Are you ready for the FSMA final rules?
Only one of seven FSMA final rules remains in limbo. Fortunately, FDA has stated it will teach while determining compliance.
If you feel your company is not completely ready for FSMA, you’re not alone. In a recent SafetyChain Software and The Acheson Group (TAG) survey, more than two-thirds of respondents (68 percent) said they were “somewhat ready” for FSMA. The survey included more than 400 respondents, including food processors and manufacturers, produce growers/packagers/shippers, warehouse and distribution companies, animal food manufacturers, domestic suppliers, foodservice companies, retailers, import manufacturers, and import and domestic brokers. Only 25 percent of respondents indicated they were ready for FSMA, and 6 percent said they weren’t ready at all. Be that as it may, FDA isn’t quite yet ready either. Although the guidance documents would help processors understand what they must do to comply, they have yet to be released, holding up the process, according to David Acheson, CEO of TAG.
Meanwhile, it’s evident that the TAG/SafetyChain poll is a pretty accurate picture of processors’ readiness for FSMA. “Only a few companies fully understand the complexities of these regulations and what they need to accomplish to be compliant with FSMA,” states Jim Cook, food scientific and regulatory affairs manager for SGS, a worldwide organization that offers training and education for cGMP and HARPC and auditing programs for major GFSI schemes.
Many companies believe it will be business as usual as long as they have a HACCP plan, prerequisite programs and GFSI certification. However, some of these prerequisites are preventive controls (PCs), and a program must be established for them. Consequently, these facilities will be only partly compliant. Fortunately, FDA has stated it will teach while determining compliance. “Providing there is no risk to consumers, FDA most likely will allow a facility to become compliant,” notes Cook.
HARPC still a stumbling block for some
Apparently, the HACCP-to-HARPC migration is either not as easy as originally thought, or manufacturers are unsure how to accomplish the task.
“People are seeing HARPC as a bit of a challenge,” says Acheson when describing the results of the TAG/SafetyChain survey. (See table, “FSMA compliance challenges” on page 94.) “It’s not like ‘This is easy, done, got it all figured out.’ The majority of respondents are saying, ‘You know, this isn’t quite as easy as we thought.’”
“Going from HACCP to HARPC is a natural progression; HARPC is simply HACCP plus the prerequisite programs,” offers Jim Gorny, Produce Marketing Association vice president, food safety & technology. “In the past, you needed GMPs before you could do HACCP. HARPC is basically a combination of the two.” The real trick is knowing which records are required and which are important to have as proof of complying with the regulations.
Under HARPC, producers/processors will need to establish what preventive controls have been applied, and then validate and verify them. In addition, monitoring and recordkeeping will be absolutely necessary. “FDA will often say, ‘If it isn’t written down, it didn’t happen,’” explains Gorny. “All these things will require documentation, and that’s the big shift. You have to know what your preventive controls are and make sure they work. This puts the burden on the food company, and so, you need a certain technical level at your facility to develop [the HARPC plan and documentation].” Organizations like the Food Safety Preventive Controls Alliance can provide information on the new systems under FSMA, adds Gorny.
For many companies, there are business advantages to a risk-based system such as HARPC, and they may already have a system in place that approximates it. “Most companies have been doing what is required for HARPC for a long time,” says Mike Edgett, Infor industry & solutions strategy director. “They just don’t have it all packaged up in a nice, concise plan they can share with FDA. HARPC puts discipline behind the process, which is exactly the spirit of the law.”
When processors put software systems in place (e.g., Infor, VAI, SafetyChain), managing process data and correlating it to food safety and smart business decisions plus control risk become easier. Joe Scioscia, VAI (Vormittag Associates Inc.) vice president of sales, believes technology plays an important role in helping companies define their processes and may make the road to HARPC easier. “HARPC is similar to HACCP, so processors are not having a lot of difficulty making the shift,” says Scioscia. “Most understand the ‘known or reasonably foreseeable’ hazards for each type of food subject to the regulation and have written plans for preventive controls.”
According to Jill Bender, SafetyChain vice president of marketing, if companies are GFSI certified, the leap from HACCP to HARPC is not as onerous. “From what we’ve seen within the industry and our own customer base, food and beverage companies have been migrating toward a risk-based preventive controls approach in the past few years for a multitude of reasons, such as GFSI requirements, the upcoming FSMA standards or internal initiatives.”
