SafetyChain

A Guide to the FSMA Intentional Adulteration Rule (IA Rule)

Christopher Snabes
Contributing Writer

The FSMA Intentional Adulteration Rule (IA Rule) was established to minimize the potential of mass harm caused by intentional contamination of the US food supply. The FDA has announced September 2024 as the target start of comprehensive enforcement of the FSMA Intentional Adulteration Rule, with a detailed review of the written food defense plan and its implementation on the floor.

Up until September 2024, the FDA has only conducted Food Defense Quick Checks. After the deadline, the FDA will pivot into comprehensive inspections conducted by a Food Defense Inspection Team, consisting of one supervisor and five highly trained Consumer Safety Officers (CSOs). 

The CSOs will issue two “Notice of Inspection” forms (FDA Form 482) upon arrival, one for food safety and one for food defense, and both will be completed by the same CSO on the same day. The CSOs will also be prepared to issue Inspectional Observations forms (FDA Form 483a) should they observe any conditions that, in their judgment, may constitute violations. You will then have 15 business days to address the issue(s).

Are you ready?

Christopher Snabes, Director of Food Safety at TAG, is one of less than 100 people in the world who is certified by the FDA and FSPCA to be an instructor on the IA Rule and food defense vulnerability assessments. In our webinar, Preparing for the FDA’s Enforcement of the Intentional Adulteration Rule, Snabes gives an inside scoop on what to expect from these comprehensive inspections. 

In this blog, we’ll provide an in-depth overview of the FSMA Intentional Adulteration Rule, including what it is, who it applies to (and when), and how to prepare a compliant FDA Food Defense Plan that adheres to the IA Rule.

What Is The FSMA Intentional Adulteration Rule?

The FSMA Intentional Adulteration Rule minimizes the potential of wide-scale public health harm caused by a person or persons who try to intentionally contaminate the US food supply. 

The greatest risk of intentional adulteration is from an inside attacker. An insider attacker has the following attributes that must be taken into account in compliance actions with the IA Rule:

  • legitimate access to the facility (e.g., an employee, contractor, driver, authorized visitor), 

  • a basic understanding of the facility’s operations and the food product(s) under production, 

  • the ability to acquire and deploy a lethal contaminant, 

  • and the intent to cause wide-scale public health harm.

Contaminants may be biological, chemical, radiological, or physical in nature. Below are some examples of each.

  • Biological contaminants: parasites, pathogens (including biological pathogens

  • Chemical contaminants: pesticide and drug residues, heavy metals, environmental contaminants, histamine due to decomposition, chemicals used to clean manufacturing equipment, natural toxins (e.g., mycotoxins), and synthetically derived compounds)

  • Radiological contaminants: radionuclides in solid, powdered, or liquid form

  • Physical contaminants: “hard/sharp” physical contaminants or “choking” contaminants, such as glass, metal, plastic, wood, and stone that can cause dental damage, laceration of the mouth or throat, laceration or perforation of the intestine, choking, or death.

To account for the risk of intentional adulteration, particularly from an inside attacker, the FDA is requiring relevant facilities to update their Food Defense and Food Safety Plans to include this rule. Among other requirements, Food Defense Plans require “Actionable Process Steps” (APS) that detail which plant processes have more risk and how that can be mitigated. 

Which Manufacturers Are Affected By The IA Rule?

Applicable Facilities

The IA Rule applies to FDA-regulated foods in the following facilities that manufacture, process, pack, or hold applicable human food (some exemptions below):

  • Human Food Facilities, Domestic, and International currently regulated by the FDA who follow FSMA (for USDA/FDA dual registered facilities, it only covers the FDA-regulated foods being manufactured

  • Acidified foods

  • Bottled Water

  • Dietary Supplements

  • Infant Formula

  • Juice HACCP

  • Low-Acid Canned Food

  • Seafood HACCP

  • Farms that produce Milk

Note: the only IA rule requirement for a very small business is that it must, upon request, provide official review documentation sufficient to show that the facility meets the criteria for the exemption; such documentation must be retained for 2 years. The IA rule’s requirements otherwise do not apply to a very small business.

Prioritized Facilities

Importantly, due to the size constraints of the CSO, only a limited number of facilities will be initially prioritized for inspection. The prioritization will be determined based on a matrix being developed by the FDA based on approximately 43 matrix elements, which will not be made public. 

However, one potential matrix element that the agency has discussed as an example of being a potential cause for a prioritized inspection is whether the facility has been documented in the past as having had an inadequate food safety plan.

