Embed Size (px)
Citation preview
8/10/2016
1
Implementing an Effective Food Defense and Security Plan
Session Number: 3315
Tuesday, September 13, 2016
Speaker: Donald J. Ostmann Sr., CPPNorth America Regional Security Director DuPont Company
Food Safety Modernization Act Implementing an Effective
Food Defense and Security Plan
The U.S. Food and Drug Administration (FDA) released the Food Safety Modernization Act (FSMA) Final Rule on Intentional Adulteration on May 27, 2016.
Food Security Professionals are now tasked with reducing supply chain food adulteration vulnerabilities and developing a “Food Defense Plan” as part of (or in addition to) their overall “Security Plan” for the site.
This includes where and when to conduct vulnerability and security assessments of their facilities to then implement mitigation strategies.
Resources are available to Security Professionals and Food Defense Practitioners to minimize risk exposure and meet regulatory requirements.
Food Safety Modernization Act Implementing an Effective
Food Defense and Security Plan
8/10/2016
2
The proposed rule was published on December 24, 2013.
Final Rule was published on May 27, 2016.
The rule establishes requirements to prevent or significantly minimize acts on the food supply chain intended to cause large‐scale public harm by requiring facilities to address vulnerable processes in their operations.
Background
The FDA Food Safety Modernization Act (FSMA) was signed into law on January 4, 2011 to better protect human and animal health by helping to ensure the safety and security of the food supply.
• Focus on ensuring that the U.S. food supply is safe by shifting the focus of federal regulators from responding to contamination to preventing contamination.
• The law also provides FDA with new enforcement authorities designed to achieve higher rates of compliance with prevention & risk‐based food safety standards and to better respond to and contain problems when they do occur.
Background
With some exceptions, this rule applies to facilities that manufacture, process, pack, or hold human food (both domestic and imported food) and those required to register as a food facility under section 415 of the FD&C Act.
This rule does not apply to farms, retail locations, or other food facilities not required to register under section 415 of the FD&C Act.
Who is Covered?
8/10/2016
3
Type of facility or operation Exempt Status
Averysmallbusiness(abusinessthathaslessthan$10,000,000intotalannualsalesoffood,adjustedforinflation)
Exempt,butwouldberequiredtoprovidetoFDA,uponrequest,documentationreliedontodemonstratethatthebusinessisverysmall.
Theholdingoffood,excepttheholdingoffoodinliquidstoragetanks Exempt
Thepacking,re‐packing,labelingorre‐labelingoffoodwherethecontainerthatdirectlycontactsthefoodremainsintact
Exempt
ActivitiesofafarmsubjecttotheProduceSafetyRule.
Exempt
Manufacturing,processing,packing,orholdingoffoodforanimals
Exempt
Alcoholicbeveragesundercertainconditions Exempt
Exemptions and Modified Requirements
Food Defense Plan
• Security vulnerability assessment
• Mitigation strategies
• Procedures for food defense monitoring
• Food defense corrective action procedures
• Food defense verification procedures
• Recordkeeping & Documentation
Training for Personnel
Overview of Requirements
There were no requirements that food facilities implement mitigation strategies or measures to protect against intentional contamination.
FDA has provided guidance, tools, and resources for industry on food defense.
Previous Requirements?
8/10/2016
4
The Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (the Bioterrorism Act) directs the Food and Drug Administration (FDA), as the food regulatory agency of the Department of Health and Human Services, to take steps to protect the public from a threatened or actual terrorist attack on the U.S. food supply and other food‐related emergencies.
Background
ALERTwas released in 2006 as an educational program to raise awareness regarding food defense. The program identifies five key elements in food defense planning:
• A—How do you ASSURE that the supplies and ingredients you use are from safe and secure sources?
• L—How do you LOOK after the security of the products and ingredients in your facility?
• E—What do you know about your EMPLOYEES and people coming in and out of your facility?
• R—Could you provide REPORTS about the security of your products while under your control?
• T—What do you do and who do you notify if you have a THREAT or issue at your facility, including suspicious behavior?
“ALERT” Program
FDA and USDA’s Food Safety and Inspection Service (FSIS) adapted a military targeting tool known as CARVER to assess vulnerabilities of the food and agriculture sector. CARVER is an acronym for the following six attributes used to evaluate the attractiveness of a target for attack: {Software tool originally released in 2007}
Criticality—measure of public health and economic impacts of an attack;
Accessibility—ability to physically access and egress from target;
Recuperability—ability of a system to recover from an attack;
Vulnerability—ease of accomplishing an attack;
Effect—amount of direct loss from an attack as measured by loss in production; and
Recognizability—ease of identifying a target.
