On May 27, 2016, the Food and Drug Administration issued its final rule to implement the intentional adulteration provisions in Sections 418, 419, and 420 of the Federal Food, Drug, and Cosmetic Act (FD&C Act), each of which was created by the FDA Food Safety Modernization Act (FSMA).1 FDA issued a proposed rule to implement the intentional adulteration provisions in December 2013.2 The final rule creates new Part 121 of Title 21 of the Code of Federal Regulations (CFR). Although the final rule retains many essential features of the proposal, FDA has made a series of specific changes in response to stakeholder comments.
The final rule is effective July 26, 2016. Companies generally have 3 years from the effective date to comply with the final rule, i.e., July 26, 2019. Small businesses (< 500 full-time equivalent employees) must comply within 4 years, i.e., July 27, 2020. Failure to comply with the applicable requirements once the compliance date passes constitutes a "prohibited act" under Section 301 of the FD&C Act.3
I. Key Differences Between Proposed Rule and Final Rule
Throughout the final rule and as discussed in detail in the preamble to the rule FDA has added revisions and clarifications to respond to specific stakeholder comments and concerns. Although the core components of the intentional adulteration requirements remain substantially similar to those in
1 Mitigation Strategies to Protect Food Against Intentional Adulteration; Final Rule, 81 Fed. Reg. 34166 (May 27, 2016), available at: https://www.gpo.gov/fdsys/pkg/FR-2016-05-27/pdf/201612373.pdf.
2 Focused Mitigation Strategies To Protect Food Against Intentional Adulteration; Proposed Rule, 78 Fed. Reg. 78014 (Dec. 24, 2013), available at: http://www.gpo.gov/fdsys/pkg/FR-2013-1224/pdf/2013-30373.pdf.
3 FD&C Act 301(uu) and (ww).
KELLER AND HECKMAN LLP
the proposal, a non-exhaustive description of key differences between the proposal and the final rule is provided below:
Longer Compliance Timelines: Under the proposal, facilities generally would have had one year from the effective date to comply with the new requirements. In response to stakeholder requests, FDA has extended the compliance timeline to three years for most facilities and four years for small businesses.
Clarified Exemption for "Very Small Businesses": Under the proposal, a "qualified facility" would have been exempt from the new requirements. In the final rule, FDA has removed the term "qualified facility" and replaced it with "very small business." The Agency has clarified that a "very small business" (averaging less than $10 million per year (adjusted for inflation) in both annual sales of human food plus the market value of human food manufactured, processed, packed, or held without sale) is exempt from the new requirements, except that the facility is required to provide documentary proof that it qualifies for this exemption, upon request.
New Exemption for Certain On-Farm/Low Risk Activities Performed by Small and Very Small Businesses: FDA has established an exemption from the new requirements for on-farm manufacturing, processing, packing, or holding by a small or very small business of eggs and game meats if such activities are the only activities conducted by the business subject to Section 418 of the FD&C Act (i.e., hazard analysis and risk-based preventive controls).
Deletion of "Key Activity Types": In the proposal, FDA identified four specific "key activity types" that the Agency determined to be associated with vulnerabilities that would require facilities to implement mitigation strategies: (1) bulk liquid receiving and loading; (2) liquid storage and handling; (3) secondary ingredient handling; and (4) mixing and similar activities. In the final rule, FDA has removed these key activity types from the text of the regulations, finding them more appropriate for inclusion in guidance. However, facilities still may use key activity types in their vulnerability assessments.
Identification of Elements to Evaluate in Vulnerability Assessments: The final rule specifies three elements that must be evaluated when a facility conducts a vulnerability assessment: (1) the potential public health impact (e.g., severity and scale) if a contaminant were added; (2) the degree of physical access to the product; and (3) the ability of an attacker to successfully contaminate the product.
"Inside Attacker" Potential Must be Considered: Although the proposed rule did not cover acts of disgruntled employees, FDA specifies in the final rule that the vulnerability assessment must consider the possibility of an inside attacker.
KELLER AND HECKMAN LLP
Shift from "Focused Mitigation Strategies" to "Mitigation Strategies": Although the proposal would have required facilities to implement "focused mitigation strategies"
at each actionable process step, the final rule characterizes these food defense measures simply as "mitigation strategies."
Enhanced Flexibility in Mitigation Strategy Management Components: FDA
revised the food defense monitoring, corrective actions, and verification requirements to provide that they are required "as appropriate to ensure the proper implementation of the
mitigation strategies, taking into account the nature of each such mitigation strategy and its role in the facility's food defense system." Additionally, the requirement to document
food defense monitoring now permits the use of exception records.
