of the actionable process step and the mitigation strategy;[6] and
  • Food defense verification procedures: verification activities to ensure that monitoring is being conducted and appropriate decisions about corrective actions are being made.[7]

            B.        Who Develops a Food Defense Plan?

Individuals who develop FDPs must meet certain requirements related to education, training and experience.[8]  These requirements apply to anyone who does any of the following:

  • Prepares an FDP;
  • Conducts a VA;
  • Identifies and explains mitigation strategies; and
  • Performs the reanalysis.[9]

Individuals who do any of the above are required to have (1) education, training, or experience, or a combination of the three, to properly perform the activities, and (2) successful completion of a training program that is at least as adequate as an FDA-recognized curriculum.  Alternatively, an individual may rely on previous experience if that experience is equivalent to the knowledge one would receive from an FDA-recognized curriculum.  The individual enlisted to perform the specified activities does not have to be an employee of the covered facility, but FDA does recommend having a qualified individual onsite to provide expertise and insight regarding food defense.[10]

While it may be appropriate to have a single individual responsible for an FDP at smaller facilities, other facilities will require a team to help develop and administer the FDP.  The guidance recommends that food defense team members be knowledgeable about general food defense principles and concepts, and that the team include members who are directly involved with food processes and daily operations at the facility.

            C.        Formatting and Analyzing the Food Defense Plan

The FDP does not have to take a specific format.  The guidance indicates that whatever format works best for the specific facility is sufficient to the extent that it meets the facility’s needs and the IA Rule requirements.  The FDP also does not have to be created from scratch.  If a facility has existing records that meet the IA Rule requirements, those would be sufficient.

The IA Rule requires a facility to reanalyze its FDP every three years.[11]  In addition, the FDP must be reanalyzed anytime there is a significant change to the facility’s activities that could expose new vulnerabilities, whenever mitigation strategies prove to be inefficient, or whenever the FDA specifically requires reanalysis.  The IA Rule also mandates specific retention policies for current and discontinued FDPs.[12]

II.        Vulnerability Assessments

            A.        What is a Vulnerability Assessment?

Vulnerability Assessments (“VAs”) are evaluations of a facility’s processes and procedures to identify mitigation strategies to minimize or prevent points where a process might be vulnerable to exploitation that could lead to wide-scale public health harm.  The guidance indicates that this assessment can be flexible based on the needs of the facility, as long as it is compliant with the IA Rule.

VAs are required for each type of food that is manufactured, processed, packed, or held at a facility and should analyze the points, steps, and procedures that are involved in such activities.[13]  The evaluation of these points, steps, and procedures must consider the following:

  • the potential public health impact if a contaminant were added at that point in the process;
  • the degree of physical access to the product; and
  • the ability of an attacker to successfully contaminate the product.[14]

In conducting a VA, the guidance suggests that a facility take the following steps:

  1. Assemble a food defense team of individuals with a full understanding of the day-to-day operations of the facility.
  2. Describe the product under evaluation.
  3. Develop a process flow diagram that depicts the points, steps, and procedures associated with food processing.
  4. Describe the process steps at each point in the process flow diagram.

            B.        Using Key Activity Types to Conduct a Vulnerability Assessment

The FDA also suggests using the Key Activity Types (“KATs”) method to identify significant vulnerabilities and actionable process steps.  The FDA developed the KAT method after analyzing vulnerability assessments completed in different food industries. There are four KATs:

  • Bulk liquid receiving and loading: liquid receiving at the facility from an inbound conveyance or loading into an outbound conveyance;
  • Liquid storage and handling: storage or holding of liquids in storage tanks or reusable containers in the facility that are not sealed with tamper-evident packaging;
  • Secondary ingredient handling: any point in the processes where additional ingredients are added to the product stream after being manipulated by human contact; and
  • Mixing and similar activities: any point in the process that involves mixing, grinding, homogenizing, or coating a food product.

Using the KATs in conducting a VA means that the facility identifies these key points in the food manufacturing process.  The IA Rule requires that the VA includes a written explanation for why each point, step, or procedure in the food manufacturing process was or was not identified as an actionable process step.[15]

III.       Mitigation Strategies for Actionable Process Steps

            A.        What are Mitigation Strategies?

Once a facility conducts a VA, it must identify mitigation strategies to minimize or prevent identified vulnerabilities. These mitigation strategies are implemented to prevent intentional adulterations, and are different from preventive controls in that preventive controls are intended to minimize or prevent the occurrence of an unintentionally introduced food safety hazard.  Mitigation strategies should be customized to the specific process step they address, tailored to the facility’s practices and procedures, and directed toward the vulnerability.  Again, there is the opportunity for flexibility in developing mitigation strategies.

Any actionable process step a facility identifies must have a mitigation strategy and a written explanation of how the mitigation strategy is effective in minimizing or preventing the vulnerability associated with that actionable process step.[16]  The written explanation can be brief, but must provide a sufficient description of how the strategy is effective.

