Food Defense and Intentional Adulteration
What You Need to Know:
"Intentional Adulteration" refers to the risk of someone deliberately contaminating a food product with aim of causing harm.
The Intentional Adulteration Rule was implemented to address bio-terrorism threats committed against food companies to contaminate the US food supply.
It applies to some, but not all food businesses (see "Applicability" below)
You can fulfill the requirements for a Food Defense Plan using our template
If you are a business under FDA regulation with >$10m/year in sales, then you most likely are required to comply with the Intentional Adulteration Rule.
Check the exemptions below and, if they do not apply to your businesses, see "What You Need to Do?"
Exemptions from the Intentional Adulteration Rule:
See if one of the following exemptions applies to your business or check out the applicability flowchart below
Does the Intentional Adulteration Rule Apply to My Business?
Food businesses that are not regulated by the FDA and aren't required to register as a food facility.
Small food businesses that produce, distribute, or hold less than $10 million dollars in product retail value per year, averaged over the last 3 years.
Food businesses that exclusively produce one of the following:
Licensed alcoholic beverage producers
Food which is packed, re-packed, or re-labeled food in a way that the container around the food remains intact.
Food businesses that only hold food, such as a distributor (unless the food is held in large liquid storage tanks).
Certain foods packaged on farms (See 21 CFR 121.5)
The FDA offers a flow chart to determine if the Rule on Intentional Adulteration applies to your food business.
Large Businesses (>500 Employees): July 26th, 2019
Small Businesses (< 500 employees): July 27th, 2020
What You Need To Do:
Access our Free Food Defense Plan Template
If you are required to follow the Intentional Adulteration Rule, then you must develop a Food Defense Plan. This plan documents that you have developed and implemented the following activities:
Conduct a "vulnerability assessment" to identify where your business is vulnerable
Develop "mitigation strategies" for addressing food defense threats.
Monitor your mitigation activities to make sure they're working
Develop corrective actions for when things go wrong
Conduct verification checks
Re-analyze your food defense as necessary
1. Conduct A Vulnerability Assessment
This is a written assessment of what areas your facility and product might be at risk to a threat of intentional adulteration. You should evaluate the following:
The potential impact if your product was contaminated
The degree of access available to your product
The ability of an attacker to contaminate your product
The possibility of an inside attacker.
The easiest way to conduct a vulnerability assessment, is to use our Food Defense Plan Template and modify it to suit your business' needs.
2. Develop Mitigation Strategies
If you identify a vulnerability in your business, then you must address it. Your mitigation strategies could include:
Upgrading security around your facility (i.e. adding fencing, upgrading locks, reducing access)
Developing a way to record and manage visitors in your facility.
Minimizing access to sensitive areas to only the people who require that access.
Changing how you store in-process product
Upgrading your packaging to minimize opportunity for contamination.
This section must include a written explanation of how your strategy specifically minimizes the risk(s) that you identified in your vulnerability assessment.
3. Monitor Your Mitigation Strategies
You must monitor your food defense efforts to verify that they're effective.
Some of your mitigation strategies may be a simple structural fix (i.e. fencing the facility grounds) while others may require ongoing management (implementing a visitor-access policy).
The strategies that require ongoing maintenance should be monitored to ensure that they are effective. For example, if you implement a visitor-access policy for your facility, then a supervisor should occasionally monitor that guests are wearing the required badge and that the sign-in document that you developed is actually being used.
How often must I monitor my mitigation strategies?
This is your choice. You should monitor your practices which support food defense enough to ensure that they're being performed effectively.
Do I need to keep records of my monitoring?
Yes. All of your monitoring efforts should be recorded. You can do this by keeping "exception records" where the only records kept are to document when the strategy is not working.
4. Develop Corrective Actions For When Things Go Wrong
You must have written corrective action procedures that will guide you in what to do if one of your mitigation strategies fails.
For example, let's pretend your visitor-access policy requires all guests to be checked-in and wear a badge in the processing space. When you develop that food defense strategy, you should also create a corrective-action to answer the question "What do we do if there is an unauthorized person in the production space?". Your corrective action could be registering the visitor and reviewing security footage prior to releasing the product that was being processed.
If something goes wrong in your food defense procedures, you must document that a corrective action was taken and how the problem was solved. Store this in your records.
Additionally, if take a corrective action to address a failure then you must also take action to ensure that the same failure does not recur.
5. Conduct Verification Checks
You must conduct verification activities to confirm that your mitigation strategies are being carried out effectively. This is a "double check" to make sure everything is happening according to plan.
Specifically, you must verify that monitoring is effective and that your corrective actions were taken appropriately. This verification can take the form of a manager reviewing the records that were taken during a given time-period and signing off on them.
A manager may conduct verification on the facility's visitor-access policy by reviewing the visitor registration sheet each week to ensure that it is being used.
How often must I conduct verification checks?
This is up to you. Verification should occur often enough that you can make adjustments if something is found to be wrong. For example, records are typically verified before the relevant product leaves the facility. This way, the product can be inspected or reconsidered if the verification reveals something improper occurred.
Do verification activities need to be written?
Yes. However, it does not need to be a separate form. A manager can verify a document by signature and date showing that the document was reviewed and that verification occurred.
6. Keep Records
Your Food Defense Plan must be written and on file. Additionally, you should keep records of the following for at least 2 years:
Corrective Action records
Any documents related to the food defense plan
When your food defense plan was changed or updated
Your records should meet the requirements outlined in Part 117 Subpart F: Record keeping
7. Reanalyze Your Food Defense As Necessary
You must reanalyze your food safety plan:
Every 3 years at minimum
Whenever a change is made that might expose a new vulnerability or increase your risk of intentional adulteration.
If the FDA identifies new vulnerabilities that they deem relevant to your business.
If your business makes a change that requires an adjustment to your food safety plan, you have 90 days to update your plan and implement the new strategies.
This article applies to you if…
∆ Your business produces, packs, or holds food under FDA regulation.
∆ Your business conducts >$10mm sales per year.