Disgruntled employees. International terrorists. Extortionists. What do these people have in common? They could all potentially be a source of intentional food contamination or tampering. Today, food safety and security threats are real, and it is critical that food manufacturers ensure the food they produce is safe and free from contamination. If not, the risk to a company’s reputation and its bottom line are significant.
“Bio-weapons” such as Salmonella, E. coli, Botulinum, and Shigella can cause foodborne illness when food is contaminated by improper handling or when the contaminants are introduced deliberately into a food or water supply to cause harm. Fortunately, manufacturers have numerous resources at their disposal to ensure food under their control will not be subject to tampering or other malicious, criminal or terrorist actions. Even the smallest manufacturer can couple a HACCP-based, common-sense approach to food safety with standard operating procedures, employee and management training, strong vendor relationships, physical facility readiness and a crisis management plan.
Oversight of Food Security Issues
In the wake of 9/11, the 197th U.S. Congress issued the Public Health Security and Bioterrorism Preparedness and Response Act of 2002. The Act, which deals with the protection of the food supply, calls for registering food suppliers and gives the U.S. Food and Drug Administration the authority to seize and detain contaminated food.
In March 2003, the FDA issued “Food Producers, Processors, and Transporters: Food Security Preventive Measures Guidance.” This Guidance asks facilities to reassess their security for areas in which potential threats could be brought to bear on their products. Areas of concern include:
• Security management – Those responsible for security should have formal training. Security should not be delegated to untrained personnel or to those who have other primary responsibilities.
• Employees – Additional pre-hire screening and increased background checks, on-the-job surveillance and limiting of employee access to restricted areas are recommended to help ensure that employees do not become a source of tampering.
• Public access – Facilities and shipping companies need to assess how easy it is for someone to gain access, both during the day and at night or when the facilities are closed. Locked doors, sealed trailers, and 24-hour security cameras are recommended.
• Facility access – Food manufacturers are required to re-evaluate their policies on visitors, truck drivers, contractors, etc. Are visitors always accompanied? Do they have proper passes or ID badges so that regular employees can easily identify them as visitors?
•Laboratory controls – Manufacturers with food laboratories must implement measures to prevent pathogens and potentially harmful chemicals from getting into production areas.
•Finished products – How are products protected during storage and transportation? This includes on-site storage, as well as storage in warehouse facilities, trucks, rail cars, etc.
• Mail/packages – How are incoming goods evaluated for tampering?
• Computers – Who has access to computer data on product formulations and shipping routes? Could that information be compromised or stolen?
In May 2003, the FDA issued a proposed rule providing procedures for the detention of an article of food, if an officer or qualified employee of the FDA has credible evidence or information indicating that such an article presents a threat of serious adverse health consequences or death to humans and animals. This proposed rule subsequently went into effect on July 6, 2004. This ruling gives the FDA previously unavailable powers to seize and detain food items.
Section 305 of the Bioterrorism Preparedness and Response Act of 2002 also gives the FDA authority to require every food manufacturer (domestic or foreign) to register with the FDA and obtain a bioterrorism registration number. While facilities that come under the jurisdiction of the U.S. Department of Agriculture are exempt, this requirement allows the FDA to know who is manufacturing and distributing food products so that they are able to enforce their regulations.
In a final ruling on the Bioterrorism Act, issued in December 2004, the FDA was been given authority to rapidly remove any potentially contaminated product from the supply chain. In order for the FDA to be able to do this, food processors are required to establish and maintain records that allow them or their transporters and distributors to rapidly locate and isolate any potentially contaminated food product or ingredient. This involves keeping records of code dates and lot numbers on all products and ingredients entering the processing facility or being placed in trailers, tankers or other conveyance methods for distribution. The overall goal is to be able to track these items as they come in and move through a facility.
Another important regulation from the Bioterrorism Act deals with Prior Notice of Imported Food. Issued in December 2003 and most recently updated in November 2004, this requires all importers to submit paperwork on incoming shipments before those shipments arrive in the U.S. Failure to provide such advance notice results in those food items being barred from entry into the U.S.
