According to the Food and Drug Administration (FDA), millions of Americans have food allergies. While most reactions are mild, some people experience severe or even life-threatening symptoms. FDA’s Current Good Manufacturing Practice (cGMP), Hazard Analysis, and Risk-Based Preventive Controls for Human Food (PCHF) Rule (21 CFR Part 117) requires domestic and foreign food facilities that manufacture human food develop and implement a Food Safety Plan that includes an Allergen Program to address this concern.

Eight Becomes Nine

While many different foods can cause many different types of reactions and symptoms, the Food Allergen Labeling and Consumer Protection Act of 2004 (FALCPA) identified what has commonly been known as the “Big 8” major allergens:

1. Milk
2. Eggs
3. Fish (e.g., bass, flounder, or cod)
4. Crustacean shellfish (e.g., crab, lobster, or shrimp)
5. Tree nuts (e.g., almonds, pecans, or walnuts)
6. Wheat
7. Peanuts
8. Soybeans

Sesame was added as the ninth major food allergen when the Food Allergy Safety, Treatment, Education, and Research (FASTER) Act became effective on January 1, 2023. FALCPA requires that food labels clearly identify the food source names of any ingredients that are a major food allergen or contain protein derived from a major food allergen. The intent of FALCPA is to help allergic consumers identify foods or ingredients that they should avoid to prevent an allergic or other reaction due to hypersensitivities.

New Guidance

On the heels of the FASTER Act’s effective date, FDA recently published draft guidance for Food Allergen Programs in September 2023. This is part of the Agency’s ongoing updates to its Draft Hazard Analysis and Risk-Based Preventive Controls for Human Foods Guidance for Industry. Comprised of 16 chapters, FDA has been releasing new chapters since the guidance was announced in 2016 as they are developed to help facilities develop a Food Safety Plan in accordance with regulatory requirements. The most recent guidance published includes Chapter 11: Food Allergen Program.

Chapter 11 focuses on developing a Food Allergen Program to ensure finished food is properly labeled for major food allergens and, even more so, to protect food from major food allergen cross-contamination. According to FDA, “Some manufacturers are intentionally adding sesame to products that previously did not contain sesame and are labeling the products to indicate presence, rather than taking appropriate measures to minimize or prevent cross-contact.” Through the new guidance, FDA is encouraging industry to prevent allergen cross-contamination rather than intentionally adding sesame (or other major allergens) to products and then labeling them to comply with the law.

FDA recognizes the challenges of ensuring products are allergen-free, and the guidance is intended to help companies find solutions to meet the needs of consumers with food allergies. Chapter 11 explains how to develop and implement a Food Allergen Program by providing detailed recommendations for each aspect of the Program. It offers multiple examples for illustrative purposes that demonstrate ways to significantly minimize allergen cross-contact and undeclared allergens using cGMPs and preventive controls.

Labeling errors are the major reason for most FDA food allergen recalls. As such, the new chapter also offers guidance on how to monitor and verify that food allergies are properly declared and correctly labeled. In addition, the guidance addresses what facilities can do when allergen presence due to cross-contact cannot be completely avoided, including using allergen advisory statements.

Previously Published Guidance

The comprehensive Draft Guidance for Industry remains a work in progress. In addition to Chapter 11: Food Allergen Programs, the following draft chapters are currently available:

• Chapter 1: The Food Safety Plan
• Chapter 2: Conducting a Hazard Analysis
• Chapter 3: Potential Hazards Associated with the Manufacturing, Processing, Packing, and Holding of Human Food
• Chapter 4: Preventive Controls
• Chapter 5: Application of Preventive Controls and Preventive Control Management Components
• Chapter 6: Use of Heat Treatments as a Process Control
• Chapter 14: Recall Plan
• Chapter 15: Supply-Chain Program for Human Food Products
• Chapter 16: Acidified Foods

FDA plans to still publish the following chapters as they are developed:

• Chapter 7: Use of Time/Temperature as a Process Control
• Chapter 8: Use of Product Formulation or Drying/Dehydrating as a Process Control for Biological Hazards
• Chapter 9: Validation of a Process Control for a Bacterial Pathogen 
• Chapter 10: Sanitation Controls
• Chapter 12: Preventive Controls for Chemical Hazards
• Chapter 13: Preventive Controls for Physical Hazards
• Chapter 17: Classification of Food as Ready to Eat or Not Ready to Eat

Whether for allergen management or other identified hazards, taking a systematic approach to establishing risk-based preventive controls helps protect food products—and the consumer—from biological, chemical, and physical risks. FDA’s guidance can provide an excellent resource for meeting regulatory requirements and protecting consumers.

In July, the Safe Quality Food (SQF) Institute published an article citing the most common non-conformances encountered during certification audits. Interestingly, the transition to SQF edition 9 has changed the number and types (i.e., critical, major, minor) of non-conformances SQF is seeing, with non-conformances related to pest prevention, Food Safety Plan, cleaning and sanitation, and management review and internal audits topping the list.

KTL’s food safety experts break down SQF’s top non-conformances and what you can do to address them.

Prioritizing Pest Prevention 

According to SQF, pest prevention is the leading non-conformance under edition 9, with both critical and major findings. Exposure to pests—and the diseases they carry—creates the risk of food contamination and the spread of infectious diseases. Companies need a pest prevention program, whether managed internally or by a third-party contractor, that integrates sufficient measures to minimize pest populations. This may include mechanical preventions and controls, waste minimization, or controlled use of pesticides.

