This fall brings the first major compliance deadlines for rules promulgated under the Food Safety Modernization Act (FSMA), the most sweeping reform of U.S. food safety laws in over 70 years. Enacted in 2011 and now set to be implemented through seven major substantive rules—all issued within a 9-month period ending in May 2016—FSMA introduces a new era in food safety by focusing on preventing food safety risks rather than on responding to crises after they happen. As we enter the enforcement stage for the new rules, we consider the practical challenges of each rule and identify areas where enforcement may provide clarity, including in relation to one of the most difficult aspects of the final rules: regulation of the supply chain.
Each of the seven foundational rules plays a distinct role in the new integrated national food safety system, and together, they reflect the U.S. Food and Drug Administration (FDA)’s mandate to comprehensively regulate and modernize virtually all aspects of the food industry. Under this new framework, FDA requires preventive controls for food facilities and mandatory produce safety standards for a broad range of farming activities. Importers must verify that food produced on foreign farms and facilities is produced under standards at least as rigorous as those that apply to domestic food, and an accreditation program will regulate certain audits of foreign foods and foreign facilities. Regulations to minimize food safety risks during transport will apply to persons involved in the transportation of food by motor or rail carrier, including shippers, carriers, receivers, loaders and even brokers. And larger facilities will be required to protect against intentional adulteration intended to cause wide-scale public harm.
To allow FDA to accomplish this sweeping mandate, FSMA provides the agency with expanded enforcement authority to compel compliance with the new rules and to respond to and contain problems when they occur. Under FSMA, FDA now has mandatory recall authority, more flexible authority to administratively detain or to deny entry to food that poses potential safety risks, the ability to suspend facility registrations and the authority to require expanded record-keeping. The enforcement penalties for noncompliance are severe. Failure to comply with the rules may result in significant civil and strict-liability criminal penalties, which means that responsible persons can be guilty of a crime without negligence or knowledge of a violation.
In some of the most challenging provisions of the new rules, FDA imposes obligations on covered parties to verify and to provide or receive documentation regarding food safety risks to other parties in their food supply and distribution chains. In some instances, these requirements even require covered entities, such as importers, to obtain verifications from entities multiple steps back in the supply chain. Given the complexity of many modern supply chains, complying with these provisions will prove challenging in practice, and the industry will be watching to determine how FDA enforces these particular regulations.
As with all new regulations, questions remain about FDA’s expectations for certain aspects of the FSMA rules, as well as how those uncertainties may impact business operations. As these deadlines approach, it is important to examine particular challenges with each of the rules and understand key considerations regarding likely implementation challenges and potential enforcement risks.
The Preventive Controls Rule
One of the cornerstones of the new FSMA regulations is the final rule regarding Current Good Manufacturing Practice, Hazard Analysis and Risk-Based Preventive Controls for Human Food (the Preventive Controls rule). Under the Preventive Controls rule, a facility is required to develop a written food safety plan that includes a risk-based assessment to identify hazards where preventive controls are necessary to significantly minimize or prevent hazards for any food that is manufactured, processed, packed or held at the facility. The written food safety plan must also include procedures for monitoring, corrective actions and verification of each preventive control. Raw materials or ingredients must be sourced only from approved suppliers, and manufacturers and processors must verify that their suppliers are controlling for hazards earlier in the supply chain.
Many facilities were required to comply with the Preventive Controls rule by September 19, 2016, although facilities have longer to comply with the “supply chain program” requirements, for which there are varying deadlines depending on the facility and the supplier. Here are some considerations as you make one last check that your food safety plan is in order:
Remember that the Preventive Controls Rule Is Not HACCP
Your Hazard Analysis should not be limited to the Critical Control Points (CCPs) set forth in your Hazard Analysis and Critical Control Points (HACCP) plan, if you have one. Even a world-class HACCP plan may not be sufficient. Conversely, even facilities with no CCPs might need preventive controls. The goal of the Preventive Controls rule is to identify a broader class of “hazards requiring a preventive control,” which may exist other than at CCPs.
