United States: FDA Releases Third And Final Installment Of Draft Guidance For FSMA Intentional Adulteration Rule

The U.S. Food and Drug Administration (FDA) has released the third and final installment of its Draft Guidance to support compliance with the Mitigation Strategies to Protect Food Against Intentional Adulteration (IA rule). ¹Under the IA rule, the last of the major FDA Food Safety Modernization Act (FSMA) rules to be released, food facilities must develop and implement a food defense plan (or FDP) that identifies their significant vulnerabilities and mitigation strategies to address those vulnerabilities, and they must take steps to ensure those mitigation strategies are working.

FDA released the first four chapters of the Draft Guidance in June 2018. Those chapters (1) provided templates for various components of a food defense plan, (2) addressed how to develop a food defense plan, including one particular method for conducting a vulnerability assessment to identify significant vulnerabilities and actionable process steps (the Key Activity Type (KAT) method), and (3) included information regarding mitigation strategies for actionable process steps and monitoring.² The second installment of the Draft Guidance provided new content addressing an alternative vulnerability assessment approach, which could be more tailored to a facility by using the three factors in the regulation. The installment also provided guidance on training requirements for individuals performing various tasks under the rule. ³

This last installment of the IA rule Draft Guidance adds to the previous chapters, covering topics focused on food defense corrective actions, food defense verification, reanalysis, and recordkeeping. This memorandum provides an overview of the new material and is by no means a comprehensive summary. We encourage food facilities covered by the IA rule to read the final installment in its entirety.

Comments on the Draft Guidance will be accepted until June 15, 2020, and should be submitted to Docket Number FDA-2018-D-1398.

Background

FDA issued the IA rule on May 27, 2016. ⁴ Compliance requirements for large facilities began in July 2019 and inspections will begin in March 2020. Facilities that qualify as small businesses (i.e., businesses that employ fewer than 500 full-time equivalent employees) must comply with the rule by July 27, 2020 and very small businesses (defined for this purpose as those averaging less than $10 million in sales per year during the 3-year period preceding the applicable calendar year) are exempt from the rule, except that upon request they must provide documentation sufficient to show that the facility meets the exemption. The compliance date for these facilities to maintain such documentation is July 26, 2021.

FDA's Draft Guidance is intended to facilitate compliance for those facilities covered by the IA rule. The complete Draft Guidance consists of the following chapters:

1. The Food Defense Plan;
2. Vulnerability Assessment to Identify Significant Vulnerabilities and Actionable Process Steps;
3. Mitigation Strategies for Actionable Process Steps;
4. Mitigation Strategies Management Components: Food Defense Monitoring;
5. Mitigation Strategies Management Components: Food Defense Corrective Actions;
6. Mitigation Strategies Management Components: Food Defense Verification;
7. Reanalysis;
8. Education, training, or experience; and
9. Records.

FDA released chapters of the Draft Guidance in three installments:

• The first installment, which included the introduction and chapters 1 through 4, focused on the components of the food defense plan, how to conduct vulnerability assessments using the key activity type (KAT) method, how to identify and implement mitigation strategies, and food defense monitoring requirements.
• The second installment explained a vulnerability assessment approach that can be more tailored to a facility by using the three fundamental elements in the regulation (potential public health impact, degree of physical access to the product, and ability of an attacker to successfully contaminate the product), and included chapter 8 on education and training.
• The newly released third and last installment includes the remaining chapters (5, 6, 7, and 9), which provide greater detail on how to take corrective actions, how to verify that a facility's system is working, food defense plan reanalysis requirements, and recordkeeping requirements. The installment also includes two appendices (Appendix 2 and Appendix 3), which provide the Food Defense Mitigation Strategies Database (FDMSD) ⁵ and an explanation of how to determine status as a Very Small Business or Small Business, respectively.

For those familiar with the "management components" of monitoring, verification, and recordkeeping in the food safety context, the content in part 3 of the food defense guidance will likely feel familiar.

Corrective Actions

In Chapter 5, FDA notes how food defense corrective actions differ from food safety corrective actions. Specifically, intentional adulteration of food requires both:

1. the opportunity for a contamination event; AND
2. someone with intent to cause harm attacking the food at the point where the mitigation strategy was not properly implemented at the time it was not properly implemented.

Because of the different nature of intentional adulteration, FDA explains that food defense corrective action procedures do not need to ensure that all affected food is evaluated for safety before it enters interstate commerce. Further, FDA expects most corrective action procedures will be "simple and easy to undertake."