KTL Recommendations:

• Review any findings with your food safety team and the pest control contractor, if used. Include frequent review of the approved chemicals or chemicals used for any treatment and ensure the site has access to copies of their safety data sheets (SDSs). Corrective and preventive actions (CAPAs) should be applied to act right away on any open observations. CAPAs should be regularly monitored and tracked to closure. If a third-party contractor is used, open observations should be discussed with the contractor; they may have helpful information on how to handle a pest issue.
• Review pest control trending data at monthly management review meetings. This will help ensure pest prevention data is tracked and monitored. It can also help identify larger, more systemic issues that might necessitate additional CAPAs to resolve the problems.
• Incorporate evaluation of pest prevention performance into the validation and verification schedule.
  • Validation should include review of inspection records (at each visit), an annual assessment by the food safety team or pest control provider, and review of trends at the annual management review meeting.
  • Verification should include a monthly visual inspection during internal good management practices (GMP) inspections. A simple check to ensure these inspections are thorough enough can involve putting a business card in a tin can for pest control to find and identify on the report.

SQF Tip Sheet: Pest Prevention

Strengthening the Food Safety Plan 

The Hazard Analysis and Critical Control Points (HACCP) Food Safety Plan is the foundation of the SQF System. Given this, it makes sense that non-conformances related to the Food Safety Plan always top the list. SQF indicates that many of these findings are now being marked as critical with edition 9. The most common non-conformances include missing hazard analysis, incomplete ingredient hazard analysis, and misidentification of critical control points (CCPs).

KTL Recommendations:

• Review and update the HACCP Plan at least annually or whenever there is a change to operations (e.g., ingredients, processes, equipment, etc.) to ensure all inputs and outputs are identified and appropriately managed.
• Use a risk ranking chart to identify risks; determine their severity and likelihood; and document when a hazard is controlled by a GMP, CCP, or other preventive control (PC).
• Use specification sheets and known information about ingredients to facilitate the identification of hazards during the hazard analysis. Ensure copies of any studies or guidance documents are available to the HACCP team and any applicable updated scientific consensus is reviewed. Hazards should be specifically identified rather than just listed as general categories (e.g., biological, chemical, etc.).
• Document everything in a food safety management system (FSMS). Recordkeeping proves that all requirements of the Plan are met.

SQF Tip Sheet: HACCP Food Safety Plan

Emphasizing Cleaning and Sanitation 

Cleaning and sanitation methods vary based on the nature of operations, as well as the microbiological and allergen risks. Regardless, every facility needs to develop, implement, and document a cleaning and sanitation program that fits their production processes. According to SQF, this area remains second on the list of major findings in edition 9.

KTL Recommendations:

• Understand all the areas and equipment that need to be cleaned and sanitized in the facility. Pay attention to the condition of floors, ceilings, walls, doors, etc. to ensure you are maintaining a hygienic and safe environment.
• Create a robust cleaning and sanitation, preventive maintenance, and maintenance schedule. Regular maintenance of equipment, utensils, and building materials is crucial to prevent non-conformances.
• Incorporate monitoring of the cleaning and sanitation program into the validation and verification process:
  • Validation: Review sanitation records and logs, environmental monitoring records, and trending data to identify areas of concern.
  • Verification: Conduct visual inspections and records review. Consider swab testing to monitor compliance and trends, especially if using a contracted company for cleaning and sanitation. Review GMP inspection findings and CAPAs at monthly management meetings and track to closure.

SQF Tip Sheet: Cleaning and Sanitation

Management Review and Internal Audits 

SQF includes management review (2.1.2.1) as minor nonconformance, highlighting the importance of incorporating food safety culture into the review process. Internal audits remain a crucial way to identify areas of improvement, though they are now on the minor non-conformance list.

KTL Recommendations:

• Set objectives/goals for the year and monitor the performance of these objectives at monthly and annual management review meeting. Resources should be allocated appropriately based on trends identified in these meetings to reach goals and ensure the overall effectiveness of the food safety culture.
• Conduct regular GMP inspections, trend results, review them during management meetings, and identify CAPAs, as necessary.
• Distribute food safety questionnaires to personnel to gather input. Review results during management review meetings and use the data collected to create action plans for maintaining or improving scores.
• Conduct a comprehensive internal audit at least annually and address any identified gaps in compliance. Internal audit findings should be reviewed at monthly and annual management review meetings. CAPAs should be assigned for findings, and data can be used to refine food safety objectives/goals.

SQF Tip Sheets: Management Commitment / Internal Audit Plan

Knowing and truly understanding the requirements of the SQF Code—or any of the Global Food Safety Initiative (GFSI) certification standards—is essential to avoiding non-conformances. Paying particular attention to the identified top non-conformances can help facilities to proactively mitigate these risks, strengthen food safety culture, and improve overall compliance.

The threat of terrorism against our food supply is as real today as it ever has been. Whether it’s an attack on the products themselves, such as product tampering or sabotage, or a cyberattack against a company’s internet infrastructure, it can be harmful and costly if not recognized in advance. Plans should be in place to not only respond to such an attack but also to prevent it. ~ Rod Wheeler, NSF.org

National Security Memorandum

On November 10, 2022, President Joe Biden signed National Security Memorandum-16 (NSM-16) to strengthen the security and resilience of U.S. food and agriculture. This critical sector has continued to face increasing deliberate and naturally occurring threats to security and resilience, including intentional adulteration (IA), catastrophic events (e.g., pandemics that impact critical infrastructure), consequences of climate change, and cyber- and technology-related vulnerabilities.

NSM-16 replaces Homeland Security Presidential Directive 9 (Defense of United States Agriculture and Food – HSPD-9) and outlines the Administration’s guidance to:

1. Identify and assess the threats of greatest consequence. This includes redefining how chemical, biological, radiological, and nuclear threats are defined; focusing on increased cyber threats and climate change impacts; and enhancing threat and risk assessments by mandating a continuous process to assess and mitigate risks and vulnerabilities.
2. Strengthen partnerships to enhance the resilience of the workforce, who are typically the first line of response, and coordinate our government to act more efficiently and effectively. Essential critical infrastructure workers need guidance to work safely, while supporting operations during high-consequence incidents.
3. Enhance preparedness and response by training partners on how to prepare for and respond to threats, increasing testing and diagnostic surge capacity, and standardizing diagnostic and reporting tools to facilitate timely information sharing.