Take a Tiered Approach to Hazard Analysis
The Preventive Controls rule refers to “hazards,” “known or reasonably foreseeable hazards” and “hazards requiring a preventive control.” Let this guide your Hazard Analysis. Out of the entire universe of hazards—that is, biological, chemical (including radiological) or physical agents likely to cause illness or injury—your Hazard Analysis should identify those that are “known or reasonably foreseeable” for each type of food manufactured, processed, packed or held at your facility. Out of this subset of hazards, you should identify those “hazards requiring a preventive control.” This is a risk-based determination, considering both the severity of illness or injury if the hazard occurs and the probability the hazard will occur in the absence of preventive controls.
Broaden Your Focus Beyond Adulteration and Reportable Risks
In identifying “hazards requiring a preventive control,” focus on hazards that are reasonably likely to cause illness or injury. Such risks might not rise to the level of “serious adverse health consequences or death to humans or animals” (a “SAHCODHA” threat), which would render a food “reportable” for the purposes of the Reportable Food Registry. But you also are not identifying every agent that could potentially render a food “adulterated” under the Federal Food, Drug, and Cosmetic Act. For example, production of food under insanitary conditions might “adulterate” a food but would not necessarily cause illness or injury. We will be watching for guidance and enforcement to clarify the severity and probability thresholds that must be reached for specific hazards to require a control.
Don’t Miss These Supply Chain Program Minimums
You do not want to miss the forest for the trees with the FSMA requirements, but there are some trees in the “supply chain program” requirements to which you must pay close attention. According to FDA, manufacturers and processors “cannot ignore published information relating to a supplier’s compliance with applicable FDA food safety regulations” when they approve suppliers or determine appropriate supplier verification activities. If you receive raw materials or ingredients from a supplier, it is a mistake not to document that you have searched FDA’s publicly available databases for warning letters and import alerts and researched publicized actions for the potential suspension of a supplier’s facility registration. Similarly, if a supply chain control is required for a SAHCODHA threat (e.g., pathogens or their toxins in ready-to-eat foods, most undeclared allergens, etc.), then an annual audit is the presumptively appropriate supplier verification activity. Refer to reports from the Reportable Food Registry for assistance in determining whether a hazard presents a SAHCODHA threat and make sure your food safety plan includes a written explanation if you decide on a verification activity other than an audit. Finally, make sure you have procedures for receiving raw materials and other ingredients, including a documented mechanism for ensuring food is received only from approved suppliers.
“We’d Like to See Your Food Safety Plan”
Be prepared to produce your written food safety plan within 24 hours. This sounds easy enough. But if your food safety plan consists of records in multiple places at a facility (although the plan must be located on-site), make sure you are not confirming its contents or its whereabouts after FDA requests a review. This is particularly important because FDA has suggested that it may rely on “two-tiered” reviews to enforce FSMA, starting first with a records request for the food safety plan before proceeding to an on-site physical inspection of a facility.
Compliance with most of the requirements for the Preventive Controls rule is now required for many facilities. With the supply chain program requirements fast approaching—as soon as March 2017 for some facilities—now is the time to reconfirm that your food safety plan is in full compliance with the Preventive Controls rule.
The Produce Safety Rule
When one considers the types of foodborne illness outbreaks that FSMA is designed to address, no other sector of the food supply more immediately comes to mind than fresh produce. Precisely because a number of recent outbreaks have involved fruits and vegetables, FSMA’s final rule regarding Standards for the Growing, Packing and Holding of Produce for Human Consumption (the Produce Safety rule) for the first time establishes science-based minimum standards that are focused entirely on “farms.”
Some of the clarity that the Produce Safety rule provides can be lost in the density of the science. The rule focuses on six areas of farm-related produce safety risks—worker training and hygiene; agricultural water practices; biological soil amendments (e.g., manure and composting methods); animal-related contamination (both wild animal intrusion and working animals); farming equipment and buildings; and special provisions focused entirely on sprouts.
This spectrum of risks reflects FDA’s effort to address and define “the realities and range of activities that farms conduct.” Under the final rule, a “farm” is an operation in one general (although not necessarily contiguous) location that is devoted to the growing or harvesting of crops or the raising of animals. You might think of this as the core of farming activity, as FDA sees it, and various farming operations branch out from that starting point. Covered farming operations also include more complex associations. For example, cooperatives and on-farm packinghouses, food aggregation and minimal “manufacturing” or “processing” activities and even off-farm packing at a “secondary activities” farm all fall within the “farm” definition.
