You are here: Home / Archives for SQF Edition 8

by

Beyond vulnerability assessments

How to verify a food defense plan

The USA FSMA Intentional Adulteration Rule deadline is fast approaching, with implementation required by 26th July.  Food defense plans are our most requested service this month, and not just for companies in the United States.  Businesses that export to the US are also affected.

The Intentional Adulteration (IA) rule

The Intentional Adulteration (IA) rule requires food businesses to identify vulnerable parts of their food manufacturing processes, implement strategies to reduce the vulnerabilities and monitor and verify that those strategies are working.  As part of the verification processes, some experts are recommending that food businesses challenge their food defense system on a regular basis.  Food safety management system standards, including SQF Edition 8, also require that manufacturing facilities challenge their food defense system.  What exactly does it mean to ‘challenge’ a food defense system, and how is that different to monitoring and verification of the system?

Monitoring vs verification vs challenge testing

Monitoring, verification and challenge testing are different, but the terminology can be confusing when used with food defense plans.  Some commentators and trainers are using the three words almost interchangeably; however, the three words actually refer to different elements of a food defense plan.

Monitoring means, at its most basic level, to check that procedures are being followed and that processes are happening as they should.  The checking process must be documented.  So, the act of monitoring is documenting in real time the actions taken to follow a given procedure or the measured outputs of a specific process.

Within a food safety plan, an example of monitoring would be checking the internal temperature of three pies from each batch after a cooling step and recording the temperature on a form.  Within a food defense system, a mitigation strategy might be the implementation of a procedure to lock all external doors, or to leave all external doors locked.  For this procedure, the monitoring activity could be a once-per-shift process of checking and recording the lock/unlock status of each door.

Verification is the process of making sure that monitoring has been done properly.  When cooling pies, for example, verification could include a once-per-shift check by a supervisor or manager that the cooled pie temperatures are being recorded AND that appropriate action has been taken if the temperature has exceeded critical limits.  Verification also includes internal audits; the internal auditor checks that the managers have been signing off the monitoring records, that the records are complete and available for all shifts and that corrective actions have been properly recorded.

In our food defense example, verification could include a check of the door lock monitoring records by a manager or supervisor.  The manager would review the records to see that they were completed on time, at the correct frequency and that any deviations, such as a broken lock, have been identified and actioned correctly.  Verification of door lock status could also be included in a weekly plant walk-through by a manager.  Internal audits would check that all these activities were being done and recorded properly.

Challenge testing is real-world scenario testing of a system’s efficacy.  A challenge test aims to validate whether procedures are effective when implemented as expected, as well as highlighting any failures in implementation.  A challenge test is different to a verification process because it would usually test the implementation and effectiveness of many food defense mitigation strategies rather than focussing on one element such as door locks.

What is the weakest link in your food defense plan?

 

How to conduct a food defense challenge

  1. Decide on a challenge action. For example, a common food defense challenge test is a penetration test, in which an unauthorised person attempts to gain access to a sensitive area.
  2. Create a food defense challenge report. In the report document exactly what you plan to do in the challenge test.  Include what, when, how, who and next steps.

For example: A person unknown to staff (Ms Jane Doe, of Acme Services) will attempt to get from the main reception area into ingredient weighing area A.  She will be wearing a business suit covered by a lab coat.  Once there, she will remain for up to twenty minutes unless challenged by an employee.  She will then leave.

If the intruder is challenged, she will claim to be a new food safety consultant/pest control account manager/new human resources manager and attempt to remain in the area.

  1. Include written contingency plans in case of escalation, for example, what will be done if police are called.
  2. Get approval for the plan from senior management.
  3. In the report record the following:
    • Name of Senior manager who has signed off on this plan.
    • Names of people who have been informed of the challenge test
    • Names of people who will be working in the affected areas at the time of the challenge, have they been trained in food defense?
    • A description of what staff are supposed to do in this scenario; what procedures should be followed.
  4. Define and document the criteria for failure and success; what will happen if the food defense procedures are working 100% correctly; what will happen if the food defense procedures are working only partially; and finally, how might the scenario progress if there is a complete fail of procedures and systems?