A seventh attribute, ‘‘Shock’’, was added to the original six attributes to assess the combined health, economic, and psychological impacts of an attack on the food industry.
The methodology improved vulnerability assessment efforts because its process allowed for the identification and estimation of economic and psychological impacts throughout the food system.
CARVER+Shock Methodology
8/10/2016
5
Employees FIRSTwas released in 2008 as an food defense awareness training program for front‐line food industry workers about the risk of intentional food adulteration and the actions they can take to identify and reduce risks:
• F—Follow company food defense plan and procedures;
• I—Inspect your work area and surrounding areas;
• R—Recognize anything out of the ordinary;
• S—Secure all ingredients, supplies, and finished product; and
• T—Tell management if you notice anything unusual or suspicious.
“Employees FIRST” Training Tool
The final rule is aimed at preventing intentional adulteration from acts (including disgruntled employees or economically motivated adulteration) intended to cause wide‐scale harm to the public health, including acts of terrorism targeting the food supply.
Such acts could cause illness, death, economic disruption to the food supply absent mitigation strategies.
The FSMA Final Rule
World War I, German agents in the U.S. infected horses and cattle in transit across the Atlantic to France
1978, citrus fruit from Israel was deliberately contaminated with mercury affecting consumers in the Netherlands and Germany
1984, Oregon, members of a religious cult contaminated salad bars with Salmonella typhimurium in order to disrupt a local election
1996, a disgruntled US laboratory worker deliberately infected food to be consumed by co‐workers with Shigella dysenteria
Post 9/11 ‐ al Qaeda documents and manuals found in Afghanistan after the 2001 U.S. – led invasion revealed some interest in conducting chemical and biological attacks on food supplies
2002, the owner of a fast‐food outlet in China poisoned a competitor's breakfast foods with rat poison
2003, a US supermarket employee pleaded guilty to intentionally poisoning ground beef with an insecticide
Why do we need such a rule?A Historical Perspective
8/10/2016
6
EIJING (AP) —A Chinese court on Monday sentenced a former food plant worker to life in prison for poisoning frozen dumplings that sickened 10 people in Japan in 2008 and strained relations with Tokyo just months before the Beijing Olympics.
The incident prompted a recall of millions of bags of dumplings, and Chinese food products were taken off shelves in Japan out of safety worries.
A court in the northeastern city of Shijiazhuang sentenced Lu Yueting, 39, to life in prison, the official Xinhua News Agency said.
Lu had been dissatisfied with his wages and injected insecticide into several boxes of frozen dumplings in late 2007 to get attention from his managers.
The products were later sold in Japan and in the Chinese city of Chengdu, sickening at least four other people there.
Lu was detained in 2010 after more than two years of investigation. He contaminated the dumplings with methamidophos, a type of pesticide, compounding widespread fears about the safety of Chinese food exports.
China Food Worker Gets Life Sentence for Poisoning Dumplings
01/20/2014
Eleven fresh and further processing poultry plants in five southern states owned by Wayne Farms LLC are on guard after foreign materials found in the company’s Laurel, MS, facility are being investigated as possible sabotage.
The U.S. Department of Agriculture’s (USDA’s) Inspector General (IG) has been brought in to lead the investigation of the March 3 incident. A spokesman for Wayne Farms said the company is “working in collaboration” with the IG’s investigation and cannot comment further until it is complete.
When the material was found by the on‐site USDA inspectors at the beginning of the second shift, all the product involved was immediately put on hold without the need for a recall.
The Laurel plant where the foreign material was found is going through cutbacks due to the closure of deboning lines, which will result in layoffs of 500 workers by June.
USDA has not disclosed the foreign substance found at Wayne Farms.
While not frequent, it is not all that usual for food to be recalled for contamination with non‐food substances. However, the deliberate planting of any such material is extremely rare.
USDA Inspector General investigates possible Poultry Sabotage
03/11/2016
Food defense differs from food safety, which is the effort to prevent unintentional contamination of food products by agents reasonably likely to occur in the food supply (e.g., E. coli, Salmonella, Listeria).
Food Defense
8/10/2016
7
While companies are required to create a Food Defense Plan, the FDA has taken an approach similar to Hazard Analysis Critical Control Point (HACCP) system, an approach adopted by industry for the identification, evaluation and control of food safety hazards. The FSMA rules advance and strengthen those safeguards.