Ongoing Security Actions

NSM-16 builds upon ongoing actions by the Administration to strengthen the resilience of the U.S. food and agriculture supply chains.

• U.S. Department of Agriculture (USDA) considers defense of the food and agriculture sector critical. USDA’s Food Safety and Inspection Service (FSIS), Animal and Plant Health Inspection Service (APHIS), and National Institute of Food and Agriculture (NIFA) have launched numerous programs to protect these sectors, including FSIS working to help industry partners develop effective food defense plans.
• U.S. Department of Homeland Security (DHS) Office of Health Security Health, Food, and Agriculture Resilience (OHS/HFAR) directorate is also working to help safeguard the American food supply against catastrophic incidents by bringing a national security perspective to the food and agriculture sector.  In recent years, OHS/HFAR has engaged directly with partners to perform risk assessments, develop strategic guidance, and design and deliver tailored exercises to better prepare for, respond to, and recover from catastrophic events.
• U.S. Food and Drug Administration (FDA) is engaging with federal; state, local, tribal, and territorial (SLTT) governments; the private sector; and academia on the following activities:
  • Conduct of vulnerability assessments
  • Risk mitigation analysis
  • Federal risk mitigation strategy
  • Strengthening existing efforts for information sharing procedures
  • Research and development

Roles of Food Safety and Food Defense

According to USDA-FSIS, to prevent, protect against, mitigate, respond to, and recover from threats and hazards of greatest risk to the food supply, preparedness efforts must encompass food safety and food defense.

Food safety provides for the protection of food products from unintentional contamination. Food defense involves the protection of food products from intentional contamination or adulteration (e.g., biological, chemical, physical, or radiological) that causes harm to public health or disrupts the economy in other ways.

The anticipated outcome of combined food safety and food defense efforts is food security. Food security exists when all people, at all times, have physical, social and economic access to sufficient, safe and nutritious food which meets their dietary needs and food preferences for an active and healthy life (United Nations Food and Agriculture Organization (FAO)).

Your Role: Food Defense Plan

Food defense involves putting security measures in place to reduce the chances of someone intentionally contaminating the food supply. FDA’s Food Safety Modernization Act (FSMA) rule on Mitigation Strategies to Protect Food Against Intentional Adulteration (IA) establishes requirements for industry to play an active role in improving the nation’s food security and resilience. This rule requires covered facilities to prepare and implement food defense plans.

The food defense plan incorporates four major elements:

• The vulnerability assessment identifies those areas in the process that pose the greatest IA risks. Each step in the facility’s process should be evaluated for the following:
  • Potential severity and scale of the impact on the public.
  • Physical access to the product.
  • Ability to successfully alter/contaminate the product.
• Facilities must develop and implement mitigation/preventive strategies at each step in the process to address vulnerabilities and minimize the risks of IA.
• A system must be put in place to ensure implementation of mitigation strategies and to effectively manage the following:
  • Monitoring mitigation strategies, including frequency.
  • Corrective action response.
  • Verification activities.
• Appropriate recordkeeping must be maintained for food defense monitoring, corrective actions, and verification, and key personnel must receive appropriate training.

The safety and security of our country’s food products requires developing, implementing, and enforcing policies and programs to support strong food defense. And it requires continually involving all employees in these food defense and security efforts to create a robust food safety culture. The threats to our nation’s food supply—and to those companies who work in the food supply chain—will continue. Taking an active role in controlling what you can and proactively managing your organization’s food defense efforts can play a significant role in securing the food supply chain.

According to the World Health Organization (WHO), foodborne diseases affect 1 in 10 people worldwide each year. Safe food is a key contributor to reducing these foodborne illnesses and other poor health conditions, including impaired development, micronutrient deficiencies, noncommunicable and communicable diseases, and mental illnesses. Only when food is safe can we fully benefit from its nutritional value.

FAO Strategic Priorities for Food Safety

In March 2023, the Food and Agriculture Organization of the United Nations (FAO) published its Strategic Priorities for Food Safety 2022-2031 to “support members in continuing to improve food safety at all levels by providing scientific advice and strengthening their food safety capacities for efficient, inclusive, resilient and sustainable agrifood systems.”  

The Strategic Priorities document is structured around four strategic outcomes:

• Governance (intergovernmental and intersectoral) is coordinated and reinforced at all levels.
• Scientific advice and evidence provide the foundation for decisions made about food safety.
• National food control systems are continually strengthened and improved by supporting members in:
  • Evaluating food control systems, identifying needs, and designing programs.
  • Developing and transitioning economy countries to participate in Codex Alimentarius work.
  • Developing and updating food safety standards, legal frameworks, government policies, and operational procedures and guidelines.
  • Generating relevant food safety data to reflect the national situation.
  • Implementing technology developments in food control and food safety management.
• Public-private partnerships along the food chain are being fostered to ensure food safety management and controls.

World Food Safety Day

On June 7, countries around the globe celebrated World Food Safety Day, focusing this year on “Food Standards Save Lives” as the theme. Established by the United Nations General Assembly in 2018, World Food Safety Day is an annual observation intended to mobilize action to prevent, detect, and manage foodborne risks and improve human health. The WHO and the FAO jointly facilitate the observance of World Food Safety Day.

This year’s theme coincides with the 60th anniversary of Codex Alimentarius, a collection of food standards, guidelines, and codes of practice that encourage governments and food safety advocates around the world to focus on the importance of applying safety standards.

Along with WHO and FAO, the U.S. Food and Drug Administration (FDA) is calling on everyone to join in the efforts to ensure safe food for all. Check out FDA’s information on ways to reduce foodborne illnesses and the Guide to World Food Safety Day 2023 for ideas on how you can participate in World Food Safety Day every day.