For example, if the ‘intruder’ is able to remain in the ingredient weighing area for 20 minutes without being challenged by an employee this could be considered a complete fail of the food defense system.  If the intruder is challenged but can convince the employee to allow them to remain in the area unattended, this could be considered a partial fail; if the employee chooses to remain with the intruder to ‘keep an eye on them’ this could be considered a better outcome than leaving the intruder unattended.

  1. Run the challenge. Have a trusted staff member observe from a discreet distance.
  2. Describe in the report what happened.
  3. Convene a meeting of the food defense team and analyse the results of the challenge test.
  4. Perform root cause analyses and raise corrective action/s for any failures in the system.
  5. Close out corrective action/s
  6. Take action to prevent a scenario like this from reoccurring, based on the root cause analyses.

Learn more about food defense

Register your interest in learning more about food defense by entering your email address in the box below.

We will never supply your email address to anyone without your written permission. View our privacy policy.


 

by

What next?

Now you have a food fraud vulnerability assessment, what comes next?

First make a home for the vulnerability assessment documents so that they can easily be found for reviews and audits.  They should be incorporated into an existing quality manual or food safety manual, with correct document reference numbers and with review dates scheduled in the same way as other sections of the system.  If the business operates a risk register or an enterprise risk management system, talk to the owner of that register about whether it is appropriate to reference the documents in that system also.

Second: communicate!

If food fraud vulnerabilities have been identified the business will need to make a plan to

prevent deter detect

  • Prevent the purchase of fraudulent ingredients or products
  • Deter fraudsters from adulterating materials that your business is going to purchase
  • Deter counterfeiters from copying or ‘faking’ your products
  • Detect fraudulent materials before they are used to make food
  • Detect fakes in the marketplace so enforcement action can be taken

This is a job for the whole business, not just food safety or food quality personnel.  Communicating what has been found in the vulnerability assessment is the first step in engaging people from other parts of the food business.  Ideally the top levels of management of the food business are committed to preventing, deterring and detecting fraud and will be willing to implement changes to protect the business.  It may be necessary to make changes to purchasing policies, supply chain strategies and supplier contracts to help prevent fraudulent materials from reaching the doors of your factory.  Changes to sales agreements, sales channels and packaging might be needed to prevent food fraud from affecting your products after they have left your facility.  Personnel from purchasing, finance, marketing, sales and legal departments will need to be involved to implement changes within these business areas.   If the business has a Risk Officer or an Enterprise Risk Manager that person should also be involved in the prevention and mitigation planning process.  The result should be a cross-functional team with upper management support and a commitment to prevent food fraud, plus the resources to implement changes to policies, practices and programs.

That is the theory anyway; without support from upper management and a cross-functional team, any fight against food fraud is going to be tough.  However there are some things that can be done by food safety personnel that are relatively quick to implement and do not require a lot of investment from other parts of the business.  These are listed below.

Third: action!

Create and implement a food fraud prevention and detection plan (‘control plan’).

Here are some actions that can reduce your exposure to food fraud:

  1. Update your raw material specifications to include authenticity requirements.  Guidance for raw material specifications.
  2. Review your vendor approvals systems and revise questionnaires and requirements if required.  Consider implementing more stringent requirements for suppliers that provide vulnerable materials.
  3. Request certificates of analysis (CofA) from suppliers of vulnerable materials and make sure they include analyses that reflect authenticity attributes as described in your purchasing specifications.  This won’t prevent fraud per se, but will help your business to enforce penalties if problems are found later.
  4. Begin a testing regime for vulnerable materials.
  5. Investigate the costs and benefits of supply chain audits, including whether ad-hoc, one-off visits to certain suppliers might be worthwhile.
  6. Request tamper-evident packaging and bulk container tamper seals for vulnerable raw materials.
  7. Ask suppliers of vulnerable materials to undertake a mass balance exercise at their facility or further upstream in the supply chain.
  8. Make a business case for switching suppliers of materials that prove to be consistently problematic and present it to your purchasing department.
  9. Make sure that senior staff in the business understand the risks posed by food fraud, by providing Food Fraud Awareness Training.

Need help with your food fraud control plans?  Get easy instructions and downloadable templates from our online training course.

Start today