Sanitary Transport Rule
By the time you read this, FDA’s Proposed Rule on Sanitary Transportation of Human and Animal Food will have become a final rule and law. Its goal is to prevent practices that create food safety risks, such as the failure to refrigerate food properly, the inadequate cleaning of vehicles between loads and the failure to protect food during transportation.
Published to implement the Sanitary Food Transportation Act of 2005 (SFTA), the FSMA rule establishes criteria for the safe, sanitary transportation of both human and animal food, i.e., requirements for vehicles and transportation equipment, transportation operations, information exchange, training, records and waivers.
With some exceptions, the rule applies to shippers, receivers and carriers that transport food in the US by motor or rail vehicle, whether or not the food is transported across state boundaries. It also applies to a person outside the US (such as an exporter) who ships food to the US in an international freight container and arranges for the transfer of the intact container onto a motor or rail vehicle for ultimate consumption in the US.
“The rule details the specific responsibilities of the shipper, transporter and receiver,” says PMA’s Gorny. For example, the supplier or shipper must communicate with the transporter in writing (or electronically) what storage temperature and/or other conditions must be met during transit. And, the transporter must be able to prove to the shipper and the receiver these conditions were met during transit.
“This area is well addressed by GFSI audit programs, and SGS auditors will continue to monitor GFSI-certified suppliers for compliance,” says SGS’s Cook. “Additional training for certain companies will be necessary, and some operations may require help in developing programs, documentation and data collection.” These are areas where the SGS Transparency-One program can help. “Training records will be required for all the FSMA rules, and data collection of this information will be essential,” states Cook. SGS offers supervision of cargo loading and unloading to help verify compliance with sanitary transport programs. All programs can be audited for compliance to the rules and to help assure they are being performed as written.
An asset management system can also provide a solution. “Many companies use this type of system to manage a fleet of vehicles and make sure it is being maintained properly,” says Infor’s Edgett. “Adequate maintenance is critically important, if you are trying to ensure transportation metrics such as temperature control.”
SafetyChain’s system enables the gathering and reporting of temperature data along the entire supply chain, says Bender. As a user fills out one of the software’s mobile forms, the data is verified against program specifications in real time, revealing noncompliant events immediately. “Additionally, automated workflows can be set up to notify key stakeholders that a noncompliant event has occurred and automatically generate and track a CAPA [corrective and preventive action] until it is successfully completed.” (For more details on the sanitary transport of food, see “Where and how safe is your cargo?” FE, December 2015).
Intentional Adulteration Rule
“After 9/11, there was a lot of activity in the food industry with regard to preventing intentional adulteration,” recalls PMA’s Gorny. For instance, the Bioterrorism Act of 2002 was passed, with its Title III geared toward protecting the safety and security of our food and drug supply. Plus, Section 302, an amendment to the Federal Food, Drug and Cosmetic Act, includes: “The Secretary shall give high priority to increasing the number of inspections under this section for the purpose of enabling the Secretary to inspect food offered for import at ports of entry into the US, with the greatest priority given to inspections to detect the intentional adulteration of food.” At the end of May, the FSMA Proposed Rule for Focused Mitigation Strategies to Protect Food Against Intentional Adulteration becomes a final rule.
Authored by The British Standards Institution, PAS 96:2014, a “Guide to protecting and defending food and drink from deliberate attack,” provides a comprehensive review of threats, their causes and methods to mitigate and deter them. SGS offers PAS 96 food defense training throughout the world and has developed a checklist based on the proposed intentional adulteration 21 CFR 121 requirements. It also has performed audits and trained companies and their facilities in Customs Trade Partnership Against Terrorism (C-TPAT) audits. While these audits don’t meet most of the intentional adulteration requirements, they do provide a framework and general food defense programs that will aid in compliance. “During our presentations, we tell companies the FDA has the training and tools to help operations comply with this part of the regulation,” says Cook.
FDA’s proposed rule on food defense requires domestic and foreign facilities to address vulnerable processes in their operations to prevent acts on the food supply intended to cause large-scale public harm. The FSMA proposed rule requires the largest food businesses to have a written food defense plan that addresses significant vulnerabilities—often in the areas of bulk liquid receiving and unloading, liquid storage and handling, secondary ingredient handling and mixing, and similar activities.
Vigilance helps detect and deter potential incidents, so many processors are now adding video cameras above sensitive areas where an internal threat could wreak havoc.