Exempt Facilities

Facilities not subject to the IA Rule include:

  • Very small businesses that meet the exemption criteria, as discussed above (less than $11.2 million in revenue).

  • The holding of food, except the holding of food in liquid storage tanks. Examples of holding food that are not covered by the IA rule include the storage of whole grains, shell eggs, fruits and vegetables, and packaged foods (including packaged orange juice). Examples of holding foods that are covered by the IA rule include the storage of liquid milk, juice, or syrup in storage tanks.

  • The packing, re-packing, labeling, or re-labeling of food where the container that directly contacts the food remains intact. An example of packing is placing a variety of individually wrapped bite-sized candies into a larger variety pack.

  • Farms that are subject to section 419 of the FD&C Act (Notably, dairy farms are subject to the IA Rule.)

  • Alcohol facilities

How To Prepare For The Enforcement Of The FSMA Intentional Adulteration Rule

Complete A Vulnerability Assessment

Conducting a valid vulnerability assessment (VA) is the first step in preparing for the FSMA IA rule. A valid VA considers public health impact, degree of physical access to an Actionable Process Step (APS), and ease of introduction of a contaminant at the APS with the underlying assumption that it will be conducted by an inside attacker. 

 Food fraud vulnerability assessments are NOT the same as food defense vulnerability assessments. The food defense vulnerability assessment conducted in accordance with the IA Rule will have a different scope and requirements than food fraud vulnerability assessments that your company may have completed in the past.

The following vulnerability assessment methods meet the VA requirements for the IA Rule:

  • Key Activity Type (KAT)

  • Three Fundamental Elements

  • Hybrid

The KAT is currently the most popular vulnerability assessment method, but the latter two are expected to gain more popularity as facilities begin to do their first 3-year re-evaluation. This is because the other two methods reduce the number of actual process steps you have, making it easier overall to implement your FDA food defense plan.

Important!

Facilities that only rely on a GFSI-recognized Food Defense Plan and/or a USDA Food Defense Plan do NOT meet the vulnerability assessment requirements for the Intentional Adulteration Rule.

In contrast to the GSFI and USDA Food Defense Plans, the FDA’s Food Defense Plan Builder (FDPB) can help you create an FDA food defense plan that is compliant with the IA Rule — with two important caveats: 

  • You must use Version 2.0 — Version 1.0 is NOT compliant with the IA Rule!

  • It is essential to take the required training before entering data into the FDPB to avoid errors. The FDA has partnered with the Food Safety Preventative Controls Alliance (FSPCA) to provide a free training for the IA Rule.  

Preliminary vulnerability assessment steps

Before conducting a VA, there are four preliminary steps to complete:

1) Assemble a food defense team. 

  • Food Defense Team should include individuals with expertise in the day-to-day operations of your facility. They should be from across a variety of different departments (e.g., quality assurance or quality control, laboratories, management, security, sanitation, maintenance, and other relevant departments) to help provide a complete understanding of the VA process. 

2) Describe the product under evaluation. 

  • Describe, in writing, the product in such a way that your team and others (such as colleagues, corporate office, auditors, and investigators) can clearly understand what foods will be in the VA, including the full names of the finished product and other helpful information. 

3) Develop a process flow diagram. 

  • Write down a list or process flow diagram that outlines the steps involved in processing your food product and its associated ingredients as they “flow” from receipt to product load out.

4) Describe the process steps.

  • From the process flow diagram, describe each process step in detail to help the VA determine whether there is vulnerability. Focus on information that could contribute to the accuracy of the VA, along with helping to identify and implement mitigation strategies and aid in preparing the explanation for why mitigation strategies significantly minimize or prevent a significant vulnerability. Examples could include whether a food is handled manually, whether the processing equipment is in a high-traffic area, and whether rework is incorporated into the product.

Sample Description for a raw juice surge tank step:

“A surge tank is used to control flow rates into the pasteurizer. The surge tank has a maximum capacity of 200 gallons, but typical volumes of juice in the surge tank range from 130-150 gallons. Resident time of juice in the surge tank is approximately 8-10 minutes. The surge tank is generally not accessed during operations, but a lid does provide potential access at the top of the surge tank. The surge tank is cleaned during each weekly cleaning cycle.” 

FDA's Mitigation Strategies to Protect Food Against Intentional Adulteration: Guidance for Industry

Key Activity Type (KAT)

The KATs are four activity types with reflect significant vulnerabilities to intentional adulteration caused by acts intended to cause wide-scale public health harm. The KATs were identified by the FDA through an analysis of the results of over 50 vulnerability assessments as the activities consistently ranked as the most vulnerable, regardless of the food commodity assessed.

