In May 2016, FDA, as part of the Food Safety Modernization Act (FSMA), issued a final rule requiring domestic and foreign food facilities address hazards that may be introduced into foods with the intention to cause wide-scale harm to public health (Intentional Adulteration Rule or IA Rule). The first compliance date, applying to large facilities, was July 26, 2019.

Upon a cursory reading of the IA Rule, one could certainly argue the burden involved in complying with the requirements of the rule, including establishing a food defense plan, far outweigh the remote possibility of an event of wide-scale harm through the food supply occurring. It is also important to note that intentional adulteration can occur in many forms, including economically motivated adulteration (usually in the form of swapping out ingredients or spiking of ingredients to inflate nutritional values) or intentional acts by disgruntled employees. Some may remember the melamine spiking of pet food or baby formula in China aimed to artificially inflate protein content, instead resulting in thousands falling ill, and some infant and pet fatalities. Others may remember the 2009 Salmonella outbreak at Peanut Corp. of America, which killed nine people and sickened hundreds, where company officials knowingly distributed contaminated product. These types of economically motivated adulteration are not covered under the IA Rule, but rather under FSMA’s preventive control rules.

The question becomes, why all this effort to implement a rule for an event that is likely to never occur? The answer lies in U.S. Founding Father Benjamin Franklin’s famous axiom, “an ounce of prevention is worth a pound of cure.” Frankly speaking, it is better to be prepared for a disaster that results in widespread illness, death or economic disruption to the food supply, than to pick up the pieces afterwards. In developing the rule, FDA interacted closely with the intelligence community and the food industry to identify perceived vulnerabilities to the food supply.

The IA Rule is ultimately designed to cover large companies with wider consumer reach. Exempt are smaller companies that average less than US$10 million in sales per year. Companies that hold food (except holding of food in liquid storage tanks), pack/repack/label/relabel food where containers remain intact; farms; and manufacturers of animal food or certain alcoholic beverages are all also exempt from the IA Rule.

Integral to the IA Rule is the requirement to develop a food defense plan. Many, including FDA, have approached development of a food safety plan in the same way they would develop a hazard analysis critical control point (HACCP) plan for seafood or juices, or a hazard analysis and risk-based preventive controls (HARPC) for foods subject to FSMA’s preventive controls rule. A food defense plan must identify vulnerabilities in the food supply chain, mitigation strategies to address these vulnerabilities, procedures for defense monitoring, and procedures for implementing corrective actions and verification of these corrective actions. This food defense plan must be reanalyzed every three years or sooner if it’s determined that an established mitigation strategy or corrective action was found to be ineffective.

Since the rule was established in 2016, much of the industry has voiced concern over conducting a vulnerability assessment, given that the possibility of such a wide-spread event occurring is extremely remote. However, FDA has lent guidance on what it believes should be included in a vulnerability assessment. FDA suggests that for each point, step or procedure in the facility’s process, the following, at minimum, should be assessed: (1) the severity and scale of the potential impact on public health, including how much product is being made and how many consumer exposures this would translate to, the velocity in which the product moves through the distribution system, and the possible number of illnesses or deaths that may occur through exposure; (2) the degree of physical access to the product including physical barriers such as gates, railings, doors, locks, lids, seals, etc.; and (3) the potential for successful contamination of the product. An example of a vulnerability could be the handling of raw material containers that are reused and do not contain a tamper seal after initial opening. For example, consider a scenario where a drum of hydrogenated vegetable oil is ordered as a raw material and is received at the facility with a tamper-evident seal. The oil is used on an as needed basis and the top of the drum is reapplied after each use, but without a tamper-evident seal for subsequent uses. This oil drum remains accessible to contamination without easy identification of such contamination.

Next, the food defense plan must identify mitigation strategies for identified vulnerabilities. Mitigation strategies can be in the form of physical steps such as monitored and secured access to facility areas, or they can be operation-based, such as implementing more robust background checks for facility employees. They can also be in the form of technology strategies, including employing automated machinery to lessen the amount of human contact with the food product. There are several strategies that FDA has identified in their guidance document titled, “Mitigation Strategies to Protect Food Against Intentional Adulteration: Guidance for Industry” issued in March 2019.

Finally, once a vulnerability assessment and mitigation strategy review has occurred, written procedures for monitoring, corrective action, verification, training and recordkeeping must also be established and implemented. FDA does give companies the leeway to determine the extent to which such activities apply to a certain company’s operations.

FDA has announced that the start of routine IA rule inspections is set to begin in March 2020. As with FSMA Preventive Controls rule implementation and inspections, FDA has stated that it intends on initially inspecting to educate while it regulates. Early inspections plan to be very high level and will be more educational in nature and may be done in conjunction with other planned inspections pursuant to FSMA or HACCP inspections, as opposed to solely inspecting with respect to the IA Rule.

FDA estimated that roughly 9,800 facilities are covered by the IA Rule. Large business must already comply as of July 26, 2019. Small businesses with less than 500 employees but more than $10 million in annual sales must comply by July 27, 2020. Those companies that are exempt must maintain written documentation of their exempt status as of July 26, 2021. Thus, it is prudent to review whether a company is covered, and if so, what steps must be taken to ensure compliance with the rule.

Abhishek Gurnani is a partner at Amin Talati Upadhye. Gurnani represents a wide variety of health and wellness-focused companies addressing issues such as quality control (QC), recalls, government investigations and class action lawsuits, as well as dealing with matters before FDA, FTC, U.S. Customs and USDA.