The immediate and important practical consequence of FDA’s acknowledgement of the breadth of modern farming practices is that a greater number of food suppliers are “farms” covered by the Produce Safety rule, and not “facilities” subject to the Preventive Controls rule. Unlike the Preventive Controls rule, which requires facilities to consider biological, chemical (including radiological) or physical hazards, the Produce Safety rule focuses entirely on biological hazards. It does so by using generic Escherichia coli as a proxy for the potential threat of fecal contamination and requires that no detectable generic E. coli be present in any agricultural water used in harvest and postharvest activities, or that certain thresholds not be exceeded during direct-application growing activities. More rigorous requirements apply to sprouts because the warm, moist conditions in which they grow are conducive to growing harmful bacteria.
Farms will need to make a proactive effort to comply with the Produce Safety rule. For example, farms are responsible for maintaining the integrity of their agricultural water sources, including by regularly inspecting those sources for conditions “reasonably likely to introduce known or reasonably foreseeable hazards into or onto covered produce or food contact surfaces.” In some situations, this will require farms to consider conditions beyond their control, including uses of nearby or adjacent land and other uses of the same water source. If an event impacts the quality of a water source (e.g., discovery of a dead animal in a spring used for irrigation or changes in adjacent land use), a farm might need to take corrective measures and revise the water quality profile for the source that is required to be developed under the rule. Farms also must take measures to identify and not harvest produce that is reasonably likely to be contaminated. At a minimum, this requires inspection of all covered produce to be harvested.
Downstream manufacturers, processors and restaurants or retail food establishments should review the exemptions if they intend to source from FSMA-covered produce farms. For example, small farms with average annual produce revenue of less than $25,000 during the previous 3-year period are not covered by the Produce Safety rule. In addition, farms with average food sales of less than $500,000 per year during the previous 3-year period and that predominantly sell to “qualified end-users,” including restaurants or retail food establishments in the same state or within a 275-mile radius, are subject only to modified requirements that primarily relate to identifying the farm on the label or at the point of purchase. Entities that source produce from exempt small farms or farms subject to the modified requirements might need to do additional diligence regarding the safety practices at those farms. Finally, although produce that will be subjected to commercial processing is exempt from the rule, this applies only if the supplier discloses that the produce has not been processed and if the customer provides an annual written assurance that it is adequately processing the produce.
The Produce Safety rule covers the entire spectrum of day-to-day farming practices. Even well-advanced farming operations should review the rule carefully to make sure they are complying with the new requirements, including with respect to training and record-keeping. In addition, downstream entities, including manufacturers and processors who must verify produce suppliers as part of their preventive controls supply chain program, should consider whether farms sourcing their produce are covered by and in compliance with the Produce Safety rule.
Foreign Supplier Verification Program Rule
As part of its mandate under FSMA, FDA must implement a program to ensure that food imported from foreign suppliers is produced in compliance with processes that provide the same level of safety protection that is required of domestic facilities. Under FDA’s rule regarding Foreign Supplier Verification Programs for Importers of Food for Humans and Animals (FSVP rule), “importers” must develop written plans to approve foreign food suppliers and also conduct supplier verification
The FSVP rule defines “importer” as “the U.S. owner or consignee of an article of food that is being offered for import into the United States,” and “[i]f there is no U.S. owner or consignee of an article of food at the time of U.S. entry, the importer is the U.S. agent or representative of the foreign owner or consignee at the time of entry, as confirmed in a signed statement of consent to serve as the importer under this subpart.” The rule further defines “U.S. owner or consignee” as “the person in the United States who, at the time of U.S. entry, either owns the food, has purchased the food, or has agreed in writing to purchase the food.”
For facilities already required to comply with the supply chain requirements of the Preventive Controls rule (i.e., manufacturers or processors who receive raw materials or ingredients from suppliers), this language presents little challenge. If such a facility complies with the Preventive Controls rule, it will be in compliance with the FSVP rule (except for a requirement that the FSVP importer be identified at the time of entry of the food). But for facilities other than manufacturers or processors, including warehouses or distributors that only hold or pack food, identifying the appropriate FSVP “importer” is more difficult.