FDA builds on the series of mitigation strategy scenarios introduced in Chapters 3 and 4 to provide examples of the types of corrective action procedures that may be implemented. Simple procedures include:

• Retraining employees on proper implementation of mitigation strategies; and
• Escorting unauthorized individuals out of a restricted area.

While failure to follow a mitigation strategy usually requires minimal corrective actions, FDA addresses a few circumstances that may require additional action. For example, if an unauthorized person is discovered in a restricted area, AND there is a question as to whether the food was contaminated by that unauthorized person, the incident should be reported to facility management.

Finally, the Guidance reiterates the regulatory requirement that all corrective actions must be documented.

Verification

Chapter 6 of the Guidance describes the four food defense verification activities required under the regulations in more detail, provides examples, and highlights areas of flexibility. The four verification requirements include verification:

1. that food defense monitoring is being conducted;
2. that appropriate decisions about food defense corrective actions are being made;
3. that mitigation strategies are properly implemented and are significantly minimizing vulnerabilities; and
4. of reanalysis.

To this end, FDA notes that the food defense verification requirements are more flexible and less resource intensive than those needed for preventive controls. For example, FDA notes that record reviews do not have to occur weekly and can occur less frequently. FDA further explains that while records review will likely be the most common method for conducting verification activities, records review is not always required. For example, alternative methods include:

• Observation: Verification of food defense monitoring may involve employees or managers observing another employee conduct the food defense monitoring activity, and documenting the event by signing and dating a log.
• Penetration Audit: Verification of proper implementation of mitigation strategies could involve conducting a penetration audit, where the facility sends an unauthorized individual into the restricted area and observes whether the authorized employees identify and escort the unauthorized individual out of the restricted area. FDA notes that because the penetration audit is not specified in 12 CFR 121.150(a)(3)(i), the procedure and its frequency must be written.

The Guidance reiterates the regulatory requirement that all food defense verification activities must be documented. As with the chapter on Corrective Actions, Chapter 6 refers to and offers examples based on the mitigation strategy scenarios introduced in Chapters 3 and 4.

Reanalysis

The reanalysis requirements outlined in Chapter 7 largely align with the regulations. The Guidance explains both routine reanalysis (every three years), as well as situational reanalysis, which may be triggered by:

• significant changes in the activities conducted at the facility that may create a new vulnerability;
• new information about potential vulnerabilities;
• improper implementation of a mitigation strategy or the FDP as a whole; or
• as required by FDA.

The Guidance also provides additional detail on:

• voluntary reanalysis, which may occur at any time;
• determining how much of the FDP needs reanalysis;
• timeframe for completing a reanalysis; and
• documenting the reanalysis.

Recordkeeping Requirements

Chapter 9 addresses recordkeeping requirements, including how to identify the records that must be kept, as well as the format, location, and length of required retention.

Notably, the Guidance addresses records that are in FDA's possession. Any records that FDA obtains to determine compliance with the IA rule will be protected from public disclosure pursuant to 21 CFR Part 20, and any other applicable statutory and regulatory provisions. Moreover, FDA notes that FDPs generally will include information that meets the definition of "trade secret" in 21 CFR 20.61(a).

The Guidance also offers recommendations for how facilities can secure their records. FDA encourages facilities to limit access to the facility's FDP and associated records to only those who have a need to see or access the records to perform an assigned duty at the facility. Examples of limiting access include:

• keeping hard copies of records in a secured location when not in use;
• maintaining password-protected, electronic records on updated operating systems with current antivirus software; and
• controlling accesses when employees change duties or are no longer employed with the facility.

We will continue to monitor developments related to implementation of the IA rule. Please contact us if you have any questions or would like to discuss strategies your business can take to comply with the rule.

Footnotes

1. "Supplemental Draft Guidance for Industry: Mitigation Strategies to Protect Food Against Intentional Adulteration," (Feb. 2020), available at: https://www.fda.gov/media/135122/download.

2. See HL Memo – FDA Releases Draft Guidance for FSMA Intentional Adulteration Rule (June 25, 2018).

3. See HL Memo – FDA Releases Second Installment of Draft Guidance for FSMA Intentional Adulteration Rule (March 14, 2019).

4. 81 Fed. Reg. 34,116.

5. The FDMSD in the draft guidance is the same as provided online. FDA also notes that the FDMSD is not an exhaustive list, but does include mitigation strategies for common points, steps, and procedures that are often found at facilities covered under the IA rule.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.