After the Food Safety Modernization Act was passed, there was a great deal of angst and fear in the food industry about the impending implementation of hazard analysis, risk-based preventive controls. 

Why the angst? People thought that HARPC was new and would force processors to adopt completely new and different food safety management systems. The reality was people did not have to make major changes to their HACCP programs or food safety management systems. In fact, HARPC sort of vanished. As an instructor for the PCQI (preventive controls qualified individual) program, I can attest that there is absolutely no mention of HARPC in the course materials. 

Since FSMA was enacted in 2011, there have been a number of regulations passed to ensure enforcement. The Preventive Controls for Human Food regulation, found in 21 CFR Part 117, emphasizes the utilization of risk assessment as a means for establishing the hazards that need to be controlled through traditional critical control points or process preventive controls, allergen preventive controls, sanitation preventive controls, supplier preventive controls or any hazard controls. The regulation also mandates that processors utilize a risk assessment protocol that includes two elements: likelihood of occurrence and severity of occurrence. In fact, 21 CFR Part 117.130 (c) reads:

“The hazard analysis must include an evaluation of the hazards identified in paragraph (b) of this section to assess the severity of the illness or injury if the hazard were to occur and the probability that the hazard will occur in the absence of preventive controls.”

The emphasis on risk assessment is not new, or it should not be thought of as new. As far back as 1994, Dr. Russell Cross of the U.S. Department of Agriculture made the following statement:

“We believe that the HACCP system, coupled with strong risk assessment programs is the food safety system of the future … and the future is now.” 

But very few processors adopted a risk-based approach within their food safety management systems. They would do hazard analyses, but there was really no documented risk assessment, nor was there pressure from regulators to go that route. I used the words “very few” intentionally because there are a few multinationals that adopted a risk-based approach to ensuring and updating food safety systems globally.

In response to pressure to develop a new internal audit that would not only better ensure the safety and quality of products globally but also would assess how operations throughout the world could continuously improve, one company developed a risk-based audit that utilized FMEA or failure mode, effects analysis. The FMEA program has three basic principles:

1. A systemized group of activities intended to recognize and evaluate the potential failure of a product, process or design and its potential effect on customers and consumers
2. A systemized group of activities intended to identify actions that would mitigate the chance of a potential failure from occurring
3. A systemized group of activities intended to document and continuously improve the product, process or design

The program was designed to mandate that each and every element making up the food safety management system was to be subjected to a risk assessment using FMEA. What made this assessment even more powerful is that the company included three elements: likelihood of occurrence, severity of occurrence and the ability to detect issues. Each element had a defined one to 10 rating. 

Without a written assessment, the company simply would not score well on that section, even if it had a documented program that was working well. When the audit was rolled out, it did not make operations around the world very happy because no one had done the necessary risk assessments. Companies that had scored in the high 80s or 90s on third-party audits were now scoring 15 to 25, but long term the overall goal was achieved: continual improvement throughout the corporation. The program has been so well received that it was continued even after a merger. And the adoption of the internal audit scheme undoubtedly made complying with FSMA and its supporting regulations easier.

Risk assessment is now an integral part of most processors’ food safety management systems. This has been driven by regulations like the Preventive Controls for Human Foods found in 21 CFR Part 117, the GFSI audit schemes, ISO 22000, and industry demand for enhanced food safety throughout the food chain. 

So, risk assessment should be an integral element in each and every food processor’s food safety management system. There is no one way that this should be done, but it should include severity versus likelihood of occurrence. To companies that proactively incorporated risk assessment into their food safety programs, I say, “Kudos.”