As the industry waits for additional guidance from FDA regarding how to identify the “importer” for the FSVP rule, facilities should focus on a few factors to guide their analysis. As an initial matter, remember that “importer” is specifically defined in the FSVP rule. FDA has emphasized that an “importer” for FSVP purposes is not necessarily either the importer of record for customs purposes or the person who submits information to comply with FDA prior notice regulations. You might be an importer for some other purpose but not for the FSVP rule.
FDA also has said that the FSVP “importer” should have “a financial interest in the food” and “knowledge and control of the food’s supply chain” at the time the food enters the United States. This could be true of multiple parties, so consider which party has a greater financial interest and knowledge and control of the supply chain at the time of entry. This will not necessarily be the direct owner of the food, in part because “entry” refers not to physical entry, but rather to the filing of certain papers with U.S. Customs and Border Protection. FDA has acknowledged “it is possible for U.S. persons to purchase or agree in writing to purchase food at the time of entry to the United States, even if they do not yet own the products at that time.”
Based on its comments to date, FDA’s promised guidance is likely to be fairly generalized to account for a variety of commercial relationships. On the one hand, this means that FDA might give the parties in a supply chain the flexibility to determine the most appropriate “importer.” In fact, FDA suggested in a presentation soon after publication of the final rule that the respective parties in the supply chain will be in the best position to identify the “importer” based on the circumstances. On the other hand, there are costs to this flexibility: Potentially covered entities will need to clarify the “importer” in each case, and it is unclear how FDA will evaluate supply chain relationships when the “importer” is not clearly identified.
The FSVP rule presents unique challenges because of the lack of clarity regarding the identification of the covered “importer” as a threshold matter. At least until FDA clarifies its position in guidance, potentially covered “importers” have no alternative but to work with other supply chain partners to identify the most appropriate FSVP “importer” based on financial interest and control of the supply chain and the particular circumstances of each situation.
Foreign Audits Rule
As part of its sweeping reforms, FSMA mandates that FDA take steps to ensure the safety of food imported from foreign sources. In a narrow, technical rule with important implications for FSMA’s overall design, the final rule regarding Accreditation of Third-Party Certification Bodies to Conduct Food Safety Audits and To Issue Certifications (Foreign Audits rule) establishes a voluntary program by which foreign entities may request food safety audits and certifications from accredited third-party auditors.
The narrow focus of the Foreign Audits rule can make it difficult to discern how the rule fits into FSMA’s overall scheme. Here is how it works: FDA will start by recognizing certain accreditation bodies that will certify third-party auditors to conduct foreign food safety audits. A foreign entity, including a foreign “facility” that is required to register with FDA under Section 415 of the Food, Drug, and Cosmetic Act, can then voluntarily request that an accredited third-party auditor conduct a food safety audit or provide certifications for a food or a facility. There are two threshold takeaways: The program is voluntary, and it applies only to foreign entities.
This of course begs the question why an entity might ever want an audit under the Foreign Audits rule. There are two primary reasons. First, FDA is required to set up what is called the Voluntary Qualified Importer Program (VQIP), which, for a fee, will allow for expedited review and entry for firms with “a high level of control over the safety and security of their supply chains.” Only foreign entities that have been certified by a third-party audit under the Foreign Audits rule can participate in the VQIP. The idea is that expedited entry might incentivize foreign entities to request audits under FDA’s guidelines.
The second reason that an audit under the Foreign Audits rule might be needed is that FDA has the authority, in limited circumstances, to require certification from an accredited third-party auditor as a condition of admissibility. This authority is risk-based and is limited to circumstances in which FDA determines that a food presents a potential safety risk. (Additionally, instead of requesting certification under the Foreign Audits rule, FDA may request certification of an agency or representative of the government of the country from which the foreign food originated.) By requiring certification under the Foreign Audits rule, FDA can ensure both the competence and independence of the third-party auditor in situations involving greater potential public risk.