Each covered facility is required to prepare and implement a food defense plan. This written plan must identify vulnerabilities and actionable process steps, mitigation strategies, and procedures for food defense monitoring, corrective actions and verification.
A reanalysis is required every three years or when certain criteria are met, including mitigation strategies that are determined to be improperly implemented.
Key Provisions of the Rule
The need to identify vulnerabilities and actionable process steps for each type of food manufactured, processed, packed or held at the food facility.
Key Provisions of the Rule:Vulnerability Assessment
For each point, step, or procedure in the facility’s process, these elements must be evaluated:
• The severity and scale of the potential impact on public health.
• Volume of product
• How fast the food moves through the distribution system
• Potential agents of concern and the infectious/lethal dose of each
• The degree of physical access to the product.
Things to be considered would include the presence of such physical barriers as gates, railings, doors, lids, seals and shields.
• The ability to successfully contaminate the product.
Key Provisions of the Rule:Vulnerability Assessment
8/10/2016
8
These should be identified and implemented at each actionable process step to provide assurances that vulnerabilities will be minimized or prevented.
• The mitigation strategies must be tailored to the facility and its procedures.
The final rule removes the distinction between “broad” and “focused” mitigation strategies.
• The original proposal only required “focused” mitigation strategies because “broad” mitigation strategies, such as a fence around the entire facility, did not protect specific points from being attacked by an insider.
The final rule recognizes that a mitigation strategy, applied in a directed and appropriate way to protect the actionable process step from an insider attack, would sufficiently minimize the risk of intentional adulteration.
Key Provisions of the Rule:Mitigation Strategies
Steps must be taken to ensure the proper implementation of each mitigation strategy. In each of these areas of food defense, the facilities are given more flexibility in the final rule to establish the actions most appropriate to their operation and product.
• Monitoring: Establishing and implementing procedures, including the frequency with which they are to be performed, for monitoring the mitigation strategies.
• Corrective actions: The response if mitigation strategies are not properly implemented.
• Verification: Verification activities would ensure that monitoring is being conducted and appropriate decisions about corrective actions are being made.
Key Provisions of the Rule:Mitigation Strategy Management Components
Facilities must ensure that personnel assigned to the vulnerable areas receive appropriate food defense awareness training.
Facilities must establish & maintain records for: the Food Defense Plan
Food Defense monitoring
Corrective Actions
Verification Activities
Personnel Training
Key Provisions of the Rule:Training & Recordkeeping
8/10/2016
9
Awareness Training
Awareness Training
Very small businesses (Averaging less than $10,000,000 per year, in both sales of human food plus the market value of human food
manufactured, processed, packed, or held without sale, e.g., held for a fee):
Five years (July 26, 2021)
Small businesses (a business with fewer than 500 full‐time equivalent
employees):
Four years (July 27, 2020)
All other businesses:
Three years (July 26, 2019)
Compliance Dates
8/10/2016
10
FDA has established an Intentional Adulteration Subcommittee with the Food Safety Preventive Controls Alliance to develop food defense training resources for industry and regulators alike.
The agency intends to publish guidance documents to provide information relevant to the provisions of the final rule, such as conducting a vulnerability assessment, identifying and implementing mitigation strategies, and writing procedures for food defense monitoring, corrective actions and verification.
FDA tools and resources currently available on our website (www.fda.gov/fooddefense) that were developed for our voluntary food defense program.
The FDA FSMA Food Safety Technical Assistance Network is already operational and provides a central source of information to support industry understanding and implementation of FSMA. Questions submitted online or by mail will be answered by information specialists or subject matter experts.
Assistance to Industry
The Food Defense Mitigation Strategies Database is an online, searchable listing of mitigation strategies that can be applied to different steps in a food operation to reduce the risk of intentional adulteration.
Assistance to Industry
Mitigation Strategies Database
8/10/2016
11
Mitigation Strategies Database
Mitigation Strategies Database
Mitigation Strategies Database
• Access Controls• ID Badges• Criminal Background Checks• Site Visitor Policy
8/10/2016
12
Food Defense PlanAssessment Process
Identification of those points at highest risk, i.e., actionable process steps.
For each point, step, or procedure, a facility must consider, at a minimum: Potential public health impact Degree of physical access to product Ability of an attacker (including insider threat)
to successfully contaminate the product Assessment results must be documented. Key areas, processes, and activities are considered
an appropriate method in conducting a vulnerability assessment.
