The FDA’s Food Safety Modernization Act (FSMA) has been called the most sweeping reform of U.S. food safety laws in eight decades. Its main purpose is to protect public health using a proactive, instead of reactive, approach to food safety. FSMA also granted the FDA new enforcement authorities to improve compliance with prevention- and risk-based food safety practices. Because it encompasses such a robust overhaul of food safety regulation, efforts to finalize laws and put legislation into effect have been ongoing since FSMA was signed into law in 2011. By now, however, many compliance dates have passed, and food and beverage companies under FSMA are responsible for the development and implementation of a FSMA-compliant food safety program.
What is FSMA?
For Food & Beverage companies, FSMA is a critical pillar of compliance which calls for a compressive food safety program. Here, we’ll review critical information to help your facility achieve and maintain FSMA compliance, including FSMA requirements and regulations.
The following guide will review key need-to-know components of FSMA, including:
The Background & History of FSMA
What Prompted the FDA to Develop FSMA?
A Brief History of FSMA
Who is Affected by FSMA?
The Preventive Controls for Human Food Rule
Foreign Supplier Verification Programs (FSVP) Rule
Intentional Adulteration (IA) Rule
Intentional Adulteration Inspections
Implementation of a FSMA-Ready Food Safety Plan
Product & Facility Plan
Quick Checks on Your Written FSMA Food Defense Plan
Monitoring & Verification
CAPA & Reanalysis
The Background & History of FSMA
What Prompted the FDA to Develop FSMA?
Beginning in 2009, a host of high-profile food recalls took place, spurring the FDA to update the nation’s food safety system. Among the most noteworthy of these recalls was the multi state outbreak of salmonella found in peanut butter from 2008 to 2009. The CDC reports 714 people fell ill as a result of exposure and the infection reached people in 46 different states, as well as one resident of Canada. It is also suspected that the infection contributed to nine deaths. As a result of the outbreak, a jury in Georgia convicted a former peanut company owner guilty of fraud, conspiracy, and other federal charges in 2014. It marked the first federal felony conviction of an executive in a food safety case. Many other recalls have gained national attention since, stemming from pathogens such as E. coli and listeria found within spinach, ice cream, cantaloupe, and more popular food products.
In addition to these isolated incidents, the overall statistics of foodborne illnesses in the U.S. have been startling: every year, one in six Americans – or 48 million people – becomes sick from a foodborne disease, while 128,000 people are hospitalized and 3,000 deaths occur.
A Brief History of FSMA
The September 11th terrorist attack in 2001 influenced the government to enhance U.S. security across all realms. In 2002, President Bush signed the Bioterrorism Act into law, which granted the FDA administrative detention authority over food items presenting a threat of serious health issues to people or animals. FSMA was then created in 2009, broadening the FDA’s authority and allowing for administrative attention based on any reason to believe a food item has been adulterated.
The Food Safety Enhancement Act was passed by the House in 2009, but following negotiation with the Senate, it transformed into the Food Safety and Modernization Act. The Senate passed the final bill in 2010, and the House approved it shortly thereafter. President Barack Obama signed it into law in January of 2011.
The FDA’s key dates for FSMA Final Rules span the greater part of a decade, with the Preventive Controls for Human Food Final Rule having been published in September 2015, and the proposed compliance dates for very small farms under the Produce Safety Regulation extending all the way to January 2024. Each facility’s ability to understand the ways in which FSMA impacts its operations is central to ensuring compliance by the appropriate deadlines.
Who Does FSMA Apply To?
Under FSMA, all food producers, including manufacturers, processors, packers, and distributors, must comply with general FSMA requirements unless otherwise exempted, with the exception of USDA regulated meat, poultry, and egg producers. These requirements include biannual registration with the FDA, development and implementation of a food safety plan with preventive controls based on a hazard analysis, and development and implementation of a food defense plan with mitigation strategies based on a vulnerability assessment. Companies that fall under FSMA must also promptly report to the FDA’s Reportable Food Registry upon the discovery of any foods that could lead to adverse health effects. Dairy farms, with the exception of exempted very small dairy farms, are also included in the Intentional Adulteration Rule of FSMA.
What Are the FSMA Regulations?
The FDA has determined compliance dates for rules that form the foundation and implementation of FSMA based on company size and characterizes enterprises on a rule-by-rule basis as follows:
The Preventive Controls for Human Food Rule
The Preventive Controls for Human Food Rule is the crux of FSMA requirements. It focuses on the prevention of problems which could cause foodborne illnesses through the implementation of risk-based preventive controls to prevent or minimize identified hazards. FSMA compliance dates were staggered as follows:
Very Small Businesses - Businesses that average less than $1 million per year. Compliance date: September 17, 2018
Small Businesses- Businesses with fewer than 500 full-time employees. Compliance date: September 18, 2017
Other Businesses - Businesses that average equal to or more than $1 million per year. Compliance date: September 19, 2016
While compliance dates for the Preventive Controls for Animal Food Rule are the same as listed above, FDA defines very small and other businesses differently for this rule, with very small businesses earning less than $2.5 million, and others earning that figure or more.
Foreign Supplier Verification Program (FSVP) Rule
The Foreign Supplier Verification Programs (FSVP) Rule applies to importers of human and animal foods. It requires importers to perform risk-based activities to ensure that food imported into the U.S. meets FDA safety standards.
FSMA compliance dates are based on a number of factors, including the size of the foreign supplier, nature of the importer, and whether the foreign supplier meets FSMA’s Preventive Controls rule. Compliance dates began in May 2017 and will continue into 2021, so any importers that have not yet done so should review dates on the FDA’s official website.
