Intentional Adulteration Mitigation Strategies – Initial Draft Guidance

The FDA Food Safety Modernization Act contained provisions aimed at preventing intentional adulteration from acts intended to cause wide-scale harm to public health, including acts of terrorism targeting the food supply.  This was the first time that covered companies were legally required to create a food defense plan.  Covered companies generally include both domestic and foreign companies that are required to register with FDA as food facilities under the Federal Food, Drug, and Cosmetic Act.  Each covered facility is required to prepare and implement a food defense plan.  This written plan must identify vulnerabilities and actionable process steps, mitigation strategies, and procedures for food defense monitoring, corrective actions, and verification.   A reanalysis is required every three years or when certain criteria are met, including mitigation strategies that are determined to be improperly implemented.

FDA has published notice of the availability of an initial draft guidance, Mitigation Strategies to Protect Food Against Intentional Adulteration: Guidance for Industry (June 2018), intended to help industry implement and comply with the intentional adulteration final rule (IA rule), codified at 21 C.F.R. Part 121.  To ensure that FDA considers your suggestions on this draft guidance before it begins work on the final version of the guidance document, your comment must be submitted electronically or in writing by December 17, 2018.    

This initial draft guidance is the first of 3 that FDA will publish in establishing the final version of the guidance document.  See Statement from FDA Commissioner Scott Gottlieb, M.D., on new guidance to help manufacturers implement protections against potential attacks on the U.S. food supply (June 19, 2018).  The finalized guidance will be a multi-chapter guidance to help food facilities required to comply develop and implement some of the components of a food defense plan, and meet other requirements under Part 121.  The remaining two installment drafts are expected to come out later this year.  Covered companies without a delayed compliance date must comply with Part 121 by July 26, 2019.  Smaller companies will have to comply one or two years later.       

The initial draft guidance contains the following chapters:

• Introduction
  • The Introduction includes definitions of terms used in the guidance. Terms not previously defined in Part 121, but important for the guidance, include:
    • CARVER + Shock: An adapted military targeting tool that assesses vulnerabilities of the food and agriculture sector. CARVER is an acronym for six attributes used to evaluate the attractiveness of a target for attack: Criticality, Accessibility, Recuperability, Vulnerability, Effect, and Recognizability.
    • Food defense plan: A set of written documents that is based upon food defense principles and incorporates a vulnerability assessment, includes mitigation strategies, and delineates food defense monitoring, corrective action, and verification procedures to be followed. (21 CFR 121.126).
    • Food defense qualified individual: An individual who meets the requirements in 21 CFR 121.4(c)(1) and (2) to do or oversee the activities listed in 21 CFR 121.4(c)(3).
    • Fundamental elements: The three elements that must be evaluated for each point, step, or procedure in a facility’s food process when conducting a vulnerability assessment. (21 CFR 121.130(a)). These elements are (1) The potential public health impact (e.g., severity and scale) if a contaminant were added; (2) The degree of physical access to the product; and (3) The ability of an attacker to successfully contaminate the product. (21 CFR 121.130(a)).
    • Key Activity Types (KAT): The four activity types identified by FDA through an analysis of the results of over 50 vulnerability assessments as the activities consistently ranked as the most vulnerable, regardless of the food commodity assessed. The KATs reflect significant vulnerabilities to intentional adulteration caused by acts intended to cause wide scale public health harm. The four KATs are: bulk liquid receiving and loading, liquid storage and handling, secondary ingredient handling, and mixing and similar activities.
  • The Introduction also specifies the exemptions from Part 121.
• Chapter One—The Food Defense Plan
  • This chapter explains what a food defense plan (FDP) is; the required components of a FDP; and the individuals needed and useful for developing or overseeing the development of the FDP.
  • It provides the required FDP components in some detail:
    • Vulnerability assessment to identify significant vulnerabilities and actionable process steps, including an explanation of why each point, step, or procedure was or was not identified as an actionable process step (21 CFR 121.130);
    • Mitigation strategies for each actionable process step and written explanations of how each mitigation strategy sufficiently minimizes or prevents the significant vulnerability associated with the actionable process step (21 CFR 121.135);
    • Food defense monitoring procedures for the implementation of the mitigation strategies, as appropriate to the nature of the mitigation strategy and its role in the facility’s food defense system (21 CFR 121.140);
    • Food defense corrective action procedures that must be taken if mitigation strategies are not properly implemented, as appropriate to the nature of the actionable process step and the nature of the mitigation strategy (21 CFR 121.145); and
    • Food defense verification procedures for verification activities, as appropriate to the nature of the mitigation strategy and its role in the facility’s food defense system (21 CFR 121.150).
  • This chapter also confirms that there is no standardized or required format for an FDP, and note that an appendix to this guidance (see below) includes sample FDP worksheets for particular components of a FDP.
• Chapter Two—Vulnerability Assessment to Identify Significant Vulnerabilities and Actionable Process Steps
  • This chapter addresses how to conduct a vulnerability assessment (VA) to identify significant vulnerabilities and actionable process steps.
  • One appropriate method for conducting a VA is the KAT method. [Note:  Forthcoming FDA guidance will include information on conducting VAs using the three fundamental elements, as well as combination of the three fundamental elements and the KAT methods.]
  • Preliminary steps to a VA are:
    • Assemble a food defense team;
    • Describe the product under evaluation;
    • Develop a process flow diagram; and
    • Describe the process steps.
  • FDA analysis has resulted in two important findings:
    • Criticality, Accessibility, and Vulnerability were the three CARVER + Shock elements identified as the most important to consider when conducting facility-specific Vas; and
    • The four KAT consistently ranked as the most vulnerable, regardless of the food commodity assessed, and reflect significant vulnerabilities to intentional adulteration caused by acts intended to cause wide-scale public health harm.
  • Descriptions are provided for the four KAT:
    • Bulk liquid receiving and loading;
    • Liquid storage and handling;
    • Secondary ingredient handling; and
    • Mixing and similar activities.
  • Process steps that fit within one or more of the KAT are actionable process steps.
• Chapter Three—Mitigation Strategies for Actionable Process Steps
  • This chapter provides advice on how to identify and implement mitigation strategies for the actionable process steps identified during a VA.
  • The nature of mitigation strategies is different from the nature of preventive controls put in place for food safety purposes. Mitigation strategies are intended to minimize or prevent intentional adulteration, while preventive controls are intended to minimize or prevent the occurrence of an unintentionally introduced food safety hazard.
  • Mitigation strategies for the actionable process steps should be:
    • Customized to the process step at which they are applied;
    • Tailored to existing facility practices and procedures; and
    • Directed toward the actionable process step’s vulnerability, including vulnerability to an inside attacker.
  • In most circumstances, mitigation strategies should be designed to:
    • Minimize the accessibility of the product to an inside attacker; or
    • Reduce the opportunity for an inside attacker to contaminate the product; or
    • A combination of both.
  • Mitigation strategies found within FDA’s Food Defense Mitigation Strategies Database (see below) generally are designed to address degree of physical access and/or an attacker’s ability to contaminate the food.
  • Facility-wide security measures may be revised/adopted as food defense measures.
  • This chapter provides mitigation strategy example scenarios and worksheets.
• Chapter Four—Mitigation Strategies Management Components: Food Defense Monitoring
  • This chapter overviews implementing the food defense management component of the IA rule.
  • Food defense monitoring procedures should answer four questions:
    • What will be monitored?
    • How will monitoring be done?
    • How often will monitoring be done (frequency)?
    • Who will do the monitoring?
  • The chapter discusses implementing each.
  • The chapter also explains requisite food defense monitoring records, using the example scenarios from the previous chapter.
• Appendix—Food Defense Plan Worksheets
  • This appendix provides models for a FDP’s:
    • Cover Sheet;
    • Product Description;
    • Vulnerability Assessment Analysis Summary;
    • Mitigation Strategies; and
    • Mitigation Strategies Management Components.

Additional assistance with IA rule compliance is available at:

• Food Defense Plan Builder
• Food Defense Plan Builder Download
• Food Defense Mitigation Strategies Database
• Analysis of Results for FDA Food Defense Vulnerability Assessments and Identification of Activity Types