II. Summary of Requirements in the Final Rule
Although a detailed description of all requirements in the final rule is beyond the scope of this summary memo, below we provide a synopsis of key requirements and definitions intended to implement the rule.
The final rule establishes criteria for "food defense" plans that facilities must implement to address hazards that may be introduced with the intention to cause wide scale public health harm. The rule applies generally to facilities that manufacture, process, pack, or hold human food for consumption in the United States and that are required to register under Section 415 of the FD&C Act.
Certain facilities are exempt from compliance with the intentional adulteration requirements, as follows:
"Very Small Business" (averaging less than $10 million per year (adjusted for inflation) in both annual sales of human food plus the market value of human food manufactured, processed, packed, or held without sale) Holding of food, except the holding of food in liquid storage tanks Packing, re-packing, labeling, or re-labeling of food where the container that directly contacts the food remains intact Activities of a farm subject to Section 419 of the FD&C Act (produce safety standards) Alcoholic beverages at a facility required to obtain a permit from, register with, or obtain approval from the Secretary of the Treasury as a condition of doing business in the
21 CFR Reference 121.5(a)
Applicability of Food Defense Requirements
Exempt, except that facility is required to provide for official review, upon request, documentation sufficient to show that the facility qualifies for this exemption
Exempt, and exemption also applies to food at alcoholic beverage facilities provided that such food: (1) is in prepackaged form that prevents direct
KELLER AND HECKMAN LLP
Manufacturing, processing, packing, or holding of food for animals other than man Manufacturing, processing, packing, or holding of the following foods on a farm mixed-type facility, when conducted by a small or very small business if such activities are the only activities conducted by the business subject to Section 418 of the FD&C Act: (1) eggs (in-shell, other than raw agricultural commodities, e.g., pasteurized); and (2) game meats (whole or cut, not ground or shredded, without secondary ingredients)
human contact with the food; and (2) constitutes not more than 5% of the overall sales of the facility. Exempt
For covered facilities, the final rule requires the owner, operator, or agent in charge of the facility (shortened to "the facility" in this memo) to prepare and implement a written food defense plan. 21 CFR 121.126. The food defense plan and its elements must be prepared, implemented, and reanalyzed by a "qualified individual," which means someone who has the education, training, or experience (or a combination thereof) necessary to perform required food defense activities, as appropriate to the individual's assigned duties. 21 CFR 121.3. A food defense plan must include the following elements, each of which is associated with recordkeeping obligations:
1. Vulnerability Assessment (21 CFR 121.130)
Facilities must conduct a vulnerability assessment for each type of food manufactured, processed, packed, or held, using appropriate methods to evaluate each point, step, or procedure in the operation to identify significant vulnerabilities and actionable process steps.4 Appropriate methods must include the evaluation of the following three factors, at a minimum: (1) the potential and public health impact (e.g., severity and scale) if a contaminant were added); (2) the degree of physical access to the product; and (3) the ability of an attacker to successfully contaminate the product. The assessment must consider the possibility of an inside attacker, e.g., intentional contamination caused by a disgruntled employee.
4 A "significant vulnerability" is a vulnerability that, if exploited, could reasonably be expected to cause wide scale public health harm. An "actionable process step" is a point, step, or procedure in a food process where a significant vulnerability exists and at which mitigation strategies can be applied and are essential to significantly minimize or prevent the significant vulnerability. 21 CFR 121.3.
KELLER AND HECKMAN LLP
Although FDA no longer identifies four specific key activity types as focal points for vulnerability assessments in the final rule, the Agency notes in the preamble that "using key activity types remains as one appropriate vulnerability assessment method" and FDA intends to include the key activity types in guidance in the future. Thus, facilities may still continue to use FDA's previouslyidentified key activity types as the starting point for their vulnerability assessments, namely:
o (1) Bulk liquid receiving and loading;
o (2) Liquid storage and handling;
o (3) Secondary ingredient handling (e.g., a staging, preparation, addition, or rework step where a contaminant added to a relatively small quantity of food has the potential for distribution into a larger volume of food); or
o (4) Mixing and similar activities (e.g., blending, homogenizing, grinding).
Regardless of the conclusion, the vulnerability assessment must be written and must include explanations regarding why each point, step, or procedure either was or was not identified as an actionable process step.