The National Bioengineered Food Disclosure Standard defines bioengineered foods (a/k/a genetically modified organisms (GMOs)) as “foods that contain detectable genetic material that has been modified through certain laboratory techniques and for which the modification could not be obtained through conventional breeding or found in nature.”

Genetic engineering allows scientists to take a beneficial gene (e.g., insect resistance or drought tolerance) and transfer it to a plant. Genetic modifications can create many desirable results, including higher crop yields, less crop loss, longer storage life, better appearance, enhanced nutritional value, or some combination thereof.

Genetic engineering can also be used to create a plant-based protein. The Food and Drug Administration (FDA) is aware that some developers are now exploring transferring genes for proteins that are known food allergens (including the “Big 9”) into new plant varieties for foods. Managing this introduction of food allergens into bioengineered food is a significant concern.

Regulatory Framework

The FDA, Environmental Protection Agency (EPA), and U.S. Department of Agriculture (USDA) work together to ensure bioengineered foods are as safe and healthful for humans, plants, and animals—or even more so—as their non-GMO counterparts.

• FDA ensures those who produce, process, store, ship, or sell bioengineered foods or foods with bioengineered ingredients meet the same food safety standards as all other foods. FDA’s voluntary Plant Biotechnology Consultation Program allows developers to work with FDA on a product-by-product basis to evaluate the safety of bioengineered foods before they enter the market. 
• EPA regulates the safety of the substances that protect bioengineered plants to make them resistant to insects and disease and monitors all types of pesticides used on crops.
• USDA Animal and Plant Health Inspection Service (APHIS) establishes regulations to ensure bioengineered plants do not harm other plants.

Warning Letter

In April 2023, FDA issued a letter to developers and manufacturers who intend to transfer genes for proteins that are known food allergens into new plant varieties for foods. The letter serves as an important reminder that developers of these new plant varieties are obligated to make sure the products they market are safe for consumers and implement all measures needed to comply with the Food, Drug, and Cosmetic (FD&C) Act.

If not appropriately managed, the development of these plants could result in the presence of an unexpected allergen in the bioengineered food product. And if an unexpected allergen enters the food supply, there is real risk of a severe or even life-threatening allergic reaction and, subsequently, needing to recall affected products.

Early Actions

The FDA implores, “We are specifically reminding those developers who are now exploring development of these types of plant varieties of their responsibility for food safety. In particular, we are reminding them to consider the allergenicity issues related to their products, and how they would be stewarded from production to manufacturing to consumption so that they do not inadvertently or unexpectedly enter the food supply.”

The FDA is asking developers to consider the food safety risks posed by such allergens and to plan early in development to manage those risks. Developers who intend to create these plant varieties using proteins that are food allergens need to:

• Take advantage of the Plant Biotechnology Consultation Program early in the development process to ensure new varieties meet FD&C Act requirements and consumers are protected.
• Develop a robust risk management plan that includes significantly stronger mitigation strategies and practices (e.g., crop segregation) to provide assurance that foods containing the transferred allergen are not mixed with other foods.
• Consider whether the entire supply chain can maintain appropriate conditions to prevent allergens from inadvertently entering the food supply.
• Properly label bioengineered foods by declaring the presence of an allergen on the food label.

The most effective way to respond to an emergency is to properly plan for it before it happens. That’s precisely why so many federal, state, and municipal laws and regulations require many facilities to develop and implement some sort of Emergency Response Plan (ERP).

Effective Emergency Response

An ERP is intended to outline the steps an organization needs to take in an emergency—and after—to protect workers’ health and safety, the environment, the surrounding community, and the business itself. The requirements developed by various agencies are important, as they establish the components that must be included in an ERP to comply with regulations and respond effectively.

Most ERPs contain the same basic information. However, it can get complicated when a facility is subject to more than one regulation requiring an ERP, because even though the various regulations share many similarities, they also contain important differences (e.g., command structures, training requirements, equipment needs, operating protocols). Often, facilities end up creating a different ERP to respond to the different regulatory requirements. In an actual emergency, this can create inconsistencies or, worse yet, an implementation nightmare trying to figure out which ERP to follow.

Importance of Integration

The solution lies in integration. For example, consider an integrated management system that allows organizations to align standards, find common management system components (e.g., terminology, policies, objectives, processes, resources), and add measurable and recognizable business value. The same can be done with the various ERPs required within a facility.

It shouldn’t come as a surprise that in 1996, the U.S. National Response Team (NRT) published initial guidance for consolidating multiple ERPs into one core document. The Integrated Contingency Plan (ICP or One Plan) is a single, unified ERP intended to help organizations comply with the various emergency response requirements of the Environmental Protection Agency (EPA), U.S. Coast Guard, Occupational Safety and Health Administration (OSHA), Department of Transportation (DOT), and Department of Interior (DOI). The ICP Guidance does not change any of the existing requirements of the regulations it covers; rather, it provides a format for consolidating, organizing, and presenting the required emergency response information.

While the ICP does not currently incorporate all federal regulations addressing emergency response, it does establish a basic framework for organizations to pull in ERPs for any applicable regulations. And the benefits of doing so are many:

• Streamlined planning process. A single document simplifies the planning, development, and maintenance process. When plans are integrated, it minimizes duplication of effort, eliminates discrepancies and inconsistencies, and helps the organization identify and fill in gaps.
• Improved emergency response. It is much easier—and faster—for emergency responders and employees to navigate one plan rather than multiple separate ones. One plan allows for a single command structure with defined roles rather than potentially conflicting responsibilities. This all allows responders to act quickly and decisively to minimize potential disruption to the organization and public.
• Greater compliance. An integrated ERP provides improved visibility to all parts of the organization’s emergency response and helps reveal gaps that could prove costly and/or dangerous. This is especially important for organizations that must comply with several regulations.
• Potential cost savings. Streamlined and simplified planning reduces the resources required to build the plan. An integrated ERP may also help eliminate regulatory fines and minimize the need for and associated costs of emergency response/cleanup efforts.