“Organizations should consider who has access to critical control points,” says Hank Monaco, Tyco Integrated Security vice president, marketing. “In particular, they should pay close attention to the four key activity types FDA has identified as particularly vulnerable to adulteration: mixing and grinding activities that involve a high volume of food and have a high potential for uniform mixing of a contaminant, ingredient handling with open access to the product stream, bulk liquid receiving and loading, and liquid storage and handling. Access to these areas should be limited to critical employees only.”
Intentional adulteration can take several forms, such as the acts of disgruntled employees, consumers or competitors and economically motivated adulteration (EMA). Acts of disgruntled employees and the like are generally directed at attacking the reputation of a food company, while an EMA takes place for monetary gain. None of these intentional acts aim to cause widespread harm. (For more on EMAs, see “VACCP: HACCP for vulnerability assessments,” FE, February 2016.)
Protecting against intentional adulteration requires a shift in perspective from what is considered food safety. FDA suggests an approach that targets processes within a facility that are most likely to be vulnerable, rather than targeting specific foods or hazards. Therefore, each facility needs to create its own written food defense plan with actionable process steps, using FDA-identified key activity types or conducting their own facility-specific vulnerability assessments (see chart, “How to prepare and implement a written food defense plan on page” 92). The food defense plan must also include focused mitigation strategies, monitoring procedures, corrective actions, verification, training and record-keeping.
Since many of these activities require documentation, automating the process can make it easier. “SafetyChain’s operating system provides the necessary, robust document management and workflow approval and task engines to maintain audit readiness for the intentional adulteration rule,” says Bender. The software does this by keeping companies current for risk assessments, facility and employee practices, inspections and all CAPA time-sensitive completion requirements.
“Organizations should employ technology to alert the appropriate individuals of intentional and unintentional instances of food adulteration,” advises Monaco. “Response time is critical. Every passing minute is a minute when more health risks could develop, which could lead to a greater chance of negative impact on a brand and, more importantly, public safety.”
Moving forward with FSMA
Generally speaking, there have been delays in adopting FSMA, largely because processors have been waiting for final regulations and guidance, says Infor’s Edgett. “They recognize the value of having better preventive measures in place. The challenge now is documenting them to the satisfaction of FDA, which will not be easy without software to help manage the data.”
“Larger food and beverage companies are well on their way to complying with FSMA,” says Monaco. “For them, regulatory compliance is, of course, important, but preventing food safety goes far beyond compliance; it goes straight to the core of protecting valuable brands. However, many smaller companies do not have the expertise, staff and/or resources that may be required to fully comply with all the new FSMA regulations. This is a concern for the whole industry, because the security and safety of the food supply chain are only as strong as its weakest link.”
Many companies are working together in collaboration programs through various associations to develop general HARPC programs for products or product categories, says SGS’s Cook. Once the programs are completed, the companies will make them facility/company specific. Some companies also are expanding personnel training, ensuring key members are trained in HARPC.
“Unfortunately, many companies are just trying to figure out if they must comply with the preventive control rule, and a few will continue not to comply, even after FDA requires them to,” notes Cook. “We’ve seen this with Seafood HACCP. After almost 20 years, FDA is still issuing warning notices almost weekly for some area that is not in compliance.”
According to Cook, when it comes to compliance, two areas cannot be overlooked. First, upper management must provide the necessary tools and resources to the individuals formulating their food safety plans and support the actions of personnel when food safety issues arise. Failed audits and/or testing results—or documentation that reveals food safety issues—should not be tolerated. Instead, determining the proper corrective actions and ensuring these issues don’t arise again must be the new order of the day.
Second is continuous food safety improvement. FDA has made it very clear while these programs are written, they are never finished. Once developed, they are living, breathing documents and must be reanalyzed as necessary to ensure the continuous progress of providing safe food for consumers.
For more information:
“Where and how safe is your cargo?” Food Engineering, December 2015.
“TACCP: HACCP for threat assessments,” Food Engineering, March 2016.
“PMA FSMA Overview,” Dr. Jim Gorny, Produce Marketing Association, www.pma.com.
The Bioterrorism Act of 2002, FDA, www.fda.gov/RegulatoryInformation/Legislation/ucm148797.htm.
PAS 96:2014 (“Guide to protecting and defending food and drink from deliberate attack”), PDF download.