The KATs as defined by the FDA are as follows: 

  1. bulk liquid receiving and loading, 

  2. liquid storage and handling, 

  3. secondary ingredient handling, 

  4. and mixing and similar activities. 

To conduct a VA using the KAT method, facilities must assess each point, step, or procedure to determine whether the activities fit within one or more of the KATs.

What happens if you do not identify any APSs?

For each step that you assess, you must write whether it is or is not an APS. Suppose all steps indicate that it does not meet the definition of any of the KATs. In that case, you just have to write a summary saying that your vulnerability assessment has shown that your facility does not have any KATs and therefore we do not need a written food defense plan. 

Three fundamental elements

As implied by its name, the Three Fundamental Elements method requires that your vulnerability assessment include consideration of the following three fundamental elements at each point, step, or procedure that you evaluate:

  • Element 1: Potential Public Health Impact 

  • Element 2: Degree of Physical Access to the Product

  • Element 3: Ability of Attacker to Successfully Contaminate the Product

The FDA recommends using the following table to assess potential public health impact (Element 1) for each point, step, or procedure under evaluation to help differentiate the potential extent of acute public health impact if a contaminant were introduced.

“Evaluating the degree of vulnerability within each of the three fundamental elements, along with the consideration of an inside attacker, provides you a way to identify significant vulnerabilities. If the point, step, or procedure under evaluation has significant vulnerabilities, it is an actionable process step.”

FDA's Mitigation Strategies to Protect Food Against Intentional Adulteration: Guidance for Industry

Hybrid

A hybrid model that combines elements from the KAT and Three Fundamental Elements methods is also acceptable. 

Mitigation Strategies and Mitigation Strategy Management

Each APS identified in the VA must have a mitigation strategy that is specific to your facility and procedures to minimize or prevent intentional adulteration, with particular emphasis on preventing intentional adulteration committed by an insider attacker. Broad mitigation strategies, such as a fence or another barrier around the entire facility, are an example of an insufficient mitigation strategy because it will not aid in the defense of an insider attacker with legitimate access to the facility.

To ensure the mitigation strategies are properly implemented, the IA Rule also requires sufficient mitigation strategy management. This includes appropriate monitoring, corrective actions, and verification as defined by the FDA below:

Mitigation Strategy Management Components

  • Monitoring: Establishing and implementing procedures, including the frequency with which they are to be performed, for monitoring the mitigation strategies.

  • Corrective actions: The response if mitigation strategies are not properly implemented.

  • Verification: Verification activities would ensure that monitoring is being conducted and appropriate decisions about corrective actions are being made.

Training and Recordkeeping

“Facilities must ensure that personnel assigned to the vulnerable areas receive appropriate training; facilities must maintain records for food defense monitoring, corrective actions, and verification activities.”

Christopher Snabes

Food safety training and recordkeeping should come as no surprise as proper documentation is at the heart of successful FSMA compliance. One of the most important inspections during an IA Rule audit is assessing a facility’s plan to monitor, execute, and document corrective actions. 

SafetyChain can be particularly effective in managing the quality and CAPA recordkeeping requirements of the Intentional Adulteration (IA) rule by automating the documentation processes. SafetyChain facilitates the creation, storage, and organization of compliance records with centralized data management that ensures all necessary documentation is accurate, up-to-date, and readily available for inspections. This reduces the manual burden and potential for errors, helping facilities comply with the IA rule's stringent recordkeeping demands.

The Compelling Event For Food Manufacturers

Enforcement of this rule is set to start in late Summer/early Fall 2024. Facilities will have to update their FDA Food Defense Plan to clearly show how they will monitor and verify food safety data so they can issue corrective actions and mitigate risk immediately. A large part of the enforcement is checking what your facility has actually done to start implementing your updated food defense plan.

SafetyChain is helping facilities meet the Food Defense requirements with real-time monitoring and tracking of food safety data, so the shop floor can proactively mitigate issues and implement corrective actions. A few examples of Food Defense Plan items that SafetyChain can help with include:

  • Implementing quality and personnel verifications as products move across the plant, from receiving to shipping and through areas that might allow contractors. 

  • Implementing intuitive tools for operators to mitigate risk, such as digitized checks on a tablet.

  • Requiring supplier Food Defense Actions before receiving raw material.

SafetyChain can have live data up and running in 6 weeks. Reach out to see how we might support your facility.

See why 2,500+ Facilities use SafetyChain

Book A Demo