Find Your Format

The goal of an integrated ERP is not to create new requirements but to consolidate existing concepts into a single functional plan structure. Regardless of what the plan looks like, it should start with:

1. An assessment of the facility’s vulnerabilities to various emergency situations.
2. An understanding of the various applicable emergency planning laws and regulations to determine which specific requirements must be incorporated. For example, food emergency response has different implications that must be integrated, particularly when it comes to recovery. A food production facility that is ordered or otherwise required to cease operations during an emergency may not reopen until authorization has been granted by the regulatory authority. Food facilities also have strict guidelines to follow for salvaging, reconditioning, and/or discarding product.

With this understanding, the ERP should then comprise step-by-step guidelines for addressing the most significant emergency situations. The core plan should be straightforward and concise and outline fundamental response procedures. More detailed information can be included in the annex. Most ERPs should include the following basic elements:

• Facility information. Consolidate common elements required in various plans, including site description, statement of purpose, scope, drawings, maps, roster of emergency response personnel, emergency response equipment, key contacts for plan development and maintenance, etc.
• Steps to initiate, conduct, and terminate a response. Outline essential response actions and notification procedures, with references to the annex for more detailed information. Provide concise and specific information that is time-critical in the earliest stages of the response and a framework to guide responders through key steps to deliver an effective response.
• Designated emergency responders. Develop a single command structure for all types of emergencies. Assign qualified, high-level individuals who are familiar with emergency procedures to fill emergency roles. In addition, list the appropriate authorities for specific emergencies, as well as their contact information.
• Evacuation plan/routes and rally points. Clearly mark evacuation routes and identify rally points where employees should meet upon exiting. Do not allow employees to leave designated rally points until it has been documented they have safely left the building.
• Data and information backup technology. Develop provisions for data backup to secondary/off-site systems, as well as alternate options for communications and power.  
• Designated plan for communication. Outline who is communicating what, when they are communicating it, and how it is being communicated. This includes internal communication, as well as communication to customers/clients/suppliers/vendors that may be impacted, the media, and the appropriate regulatory authorities.
• Supporting materials. The annex should provide detailed support information based on the procedures outlined in the core plan and required regulatory compliance documentation. Importantly, facilities should create a table that cross-references individual regulatory requirements with the plan to ensure there are no gaps and to demonstrate compliance.

Ensuring Success

The goal of emergency response planning is to minimize impacts to the environment and workers’ health and safety, as well as disruptions to operations. An integrated ERP has the potential to significantly reduce the number of decisions required to respond in an emergency, eliminate confusion and disagreement regarding roles and responsibilities, and enable a timelier, more coordinated response.

That all being said, an integrated ERP will only be effective if it is thoroughly and consistently communicated to all employees. These best practices will help ensure that the integrated ERP functions not only on paper, but also in practice:

• Periodic training is vital to ensure employees understand the ERP and are fully aware of emergency response procedures. It is especially important in an integrated ERP that first responders are trained to handle all potential emergencies rather than more narrowly trained on response for a single regulation.
• Routine drills significantly improve understanding of the ERP, clarify employee roles, test procedures to ensure they work, and diminish confusion during an emergency.
• Posting an abbreviated version of the ERP throughout the plant provides easy access to all employees if an emergency occurs. This summary version of the ERP should highlight the most vital information for quick response: recognized hazards, high-level emergency procedures, evacuation routes, and key contacts.

Since corporations do not act independently, the only way to hold them accountable for a violation and to enforce the law is to hold corporate directors who are responsible for the violations accountable. They may be held to the same standard as the corporation in terms of accountability (United States v. Park, 421 U.S. 658 (1975)).

The Park Doctrine—also known as the Responsible Corporate Officer (RCO) Doctrine—imposes strict, vicarious criminal liability upon RCOs for misdemeanor Food, Drug, and Cosmetic (FD&C) Act violations. The word vicarious is important, because it means RCOs can be penalized without having personally participated in the violation, having been an accessory to it, or even being aware of it. And recently, there have been increasing cases of holding corporate leaders accountable for food safety issues that negatively impact public health.

Setting Precedent

A legal doctrine is a set of rules or principles typically established through legal precedent that courts widely follow. The following two landmark cases set the precedent for the Park Doctrine.

The Park Doctrine has its roots in a 1943 Supreme Court case—United States v. Dotterweich. In this case, the jury determined that Dotterweich, as President of the company, was guilty of FD&C Act violations because he shared in the responsibilities related to the transaction of mislabeled product, even though he had no knowledge of the violation. With this decision, the Court held that individuals could be held criminally liable for the company’s FD&C Act violations.

1975 marks the Supreme Court decision on the United States v. Park. In this case, Park (the President and CEO of a national retail food chain) knew about a rat infestation issue but delegated responsibility to employees to resolve the issue. When it was not resolved by the FDA’s inspection, Park and the company were both charged with FD&C Act violations for introducing adulterated food into interstate commerce. Again, the Court maintained that RCOs are held to strict accountability standards, and—very importantly—liability does not require proof of negligence, intent, involvement, or even awareness of wrongdoing. Rather, liability is based solely on the RCO’s role and responsibilities. Park had a duty to remedy the violations and to implement measures to prevent them—he did neither.

Park Doctrine Criteria

In January 2011, the Food and Drug Administration (FDA) published criteria for recommending Park Doctrine prosecutions that factor in the individual’s position in the company, his/her relationship to the violation, and whether the RCO had the authority to correct or prevent the violation. Specific factors under consideration also include the following:

• Whether the violation involves actual or potential harm to the public.
• Whether the violation is obvious.
• Whether the violation reflects a pattern of illegal behavior and/or failure to heed prior warnings.
• Whether the violation is widespread.
• Whether the violation is serious.
• The quality of the legal and factual support for the proposed prosecution.
• Whether the proposed prosecution is a prudent use of Agency resources.