Managing Food Security
Developing a proactive, risk-based management approach to assessing and preventing malicious food contamination is the best way to adhere to FDA and other government regulations in the interest of protecting the food supply. Many in the industry recommend applying a Hazard Analysis Critical Control Points (HACCP) program for hazard analysis, prevention, monitoring and verifying food security, particularly as it relates to vendor assurance, facility security, employee and management security, and plant operations.
For example, David Park of Food-Defense, LLC, in a presentation at Food Manufacturing’s Processing Technology Expo on Ensuring Food Safety, suggests using HACCP food safety plans as a benchmark for assessing food security. Park argues for establishing Critical Security Points and introducing detection and mitigation technologies around gaps in food security. He notes that a HACCP program for food security contains many of the same steps as a traditional HACCP program for food safety:
1. Identify the hazards.
2. Assess the risks.
3. Analyze the risk control measures.
4. Make control decisions.
5. Implement risk controls.
6. Supervise and review.
Importance of Audits
A tested food security plan will ensure that a crisis situation can be handled smoothly. Today, there are third-party audit firms which can test and evaluate food security plans. Some foodservice operators, in fact, are requiring their suppliers (the food manufacturers) to be audited on a regular basis as part of their vendor assurance strategy.
Following are some of the key areas that could be evaluated during a food security audit:
Vendor Assurance. Because even manufacturers with airtight facility security can still be at risk if incoming ingredients and products are tainted, manufacturers should require all of their ingredient and food product suppliers to provide documentation on their food safety and security practices (much like you would do for a food retailer or foodservice operator who purchases your products). An audit may check to ensure that this documentation extends to all systems that will rapidly notify your facility in the event of a recall or product contamination issue. An auditor may also ask you to verify that your food security program identifies primary and back-up contacts within your organization that can be reached 24 hours a day, 7 days a week.
Auditors may ask to see delivery records to ascertain whether all deliveries are restricted to scheduled times and that both inbound and outbound vehicles are inspected. They will look for evidence that all deliveries are immediately reconciled with what was ordered, with special attention paid to any missing items as well as any additional items that were not ordered. Receiving personnel should be inspecting all incoming products for signs of tampering, counterfeiting, contamination or damage and should reject any suspicious item.
Facility Security. During a food security audit, expect the security of all doors, windows, ventilation systems, utility rooms and roof openings to be checked. Manufacturers can protect their perimeter by establishing clear zones for employees, customers and visitors and by implementing a program to account for all employee keys and visitor badges. It is especially important to restrict entry of unauthorized staff, vendors and customers from food/ingredient storage, chemical storage and production areas. Auditors may check that all employee personal items like clothing and purses are stored away from food storage and production areas. They may also check that all hazardous materials, such as cleaning chemicals are routinely logged and tracked and that if anything is missing, it is promptly investigated.
Employee Security. Auditors may ask to see records of pre-hire employee screening, especially as it relates to immigration status and criminal background – though this should be done without regard to an applicant’s race, religion or ethnic background. Manufacturers should pay special attention to contract, seasonal or temporary employees. Auditors may check to see that all employees are wearing identification at all times and are allowed access only to those areas essential to perform their required task. Part of safeguarding employee identification means collecting employee IDs, badges and uniforms upon termination or resignation.
While employees can potentially be a source for food tampering, they also can be a manufacturer’s best defense in preventing security breaches that would allow for deliberate attacks. That is why food security awareness should be incorporated into new hire orientation and ongoing training for existing employees. In addition to educating employees on how to identify and prevent problems, make sure they know how to report and respond to actual or suspicious actions or threats. A confidential “tipline” makes it easier for employees to report suspicious activities.
Plant Operations. At a minimum, a food security auditor will want to evaluate a manufacturer’s written standard operating procedures (SOPs) and Good Manufacturing Practices (GMPs). Sanitation schedules and procedures, cooking/cooling/holding time and temperature logs, pathogen “kill” steps, product sampling, cross-contamination prevention, product labeling/packaging (including coding and expiration dates), water and other utilities, and HVAC and refrigeration are just some of the operational areas that can be evaluated during a food safety audit.
Don’t forget a key element of any food security program: establish a step-by-step crisis management plan (including internal and external communications) so that you can respond to tampering or contamination actions.