In addition to these two statutory-based reasons for seeking an audit under the Foreign Audits rule, a foreign entity might voluntarily seek an audit under the rule for reasons relating to the supply chain aspects of FSMA more generally. This relationship probably contributes to some of the confusion about the rule. Under the Preventive Controls rule and the FSVP rule, a receiving facility or importer, respectively, might determine that an audit of a supplier is required as a supplier verification activity under those rules. Such an audit must be conducted by a “qualified auditor,” and that auditor can be, but need not be, an accredited third-party auditor under the Foreign Audits rule.
This means that a successful audit under the Foreign Audits rule has significant benefits: expedited entry, coverage in the unlikely event of a risk-based FDA demand and satisfaction of a downstream supplier verification request. But here’s the other side of the coin: An accredited third-party auditor is required to perform unannounced facility audits and to notify FDA upon discovery of a condition that could cause a serious risk to public health. The third-party auditor may, but is not required to, notify the audited entity at the same time notice is given to FDA where concurrent notice is “feasible and reliable.” This notification requirement applies to “consultative” audits that are intended for internal purposes only and to “regulatory” audits that can be used to acquire certification under the Foreign Audits rule.
The Foreign Audits rule has a narrow but significant role in FSMA’s ability to minimize food safety risks from foreign sources. As the rule is implemented, the industry will be watching in particular for how significantly FDA incentivizes participation in the voluntary accreditation program by expedited entry through the VQIP. FDA has indicated that the programs under the Foreign Audits rule will be implemented once it finalizes guidance regarding model standards that will be used to accredit third-party auditors and after it finalizes a rule that will establish the user fees that will reimburse FDA for its costs in establishing and administering the program.
Sanitary Transport Rule
As part of FDA’s reform of the nation’s food safety system under FSMA, the Sanitary Transportation of Human and Animal Food Rule (Sanitary Transport rule) addresses unsafe practices that may create food safety risks during transportation by rail or motor vehicle. Applicable to shippers, carriers, loaders and receivers of food in intrastate or interstate commerce, the rule imposes vehicle and equipment standards, temperature and cross-contamination controls and training and record-keeping requirements.
Industry should take note of some important changes in the final rule. The final rule clarifies that its focus is on threats to food safety, not spoilage or quality-related defects that do not necessarily render food adulterated. In addition, the final rule clarifies that the primary responsibility for communicating safety-related shipping requirements falls on the shipper, who is best situated to make this determination and will be required to communicate any requirements in writing to the carrier. Safety-related requirements include temperature controls, although the final rule provides the parties flexibility to agree how this will be done in each case.
A carrier that takes on food safety-related obligations must ensure that its own personnel are adequately trained, and in some circumstances, a carrier might be required to demonstrate to the shipper or receiver that all safety requirements have been met. At a minimum, shippers and carriers should review their shipping contracts to make sure that safety responsibilities and liabilities are clearly and appropriately allocated and comply with the new requirements. This deference to the contracting process and the placement of the primary obligation on shippers to communicate safety requirements is a win for carriers, and probably for the industry in general.
Brokers and loaders, however, probably will not be pleased with the final rule. FDA expressly included freight brokers in the definition of “shipper” in the final rule and added “loaders” (i.e., persons who physically load food onto vehicles) as an additional category of covered parties. As a practical matter, manufacturers will need to ensure that safety-related information is provided to loaders and freight brokers, who may, in turn, demand higher rates for taking on the additional legal responsibility under the rule. The final rule allows any covered party to reassign its responsibilities to any other covered party, so brokers, loaders and manufacturers should review their contracts to make sure that responsibilities are clearly allocated. Even when this is done successfully, however, manufacturers should also review their shipping papers to ensure that sufficient safety information is provided directly to carriers. A bill of lading might be the only contract that a manufacturer has with a carrier if carriage for the shipment was arranged through a broker and the broker goes under or fails to pass on safety information or liability to a carrier. Few bills of lading currently convey such information adequately.
Notwithstanding the flexibility given to covered parties to contract around their respective obligations, covered parties should note the final rule makes clear that any shipper (including a broker), carrier, receiver or loader who becomes aware of a condition that “may” have rendered food unsafe during transport must take action to make sure the food is not sold or further distributed until a qualified individual can evaluate its safety. (This is in addition to a receiver’s obligation to assess the safety of any food requiring temperature controls.) As with all the provisions of the Sanitary Transport rule, a violation of this provision is a “prohibited act” under the Food, Drug, and Cosmetic Act and raises the risk of serious criminal penalties. All covered parties, no matter what contracts are involved, should know this provision.