Holding Individuals Accountable

A broad theme in law enforcement these days is holding individuals accountable, said Mary El Riordan, Senior Counsel in the Administrative & Civil Remedies Branch of the U.S. Department of Health and Human Services Office of Inspector General (HHS OIG). Million-dollar settlements do not change behavior, but holding individuals accountable does.

On September 15, 2022, the Department of Justice (DOJ) released the Monaco Memo, affirming its focus on holding individuals accountable. Deputy Attorney General Lisa O. Monaco stated in her address that the DOJ’s top priority for corporate criminal enforcement is going after individuals who commit and profit from corporate crime. The Monaco Memo is fundamentally about individual accountability and corporate responsibility and represents a desire on the part of the DOJ and FDA to use the Park Doctrine to increase the numbers of criminal convictions of RCOs. 

Proactively Mitigating Risks

It is clear the DOJ and FDA are taking an increasingly aggressive stance and prosecuting more RCOs, even without knowledge or intent to commit a violation. In the case of the Price Doctrine, it is a crime to do nothing. It is ultimately the RCO’s duty to be aware of, prevent, and address potential violations.

To do so, there are several best practices companies can take to proactively mitigate risk:

• Implement and maintain an integrated management system (i.e., quality, food safety) to help identify compliance obligations and manage risks through an organized set of policies, procedures, practices, and resources.
• Conduct internal audits. Audits provide an essential tool for continually improving and verifying compliance performance. Routine audits should ensure policies and procedures are being followed and identify concerns before they become major violations.
• Engage in regular monitoring activities. Regular environmental monitoring that focuses heavily Zones 1 and 2 (i.e., food contact surfaces and surfaces directly adjacent to food contact surfaces, respectively) is vital to preventing foodborne illnesses.
• Establish clear roles and responsibilities for all employees, including leadership. Provide training for RCOs on the Park Doctrine so they clearly understand their duties and obligations.
• Resolve corrective and preventive actions (CAPAs) immediately. CAPAs are those actions an organization takes to make improvements and/or eliminate causes of non-conformities. Failure to conduct a CAPA may be considered a major non-conformance.
• Create a culture that encourages employees to speak freely when there are issues. Food safety culture is being integrated more completely and significantly into many of the Global Food Safety Initiative (GFSI)-benchmarked food safety certification standards to encourage widespread adoption.
• Be responsive and work with the FDA. The FDA sends warning letters to companies in violation of the FD&C Act (see example 2022 Warning Letter). The letter specifically outlines the required response and related consequences: You are responsible for investigating and determining the causes of the violations identified above and for preventing their recurrence or the occurrence of other violations. It is your responsibility to ensure your facility complies with all requirements of federal law, including FDA regulations. You should take prompt action to correct or implement corrections to the violations cited in this letter. Failure to do so may result in legal action without further notice, including, without limitation, seizure, injunction, or administrative action for suspension of food facility registration if criteria and conditions warrant.

Food Safety System Certification (FSSC) 22000 is a complete Global Food Safety Initiative (GFSI)-benchmarked certification scheme that is aligned with the ISO management system approach and harmonized structure. The first version of FSSC 22000 was published in 2009, and more than 16,000 sites have been certified under the scheme since.

On March 31, 2023, the Foundation FSSC published the most recent version of the FSSC 22000 scheme (FSSC V6.0) to:

• Integrate the requirements of ISO 22003-1:2022.
• Strengthen the requirements to support organizations in their contributions to meeting the United Nations’ Sustainable Development Goals.
• Incorporate feedback from the FSSC 22000 V6.0 development survey.

Overview of Changes

Foundation FSSC has set a 12-month period—between April 1, 2023 and March 31, 2024— for companies to transition from V5.1 to V6.0. In addition to changes in some of the requirements (as outlined below), V6.0 includes a realignment of the Food Chain Categories in accordance with ISO 22003-1:2022 and GFSI requirements (i.e., including Trading and Brokering (FII) and removing Farming (A)). Among others, some of the significant changes to the requirements include the following:

Food safety and quality culture. As we are seeing with other GFSI certification schemes, ISO management systems, and the FDA New Era of Smarter Food Safety, culture requirements are becoming more prominent. FSSC 22000 V6.0 requires senior management to “establish, implement, and maintain a food safety and quality culture objective as part of the management system,” addressing the following elements at a minimum: communication, training, employee feedback and engagement, and performance measurement of defined activities.

In addition, organizations must develop and implement a a documented food safety and quality culture plan that outlines objectives and timelines and follows the management system process of continuous improvement (i.e., plan-do-check-act (PDCA)).

Quality control. Quality control is a new clause of FSSC 22000 V6.0 that aligns with clauses 5.2 and 6.2 of ISO 22000:2018. Under this clause, organizations must establish, implement, and maintain a quality policy, objectives, and parameters in line with finished product specifications for all products within the scope of certification. As part of the quality program, organizations also need to establish and implement quality control and line startup and changeover procedures to ensure products meet customer and legal requirements.

Food loss and waste. The regulatory community has identified the lack of circularity in the food industry and a real need for addressing food waste. FSSC V6.0 now requires organizations to develop a documented policy with objectives and detailed strategy to reduce food loss and waste within the organization and the related supply chain.

Equipment management. Organizations must establish and implement a risk-based change management process for new equipment and/or any changes to existing equipment. This includes having documented purchase specifications to address such things as hygienic design, legal and customer requirements, and intended use of the equipment.

Allergen management. The requirement to have a documented allergen management plan is not new to V6.0. However, in addition to a including a risk assessment of all potential sources of allergen cross-contamination and related control measures, V6.0 now requires validation and verification of control measures; precautionary or warning labels as an outcome of the risk assessment to identify allergen cross-contamination risks (warning labels do not exempt the organization from implementing allergen control measures/verification testing); allergen awareness and control measures training; and annual review of the allergen management plan.