Rule International Adulteration (IA) Rule
The Intentional Adulteration (IA) Rule aims to prevent purposeful acts intended to cause wide-scale harm to public health. Compliance dates are as follows:
Very Small Businesses - Businesses averaging less than $10 million per year are exempt but must provide documentation to show qualification for exemption by July 26, 2021.
Small Businesses- Businesses employing fewer than 500 full-time employees. Compliance date: July 27, 2020.
Other Businesses - Businesses averaging equal to or more than $10 million per year. Compliance date: July 26, 2019.
Farms earning more than $25,000 annually are also subject to the various components of the Produce Safety Rule, which has compliance dates ranging from 2016 to 2024.
What Are the FSMA Compliance Requirements?
FSMA requirements encompass six key components: a product and facility plan, risk assessment, preventive controls, monitoring, CAPAs and reanalysis, and documentation. One important method for companies under the FDA’s Food Safety Modernization Act (FSMA) to follow is HARCP. Each element is covered in greater depth below and if you want to learn more about HARPC check out our blog What is a HARPC Plan & Does Your Company Need One?
1. Product & Facility Plan
Food companies under FSMA governance must develop a written food safety plan for each product or group of similar products as well as the facility itself. This could require thousands or even tens of thousands of plan components, incorporating elements such as PRPs, CCPs, specifications, and more. There must also be demonstrable proof that product and facility plans are being implemented and monitored continuously.
2. Risk Assessment
The development of a FSMA compliant food safety plan requires a robust risk assessment. To analyze potential hazards throughout the supply chain, companies must identify and assess all risks that are reasonably likely to occur. Thereafter, they must determine which are most significant. While the FDA does not provide a standard definition of significance, FSMA does indicate that if someone knowledgeable in food safety would see the risk as a hazard that they would want to control in order to protect the public, it should be considered significant.
Potential hazards can include biological, chemical, and physical risks. To identify risks, food safety professionals may consider previous experiences with the product, its past history, or the history of similar products.
3. Preventive Controls
Once risks have been identified, the next step is to establish controls which can be put in place to mitigate them. The preventive controls within a company’s food safety plan should be designed to do all that is possible to prevent potential risks from occurring. It is also important to note that the controls for a FSMA food safety plan can extend beyond hazard analysis critical control points (HACCP), and must also encompass factors such as process controls, allergen controls, sanitation controls, training, and recall plans.
4. Monitoring & Verification
The only way to confirm that a FSMA food safety plan is working effectively is to actively monitor, verify, and validate preventive controls. The FDA requires continuous monitoring, so not only will plans themselves need to be presented upon audits, but also proof of ongoing tracking. The primary purpose of FSMA is, after all, to prevent food safety outbreaks instead of responding to issues after they arise.
Tracking FSMA plan performance is ultimately up to the discretion of each company. With that said, tracking controls on an ongoing basis and documenting results are two critical aspects of a successful plan. To ensure effectiveness, companies can measure specific parameters such as temperature, monitor an aspect of the environment, test products routinely, or find a similar means of tracking data.
5. CAPA & Reanalysis
Under FSMA, Corrective/Preventive Actions (CAPAs) must be in place when preventive controls fail. Plans and controls must also be revisited periodically to ascertain whether any areas of improvement can be addressed. In general, plans should be readdressed at least every three years, or if a food safety incident occurs and was caused by a failure in preventive controls. The objective of a FSMA food safety plan is to identify CAPAs before they are needed so prompt remedial action can take place in the event it is needed.
With FSMA, it is often said that “if it isn’t documented, you might as well not have done it.” Indeed, every component of a FSMA food safety plan must be documented: the programs that make up the plan, proof of completion and validation, all test results and supplier documents, and CAPAs. The objective is for each facility to be able to tell a narrative about its FSMA food safety plan. This can be simplified through a single, unified system of records. Modern food safety solutions allow users to record, store, track, and retrieve all of the pieces of data for a FSMA food safety plan with ease and convenience.
The level of enforcement on the FDA’s part changes significantly based on industry events. While in past years they have been able to focus on building programs for FSMA, recent outbreaks have demanded the agency’s attention.
The food industry still has yet to see how FDA enforcement of FSMA will take shape. While the FDA originally began with what may have been an approach that was 95% education and 5% regulation, there is now a heavier focus on regulation. There also appears to be variability from one jurisdiction to the next, with some large facilities having yet to experience FDA inspections, while some smaller enterprises have had multiple audits. Additionally, although the use of swabathons is not FSMA-derived, the FDA will likely continue leveraging lab testing and genetic capabilities more and more if they are able to acquire the necessary resources.
Although most FSMA compliance dates have passed, staying up-to-date on evolving regulations will remain critical for Food & Beverage companies. FSMA regulations continue to evolve, with the Finalized Food Traceability Rule in December 2022 and many more on the horizon. As such, implementing a scalable and flexible food safety program will be integral to navigating regulations as they develop.
About SafetyChain Software
SafetyChain is a digital plant management platform for process manufacturers trusted by more than 2,000 facilities to improve plant-wide performance. It unifies production and quality teams with data and insights, tools, and delivers real-time operational visibility and control by eliminating paper and point solutions.
About the author: Tiffany Donica is a Customer Success Coach at SafetyChain Software, with 18+ years of experience in QMS systems integrations and continual process improvement projects relating to HACCP, Root Cause Analysis, and lean manufacturing. She is an expert in GFSI, BRC, and SQF, and has extensive food manufacturing experience, supporting different facilities as QA Manager to FSQA Director.