The Sanitary Transport rule does not apply to transportation operations of entities with less than $500,000 in average annual revenue, to foods that are completely enclosed by a container (unless the foods require temperature controls for safety) or to transportation involving certain animal food, food contact substances, compressed food gases, live animals and food that is trans-shipped or imported for future export. Other exemptions are provided for food when it is located in facilities subject to the exclusive jurisdiction of the U.S. Department of Agriculture (this exemption does not include dual-jurisdiction establishments) and to all transportation operations conducted by a farm. Businesses with fewer than 500 full-time equivalent employees, and motor carriers that are not also shippers and receivers and having less than $27.5 million in annual receipts, must comply with the final rule by April 2018.55 All other covered businesses must comply by April 2017.
Food Defense Rule
In perhaps the most distinctive of the FSMA rules, the rule regarding Mitigation Strategies to Protect Food Against Intentional Adulteration (Food Defense rule) requires large food companies for the first time to develop and implement written “food defense” plans to assess and manage the risk of an act of intentional adulteration intended to cause wide-scale public harm. In developing food defense plans, covered entities must conduct an analysis of each facility to assess significant vulnerabilities to intentional adulteration (in particular, the risk of an “inside attacker”), as well as develop mitigation and management strategies to minimize those risks.
The Food Defense rule focuses on large companies whose food products are most likely to reach the greatest number of people. Smaller facilities and specific industry sectors are exempt. Although the rule is a first of its kind, many facilities should be able to leverage their existing food safety policies and procedures as they set out to draft their food defense plans.
A covered facility should start first by determining who will develop the food defense plan. The plan must be prepared by “one or more qualified individuals,” and facilities might find it helpful to assemble a “vulnerability assessment team.” As FDA suggested in the proposed Food Defense rule, this team could include security personnel, food safety or quality assurance specialists, human resources, members of the operations or maintenance staff or a qualified third party. Deciding who should participate in a food defense strategy will be a facility-specific determination, and facilities should document their decisions regarding who is included and why. Use this as an opportunity to demonstrate to FDA that you were deliberate from the outset.
The axis of your food defense plan will be the required written “vulnerability assessment.” FDA referred to this in a webinar as the most novel and complex part of the Food Defense rule, so give particular focus here. The goal of the vulnerability assessment is to identify “actionable process steps” at which mitigation is needed to minimize the risk of a significant vulnerability to intentional adulteration. Start by preparing a flow chart to identify “each point, step or procedure” in the production process, and then at each point, consider three factors. (Let’s call these “the three vulnerability factors.”) Specifically, at each process point, consider the potential public health impact if a contaminant were added, the degree of physical access to the product and the ability of an attacker to successfully contaminate the product if access were obtained. As you progress from process point to process point, take special note of certain “key activity types”—bulk liquid receiving and loading; liquid storage and handling; secondary ingredient handling; and mixing and similar activities. Although it is not expressly set out in the final rule, FDA previously identified these key activity types as consistently the most vulnerable in over 50 vulnerability assessments applying the three vulnerability factors. These activities most likely will be actionable process steps in all but exceptional instances at your facility.
Use the three vulnerability factors to shape the rest of your food defense plan. At each actionable process step, a mitigation strategy must be implemented that is focused on the specific process step.63 Simplify this by focusing on the three vulnerability factors. For example, what mitigation will minimize access at this actionable process step? And how might you reduce the likelihood of successful contamination if access is obtained? (If you can accomplish both of these goals through mitigation, you also will have reduced the potential public health impact.) Locking ingredients in sealed containers in a sealed room and staging immediately prior to production might reduce access to an ingredient. Similarly, staffing sensitive areas with multiple employees or introducing downstream formulary controls might reduce the likelihood of successful contamination. Whatever mitigation is selected, you are required to support it with a written explanation, so use this opportunity to document the thoroughness of your decisions.