Environmental monitoring. V6.0 expands on the previous requirements for organizations to have a risk-based environmental monitoring program (EMP) for relevant pathogens, spoilage, and indicator organisms and documented procedures for evaluating the effectiveness of all controls in preventing contamination. V6.0 requires that the EMP must be reviewed for continued effectiveness at least annually, including when specific triggers occur (e.g., significant changes related to products, processes, legislation; when no positive test results have been obtained over an extended period; and when there is a repeat detection of pathogens during routine environmental monitoring).

Validation/verification of packaging claims. When a claim is made on the product label or packaging, the organization must maintain evidence of validation to support the claim and must have verification systems in place to ensure product integrity.

Food defense. V6.0 clarifies and strengthens requirements related to food defense. Organizations now must conduct and document a food defense threat assessment based on defined methodology to identify and evaluate potential threats linked to processes and products. In addition, the food defense plan must be based on the threat assessment, specify mitigation measures and verification procedures, and be implemented and supported by the food safety management system (FSMS).

Food fraud mitigation. Again, V6.0 clarifies and strengthens food fraud mitigation requirements by requiring organizations to conduct and document the food fraud vulnerability assessment to identify potential vulnerabilities and develop and implement appropriate mitigation measures. The food fraud mitigation plan must be based on the vulnerability assessment, specify mitigation measures and verification procedures, and be implemented and supported by the FSMS.

Other requirements. V6.0 also includes clarifications on the requirements for the certification process and implements the addition of a QR Code on FSSC 22000 certificates for improved traceability. It updates Communication Requirements (2.5.17) so organizations must 1) inform the certification body within three days of serious events/situations that may impact the FSMS and/or the integrity of the certification, and then 2) implement corrective measures as part of the emergency response and preparedness process. In addition, the standard requires that major nonconformities must be closed by the certification body within 28 calendar days from the last day of the audit. If this is not possible, the Corrective Action Plan must include temporary measures and controls necessary to mitigate the risk until permanent corrective action can be implemented.

Next Steps

Sites currently certified to FSSC 22000 have a transition period of 12 months to prepare their FSMS to be audited against the V6.0 requirements. The next year affords these organizations the time to assess current FSSC 22000 elements; identify improvements that are internally desirable and/or required by the new V6.0; and implement those updates to reduce nonconformances with FSSC 22000 V6.0. This can be done through a series of phases to ensure adoption throughout the organization:

Phase 1: Internal Assessment. Review existing FSSC 22000 food programs, processes, and procedures; document management systems; and employee training tools and programs to identify those areas in need of updates, development, and/or implementation to meet the requirements of V6.0.

Phase 2: FSMS Updates. Based on the assessment, develop a plan for updating your FSSC 22000 FSMS, including major activities, key milestones, and expected outcomes. This may include updating/developing programs, processes, procedures, and training with missing V6.0 requirements.

Phase 3: Training. To ensure staff are prepared to implement and sustain the updated FSSC 22000 V6.0 program, they must be trained on applicable requirements; specific plans, procedures, and good manufacturing practices (GMPs) developed to achieve compliance; and the certification roadmap to prepare for future assessments.

View the complete FSSC V6.0 standard.

As one of the premier events in the food industry, the Food Safety Summit provides a comprehensive conference and expo for attendees to learn from subject matter experts, exchange ideas, and find solutions to current industry challenges.

• When: May 8-11, 2023
• Where: Donald Stephens Convention Center, Rosemont, Illinois
• Who: Retailers, food processors, distributors, food manufacturers, growers, foodservice, testing laboratories, importing/exporting, law firms, and other food safety professionals
• Find KTL: Stop by our booth (#534) in the exhibit hall!

KTL Solutions Stage Presentation

Be sure to also update your agenda to attend KTL’s Solutions Stage presentation on Thursday, May 11 at 2:00 pm CT:

The Big Secret: You already have the software you need to build your FSMS.
Having a simple, centralized FSMS to manage, track, communicate, and report compliance program information can enable staff to complete required tasks, improve compliance performance, and support operational decision-making. It sounds expensive, but it doesn’t have to be—not when most companies already have the software and just need the right combination of food safety and IT expertise to customize it. KTL will present several examples that demonstrate how various food companies are leveraging Microsoft 365® with SharePoint and the Power Platform to elevate their FSMS and effectively manage food safety compliance documentation, data, and certification requirements.

When preparing for compliance and certification audits, environmental monitoring is an area where there are often questions: What are my requirements? How much do I need to do? What happens if I have a deviation? There are many intricacies associated with environmental monitoring that can depend largely on operational processes and compliance and certification requirements—many of which are not always clearly defined. KTL’s food safety experts offer their high-level perspective on some common questions regarding environmental monitoring.

What is environmental monitoring?

Environmental monitoring involves sampling and testing your facility’s environment for pathogens, spoilage and indicator organisms, and allergens to prevent foodborne illness. Environmental monitoring is typically done by swabbing various surfaces for pathogens and sending those samples to an accredited lab for analysis. This monitoring helps to 1) assess how effective the plant’s cleaning and sanitation programs are, and 2) determine whether any pathogens are living in the facility so it can respond accordingly (e.g., adjusting cleaning procedures, addressing personnel hygiene issues, etc.). 

What is an Environmental Monitoring Program (EMP)?

An EMP refers to an entire program for organizing the monitoring process to prevent pathogens—and foodborne illness—in finished product. The EMP helps to identify those areas where harmful microorganisms could be harboring in the facility and to implement and verify the effectiveness of pathogen controls (e.g., cleaning and sanitation procedures, sampling frequency and methodology, employee hygiene practices). Ultimately, the purpose of an effective EMP is to help a facility identify and implement strategies to eliminate pathogens and prevent their recurrence.

Who needs an EMP?