Site Perimeter Fences, Gates, Turnstiles
Access Control
• Personnel & Delivery Vehicle Access
• Personnel Access (Criminal Background Checks)
On‐Site Security Workforce
Equipment & Technologies
• CCTV, Alarms, Fences, Gates, Turnstiles, Lighting
Emergency Procedures
• Off‐Site Response from Law Enforcement
Food Defense and Security PlanKey Areas and Processes
Operating Procedures
Laboratory/R&D Areas
Supply Chain Logistics
Shipping & Receiving
Storage
Warehouse Operations
Incident Reporting & Documentation
Utilities
Training
Recordkeeping
Automation & Process Controls and the Cyber Security Threat
8/10/2016
13
Food Defense PlanAssessment Process – Mitigation Strategies
Document measures/strategies to ensure significant vulnerabilities at actionable process steps are significantly minimized or prevented.
Must be implemented for each actionable process step.
Must include written explanation for how strategy minimizes vulnerability.
Food Defense PlanFood Defense Monitoring & Verification
Facility must have written procedures, including the frequency they are to be performed, for monitoring the mitigation strategies (as appropriate to the nature of the mitigation strategies).
Monitoring must be documented in records subject to verification.
Verification of monitoring and corrective actions.
Verification that mitigation strategies are properly implemented through records review or other activities.
Verification must be documented in records.
Food Defense PlanReanalysis
At least every three years.
Whenever there is a significant change that creates the potential for a new vulnerability or a significant increase in one previously identified.
When there is new information about potential. vulnerabilities associated with a food operation or facility.
When a mitigation strategy is not properly implemented.
Whenever FDA requires reanalysis to respond to new vulnerabilities, credible threats, or developments in scientific understanding.
8/10/2016
14
Additional Tools Available to the Food Defense Practitioner to Minimize
Risk Exposure
The Food Defense Plan Builder is a user‐friendly software program designed to assist owners and operators of food facilities with developing personalized food defense plans for their facilities. This user‐friendly tool harnesses existing FDA tools, guidance, and resources for food defense into one single application.
The Food Defense Plan Builder guides the user through the following sections: Company Information Broad Mitigation Strategies Vulnerability Assessment Focused Mitigation Strategies Emergency Contacts Action Plan Supporting Documents
Food Defense Plan Builder
8/10/2016
15
Computer based tool designed to assist (but does not put a facility in compliance with rule) owners/operators of a food facility to develop a personalized food defense plan.
A food defense plan is a written document used to record practices implemented to control/minimize the potential for an intentional contamination incident and thereby reduce the overall vulnerability of the facility’s food operation.
FDA’s Food Defense Plan Builder
Property Perimeter
Building Perimeter
Vehicles
Facility/Plant
Utilities
Laboratory
Process Computer Systems
Suppliers and Vendors
Incoming Shipments
Food Defense Plan
Outgoing Shipments
Live Animals
Returned Products/Goods
Ice/Water/Processing Aids
Storage/Warehouse
Hazardous Materials/Chemicals
Personnel Security
Food Defense Plan
8/10/2016
16
18+1 RBPS Represent the Core of CFATS:
(1) Restrict Area Perimeter(2) Secure Site Assets(3) Screen and Control Access(4) Deter, Detect, and Delay(5) Shipping, Receipt, and Storage(6) Theft and Diversion(7) Sabotage (8) Cyber(9) Response(10) Monitoring(11) Training(12) Personnel Surety(13) Elevated Threats (14) Specific Threats, Vulnerabilities, or Risks(15) Reporting of Significant Security Incidents(16) Significant Security Incidents and
Suspicious Activities(17) Officials and Organization(18) Records
+(19) Anything else specified by DHS
1. Leadership Commitment 2. Analysis of Threats, Vulnerabilities and Consequences 3. Implementation of Security Measures 4. Information and Cyber‐Security 5. Documentation6. Training, Drills and Guidance 7. Communications, Dialogue and Information Exchange 8. Response to Security Threats 9. Response to Security Incidents 10.Audits 11. Third‐Party Verification 12.Management of Change13.Continuous Improvement
Responsible Care® Security Code: Management Practices
An attack against the food or agriculture sector, however, requires a high level of cooperation between these disciplines to achieve their objectives of identifying the threat, preventing the spread of the disease or further contamination of a food product, preventing public panic, and apprehending those responsible.
{Handbook Background, Page 2}
8/10/2016
17
ASIS Food Defense & Agriculture Security Council
Questions?
Thank you
Sponsored by ASIS Supply Chain and Transportation Security Council