Stay focused on the vulnerability factors as you consider the “management” components of your food defense plan.64 In developing your food defense verification procedures, refer back to the written explanations you provided in support of your mitigation strategies. How effectively has each mitigation strategy minimized physical access and the potential for an inside attacker to contaminate the production process successfully? In answering these questions, you are not simply verifying your mitigation strategies—you are also verifying how well your monitoring procedures have identified deficiencies and supported effective corrective actions.
The Food Defense rule is a first-of-its-kind regulation. But by focusing on the three vulnerability factors and applying them through a step-by-step approach that is similar to a preventive controls or CCP analysis, facilities can leverage their experience in food safety issues as they address the unique challenges presented by the Food Defense rule.
While these new rules have challenging provisions, FSMA promises to introduce a new era in food safety by focusing on preventing food safety risks rather than on responding to crises after they happen. We considered the practical challenges of each rule and identified areas where enforcement may clarify how to implement the rules.
As with all new regulations, questions remain about FDA’s expectations in the coming years, as well as how those uncertainties may impact business operations. As implementation nears, it is important to examine these challenges and understand key considerations regarding likely implementation challenges and potential enforcement risks.
James F. Neale, Esq., is a partner and codeputy chair of McGuireWoods LLP’s food and beverage team. He regularly advises food manufacturers, distributors and retailers on regulatory compliance and litigation avoidance. He defends clients in food-related litigation, including cases of foodborne illness and labeling claims. He can be reached at firstname.lastname@example.org.
J. Brian Jackson, Esq., is a partner and cochair of McGuireWoods’s transportation industry team. His transportation clients span the full industry spectrum, including companies that transport food and food additive products. He tries high-exposure jury cases in jurisdictions throughout the United States. He can be reached at email@example.com.
Christopher A. Ripple, Esq., is an associate at McGuireWoods LLP. He focuses his practice on litigation and regulatory matters with an emphasis on the food and transportation industries. He advises food manufacturers, distributors and transporters on compliance with food labeling and food safety laws and counsels clients on federal transportation regulations. He can be reached at firstname.lastname@example.org.
1. Current Good Manufacturing Practice, Hazard Analysis and Risk-Based Preventive Controls for Human Food; Final rule, 80 Fed. Reg. 55907 (Sept. 17, 2015) (Preventive Controls rule). A similar rule, addressed to animal food, was finalized by FDA under FSMA on the same day. See Current Good Manufacturing Practice, Hazard Analysis and Risk-Based Preventive Controls for Food for Animals; Final rule, 80 Fed. Reg. 56169 (Sept. 17, 2015).
2. Preventive Controls rule, 80 Fed. Reg. at 56128.
3. See 21 C.F.R. § 117.3 (definitions of “hazard” and “hazard requiring a preventive control”).
4. Preventive Controls rule, 80 Fed. Reg. at 55950.
5. See 21 C.F.R. Part 117, subpart G (detailing the requirements of a supply-chain program).
6. Preventive Controls rule, 80 Fed. Reg. at 56105-56106.
7. 21 C.F.R. § 117.430(b).
8. Id. §§ 117.410, 117.415.
9. Id. §§ 117.315(c), (d); 117.320.
10. Public Meeting: FDA Food Safety Modernization Act Final Rules on Preventive Controls for Human and Animal Food, FDA-2015-N-0001, Oct. 20, 2015, Trans. at pp. 158–159.
11. Standards for the Growing, Packing and Holding of Produce for Human Consumption; Final Rule, 80 Fed. Reg. 74353 (Nov. 27, 2015) (Produce Safety rule).
12. Current Good Manufacturing Practice, Hazard Analysis and Risk-Based Preventive Controls for Human Food; Final rule, 80 Fed. Reg. 55907, 55936 (Sept. 17, 2015) (the Preventive Controls rule) (discussing revisions to the “farm” definition in the FSMA rules).
13. 21 C.F.R. § 112.3 (definition of “farm”).
14. Produce Safety rule, 80 Fed. Reg. at 74396.
15. 21 C.F.R. § 117.130.