Certain foods are considered high risks for harboring pathogens and growing bacteria. These include beef, poultry, dairy, seafood/shellfish, ready-to-eat (RTE) food, baby food, leafy greens, and tree nuts. According to U.S. Public Health Service, the organisms in the table below—and their sources—are the biggest culprits of foodborne illness:

The kill step is the point in food manufacturing when dangerous pathogens are removed from the product. This is often done by killing pathogens through processes such as cooking, pasteurization, irradiation, and freezing. It is one of the most important steps in keeping food safe. The following questions can help determine whether an EMP may be necessary for your facility:

• Does your process have a kill step that removes dangerous pathogens from the product?
• Is your product exposed to the environment after the kill step and before packaging?
• Does your product combine RTE products without including a kill step?

Why do I need an EMP?

From a compliance perspective, the Food and Drug Administration’s (FDA) Food Safety Modernization Act (FSMA) Final Rule for Preventive Controls for Human Food requires it: “A facility who has identified a potential environmental pathogen or indicator organism as a hazard to RTE foods is required to include an EMP in its Food Safety Plan. A trained Preventive Controls Qualified Individual (PCQI) needs to review EMP test results to ensure that the Food Safety Plan is being followed.”

From a certification perspective, most Global Food Safety Initiative (GFSI) food safety certification schemes also require an EMP, and failure to have an effective program will result in a major non-conformance.

From a consumer protection perspective, environmental monitoring is intended to protect consumers by keeping harmful bacteria from contaminating the food we eat. An EMP can help serve as an early warning system for identifying a potential contaminant before it spreads throughout the facility and into food that reaches the consumer.

What does an EMP include?

EMP requirements are set forth by FDA and GFSI certification programs, but retailers and consumers may also have their own requirements that impact the food supply chain. According to FDA, a FSMA-compliant EMP should include:

• Established, written, and scientifically valid procedures.
• Identified testing microorganisms, adequate locations, and number of collection sites.
• Identified timing and frequencies for collecting and testing samples.
• Identified corrective action procedures in compliance with CFR 21 section 117.150.
• Testing performed by an accredited laboratory.

An EMP should be tailored to the facility’s specific operations and food products; however, there are several steps that every program should include:

• Perform a risk assessment. Determine the risks associated with the plant’s operations, including identifying high-risk foods and potential pathogens that could be present. The frequency of environmental monitoring will be determined by the hazards and risks identified.
• Determine hygienic zones. An EMP should include sampling to assess activities, pathogens, associated risks, and mitigation options within the following zones (from highest to lowest risk):
  • Zone 1: Direct food contact services (e.g., counters, conveyers, utensils).
  • Zone 2: Indirect food contact surfaces that are close to food contact surfaces (e.g., crevices of equipment, drip shields).
  • Zone 3: Indirect food contact surfaces that are not close to food contact surfaces (e.g., walls, floors, drains).
  • Zone 4: Areas distant from food contact surfaces and processing areas (e.g., locker rooms, lunchrooms, offices).
• Implement and manage testing protocols. Testing and sampling protocols should identify the frequency of sampling required (depending on risks), number of samples (depending on the facility size), timing of sampling (before/during/after production), person responsible for conducting sampling, and an accredited lab (ISO 17025) to use for testing, as needed. Some facilities may opt to conduct internal “rapid tests” at interim phases of production by trained staff to provide more immediate and cost-effective results and leave third-party lab testing for the final product. Regardless of whether testing is done internally or by a lab, an effective EMP will swab different sites each time to reduce the likelihood of contamination going undetected.
• Develop corrective action procedures. Sampling is intended to identify high-risk areas. How an establishment responds to any findings—and how quickly—is critical. Potential corrective actions may include changing cleaning chemicals, increasing frequency of cleaning program, requiring uniforms, etc.
• Verify and validate the EMP. Data, programs, and procedures should be regularly reviewed to ensure the EMP is serving its intended purpose. Verification provides proof the EMP is working; validation provides proof it is effective.

What do I do if I have a deviation?

The FDA anticipates that facilities with EMPs will occasionally detect environmental pathogens. If this happens, the facility should immediately enact the corrective actions outlined in the facility’s EMP (see above). This may include modifying cleaning and sanitation procedures, recleaning areas, conducting retesting, holding product, or even issuing a product recall.

It is important for facilities to remember that any environment has the potential to become contaminated with a pathogen. Never having a positive result for a common environmental pathogen might not necessarily mean that the EMP is “perfect;” rather, it might be a sign that the right areas are not being swabbed adequately. Keep in mind that any positive result offers an opportunity to improve the EMP and related cleaning/sanitation/hygiene procedures.

How can I prevent environmental pathogens?

There are a number of key actions food processors can undertake to prevent environmental pathogens from contaminating their facilities and food products:

• Apply Good Manufacturing Practices (GMPs). GMPs apply to EMPs, as with every other aspect of a strong food safety program. GMPs that will impact environmental monitoring results include employee hygiene practices, sanitary facility and equipment design, and cleaning and sanitation processes.
• Evaluate, implement, and verify preventive controls. Identify your greatest risks for environmental pathogens, and proactively develop strategies to implement controls in your process flow. These may include controlling pedestrian walkways to avoid personnel contamination; using dedicated tools, equipment, and/or staff post-process; having special uniforms for staff, etc. Just as important, you must verify the performance of your preventive controls through environmental monitoring and take corrective action immediately if problems arise.
• Ensure employees and other resources are qualified. Employees responsible for sanitation, sampling, and overseeing the EMP must have the necessary training and/or experience for assigned duties. In addition, any outside labs used for environmental testing must be accredited under ISO 17025.
• Review and update the EMP. Products, operations, equipment, employees, processes, and other environmental factors change—and all of these can impact the EMP. Conducting periodic reviews to ensure processes and procedures reflect any new conditions is important in ensuring a facility’s overall hygiene and its products’ quality and safety.