            B.        Types of Mitigation Strategies

There are a number of mitigation strategies a facility can implement that vary based on the specific actionable process step the strategy is intended to address.  The guidance provides examples of two main types of mitigation strategies: personnel and operations-based mitigation strategies, and technology-assisted mitigation strategies.

  • Personnel and operations-based mitigation strategies.  These strategies focus on ways that personnel and operation structure can help prevent actionable process steps.  Examples include the implementation of a vetting process to establish who is allowed to work at particularly vulnerable points in the food manufacturing process, training personnel to be able to adequately observe and protect actionable process steps, and implementing procedures to ensure that actionable process steps are not compromised.
  • Technology-assisted mitigation strategies. These strategies use a physical access barrier to prevent food adulteration.  Such strategies may include adding a security clearance for specific points or procedures in the food manufacturing process, using tamper-evident tapes or seals for ingredient storage containers, and implementing alarms for specifically vulnerable processes to indicate when someone has unauthorized access to such processes.

Facilities may implement facility-wide mitigation strategies, such as fences to limit access to the property, and requiring employees to wear ID badges.  These strategies are not necessarily required by the IA Rule, but facilities may use them to address specific vulnerabilities at actionable process steps.  Mitigation strategies should generally be designed to either: (1) minimize the accessibility of the product to an inside attacker (e.g., physically reducing access to the product, such as by locking storage tanks); or (2) reduce the opportunity for an inside attacker to contaminate the product (e.g., increasing observation of the area through supervision or use of the buddy system).

A facility may have existing measures in place to mitigate certain actionable process steps. These are acceptable if they address specific vulnerabilities and otherwise meet requirements under the IA Rule. When identifying mitigation strategies, existing measures are a good place to start.

IV.       Food Defense Monitoring

The final chapter of the most recent guidance discusses food defense monitoring, which is required to assess the effectiveness of mitigation strategies.[17]  As is the theme throughout the guidance, the type of monitoring a facility implements is flexible based on the facility’s needs. Regardless, any food defense monitoring procedures should address the following questions:

  • What will be monitored? What to monitor should be based on the implementation and nature of the mitigation strategy. This is flexible as long as the monitoring assesses the effectiveness of the mitigation strategy.
  • How will the monitoring be done? Facilities have flexibility in determining how to monitor their mitigation strategies. How to conduct this monitoring depends on what the mitigation strategy is intended to protect and how it is implemented.
  • How often will the monitoring be done? How often the monitoring is completed is flexible, but the monitoring should be completed often enough that the facility can ensure that the mitigation strategies are being performed consistently.[18]
  • Who will do the monitoring? A facility can determine who conducts the monitoring, but that person must have the education, training, or experience necessary to conduct his or her duties.[19]

Monitoring strategies must be documented.[20]  Depending on the type of monitoring, a facility may also create an exception record that demonstrates a deviation, as opposed to an affirmative record that demonstrates that the mitigation strategy is functioning as intended.[21] Whether or not exception records are appropriate depends on the type of mitigation strategy implemented. For example, a static situation that is not under constant monitoring would not be an instance where an exception record approach would be helpful.  Instead, a record that affirms that such mitigation strategy is effective would be more appropriate in this situation.

V.        Compliance Dates

The compliance dates for the IA Rule depend on the size of the business and are as follows:

Size of Business                                        Compliance Date
Very small                                              July 26, 2021
Small                                                   July 27, 2020
Other businesses that do not qualify for exemptions     July 26, 2019

As noted above, FDA will accept written comments on this portion of the draft guidance until December 17, 2018.  The agency also plans to release additional chapters of the draft guidance in the near future, including chapters on reanalysis, education, training, experience requirements, and records.

For more information about this advisory, please contact:

Donnelly McDowell
(202) 342-8645

[1] 21 C.F.R. Part 121.
[2] 21 C.F.R. § 121.1. Note that there are a number of exemptions under the IA Rule, including very small businesses, the holding of food, packaging or labeling of food, farm activities that are subject to section 419 of the Food Drug & Cosmetic Act, alcoholic beverages that meet specific conditions, animal food, and low-risk activities at farm mixed-type facilities. 21 C.F.R. § 121.5.
[3] 21 C.F.R. § 121.130.
[4] 21 C.F.R. § 121.135.
[5] 21 C.F.R. § 121.140.
[6] 21 C.F.R. § 121.145.
[7] 21 C.F.R. § 121.150.
[8] 21 C.F.R. § 121.4(c).
[9] 21 C.F.R. § 121.4(c)(3).
[10] See Guidance at 19.
[11] 21 C.F.R. § 121.157(a).
[12] See 21 C.F.R. §§ 121.310–121.315.
[13] 21 C.F.R. § 121.130(a).
[14] Id.
[15] 21 C.F.R. § 121.130(c).
[16] 21 C.F.R. § 121.135(a).
[17] 21 C.F.R. § 121.3.
[18] 21 C.F.R. § 121.140.
[19] 21 C.F.R. § 121.4(b)(1).
[20] 21 C.F.R. § 121.140(c).
[21] Guidance at 66.