16. 21 C.F.R. § 112.3 (defining “known or reasonably foreseeable hazard” as “a biological hazard that is known to be or has the potential to be, associated with the farm or the food”); id. at § 112.11 (requiring farms to take appropriate measures “reasonably necessary to prevent the introduction of known or reasonably foreseeable hazards into covered produce”).
17. See id. § 112.44.
18. See 21 C.F.R. Part 112, subpart M (sprouts); see also Produce Safety rule, 80 Fed. Reg. at 74507 (describing significance of sprout conditions).
19. 21 C.F.R. § 112.42.
20. See Produce Safety Rule, 80 Fed. Reg. at 74431–32; id. at 74455–56.
21. 21 C.F.R. § 112.112.
22. Id. § 112.4(a).
23. Id. § 112.5(a) (modified requirements); id. § 112.3 (definition of “qualified end-user”).
24. Id. § 112.2(b).
25. For the various compliance dates under the Produce Safety rule, see 80 Fed. Reg. at 74357.
26. See Foreign Supplier Verification Programs for Importers of Food for Humans and Animals; Final rule, 80 Fed. Reg. 74225 (Nov. 27, 2015) (FSVP rule).
27. 21 C.F.R. § 1.500 (definition of “importer”).
28. Id. (definition of “U.S. owner or consignee”).
29. Id. § 1.502(c).
30. FSVP rule, 80 Fed. Reg. 74300 (Nov. 27, 2015).
31. Id. at 74238.
32. Id. at 74240.
34. For information regarding compliance deadlines for the FSVP rule, see 80 Fed. Reg. at 74332.
35. Accreditation of Third-Party Certification Bodies to Conduct Food Safety Audits and to Issue Certifications; Final rule, 80 Fed. Reg. 74569 (Nov. 27, 2015) (Foreign Audits rule).
37. 21 U.S.C. §§ 381(q) and 384d.
38. 21 C.F.R. § 117.3 (definition of “qualified auditor”); 21 C.F.R. § 1.500 (definition of “qualified auditor”).
39. 21 C.F.R. § 1.651(b)(1) (unannounced audits); id. § 1.656(c).
40. 21 C.F.R. § 1.656(e)(1).
41. Id. § 1.656(c).
43. See User Fee Program to Provide for Accreditation of Third-Party Auditors/Certification Bodies to Conduct Food Safety Audits and to Issue Certification; Proposed rule, 80 Fed. Reg. 43987 (July 24, 2015).
44. Sanitary Transportation of Human and Animal Food; Final rule, 81 Fed. Reg. 20091 (Apr. 6, 2016) (Sanitary Transport rule).
45. Id. at 20093.
46. 21 C.F.R. § 1.908(b)(2)(5).
47. See generally id. § 1.908(e) (requirements applicable to carriers); id. § 1.910 (carrier training requirements).
48. Id. § 1.900(a) (stating that requirements apply to shippers, carriers, loaders and receivers); id. § 1.904 (defining “shipper” to include brokers).
49. Id. § 1.908(a).
50. Id. § 1.908(d).
51. Id. § 1.900(b).
52. 21 C.F.R. § 1.904 (definition of “noncovered business”).
53. 21 C.F.R. §§ 1.904 (definition of “transportation operations”), 1.900(b) (listing exemptions).
54. 21 C.F.R. §1.904 (definition of “small business”).
55. Sanitary Transport rule, 80 Fed. Reg. 20160 (Apr. 6, 2016) (regarding effective and compliance dates).
56. Mitigation Strategies to Protect Food against Intentional Adulteration; Final rule, 80 Fed. Reg. 34165 (May 27, 2016) (Food Defense rule).
57. Id. at 34190.
58. 21 C.F.R. § 121.5 (exemptions).
59. Focused Mitigation Strategies to Protect Food against Intentional Adulteration; Proposed rule, 78 Fed. Reg. 78013, 78042 (Dec. 24, 2013); see also Food Defense rule, 80 Fed. Reg. at 34197.
60. See generally 21 C.F.R. § 121.130.
61. See Food Defense rule, 80 Fed. Reg. at 34197.
62. Id. at 34195–96.
63. 21 C.F.R. § 121.135.
64. See 21 C.F.R. § 121.138 (regarding “mitigation strategies management components,” including monitoring, corrective actions and verification).