2. Mitigation Strategies (21 CFR 121.135)
Facilities must identify and implement written mitigation strategies at each actionable process step to provide assurances that the significant vulnerability at each step will be significantly minimized or prevented and the food manufactured, processed, packed, or held by such facility will not be adulterated under Section 402 of the FD&C Act. The food defense plan must include a written explanation of how each mitigation strategy sufficiently minimizes or prevents the significant vulnerability associated with the actionable process step.
FDA does not prescribe particular mitigation strategies that would be appropriate for a given facility. In the preamble to the final rule, the Agency clarifies that the same actionable process step may be protected in a variety of ways. For example, if a facility seeks to protect its liquid storage tank actionable process step, it may:
Determine that a lock significantly reduces access to the liquid food stored in the tank by rendering the hatch inaccessible and may include this explanation in its food defense plan; or
Develop a policy to require two or more employees to be in the area at all times, including in its explanation the rationale that this "buddy system" reduces the opportunity and ability of an attacker to bring a contaminant into the vulnerable production area without being detected.
KELLER AND HECKMAN LLP
3. Mitigation Strategies Management Components (21 CFR 121.138)
Facilities must establish the following mitigation strategies management components as appropriate to ensure the proper implementation of the mitigation strategies, taking into account the nature of each such mitigation strategy and its role in the facility's food defense system: (1) food defense monitoring; (2) food defense corrective actions; and (3) food defense verification.
a. Monitoring ( 121.140)
As appropriate, the facility must establish and implement written procedures, including the frequency with which they are to be performed, for monitoring the mitigation strategies. Monitoring must take place with "adequate frequency" to ensure that the mitigation strategies are consistently performed. All monitoring must be documented in records subject to verification and records review. FDA permits the use of affirmative records demonstrating the mitigation strategy is functioning as intended, although exception records demonstrating the mitigation strategy is not functioning as intended may be adequate in some circumstances.
b. Corrective Actions ( 121.145)
As appropriate, the facility must establish and implement written corrective actions that must be taken if mitigation strategies are not properly implemented. All corrective actions must be documented in records subject to verification and records review.
c. Verification ( 121.150)
As appropriate, the facility must: (1) verify that monitoring is being appropriately conducted; (2) verify that appropriate decisions about corrective actions are being made; (3) review the records associated with monitoring and corrective actions and perform other appropriate verification activities to ensure that mitigation strategies are properly implemented and are significantly minimizing or preventing the significant vulnerabilities; and (4) verify reanalysis of the food defense plan.
All verification activities taken in accordance with the above need to be documented in records.
4. Reanalysis (21 CFR 121.157)
The facility must conduct a reanalysis of the food defense plan:
At least once every 3 years.
Whenever a significant change is made in the activities conducted at the facility such that the change creates a reasonable potential for a new vulnerability or a significant increase in a previously identified vulnerability.
Whenever the owner, operator, or agent in charge becomes aware of new information about potential vulnerabilities associated with the food operation or facility.
KELLER AND HECKMAN LLP
Whenever a mitigation strategy, a combination of mitigation strategies, or the overall food defense plan is not properly implemented.
Whenever FDA requires reanalysis to respond to new vulnerabilities, credible threats to the food supply, and developments in scientific understanding, including, as appropriate, results from a Department of Homeland Security biological, chemical, radiological, or other terrorism risk assessment.
The facility must complete a reanalysis and implement any additional mitigation strategies needed (if any) before the change in activities at the facility is operative or, when necessary, within 90 calendar days after production (although the timeframe may be extended where "written justification" is provided).
5. Recordkeeping Requirements (21 CFR Part 121, Subpart D)
All records required under the food defense provisions are subject to specific recordkeeping requirements, including the requirement that the food defense plan be stored onsite at the facility. Other records may be stored offsite provided that such records can be retrieved and provided onsite within 24 hours of a request for official review. Records must be retained for at least 2 years after the date of preparation.
All records required under this part must be made promptly available to a duly authorized representative of the Secretary of Health and Human Services for official review and copying upon oral or written request. Records will be protected from public disclosure to the extent allowable under 21 CFR Part 20.
To the extent that existing records contain all of the information required under the food defense requirements, they do not need to be duplicated. The information required by the final rule does not need to be kept in one set of records, so to the extent that the new requirements may be met by supplementing existing records with new information, this approach is permissible.
We will continue to monitor and report on FDA's activities to implement the food defense requirements and other FSMA related activities.
4813-7498-6034, v. 1