Ten Need-to-Know FSMA Compliance Facts
The Food and Drug Administration (FDA) will soon start enforcing new food safety regulations in a broad-reaching set of regulations that will affect many industries—including retailers and transportation companies as well as food and agribusiness itself.
Here are ten things you need to know now to comply when the new food safety rules go into effect next month:
1. What is FSMA?
The Food Safety Modernization Act (FSMA), originally passed in 2011 and clarified with new rules several times since then, takes effect in stages, through at least 2020. It aims to prevent food-borne illness and contamination that can spread nationally or even internationally in an era of supply chains that are long and often global, potentially affecting huge numbers of people, brands and businesses.
2. What’s changing now?
By September 2016, the FDA will be enforcing stricter requirements that emphasize preventive controls for human and animal food. These requirements place a new premium on transparency into both products and trading partners.
One of the key new requirements is that companies must document and implement Hazard Analysis and Risk-Based Preventive Controls (HARPC). Companies must be able to produce required documents for the FDA within 24 hours, for records going back for up to two years prior to the request (called the 24-and-2 rule).
In addition, many retailers with their own private-label brands will be held responsible for their suppliers’ compliance.
3. Are food companies the only ones affected?
No. Large retailers (especially those selling private label product) and food transporters are also impacted. Also, food processors and their suppliers are realizing that they need to make sure that their affected suppliers comply with the new rules and document their compliance. Ignorance of suppliers’ lack of compliance will do little to deflect their legal liability under FSMA.
4. Could I be fined or go to jail?
It’s possible. Central to the FDA’s tougher approach is a no-excuses attitude toward affected companies’ senior management, who can be held liable for violations.
Think Sarbanes-Oxley for food companies. Executives are being held responsible for ensuring compliance, even when they’ve delegated such duties to others.
In particular, the Park Doctrine, which established that an executive could be held legally liable for violations even if the executive had delegated responsibility for food safety, is expected to be enforced much more aggressively than before. A first offense is a misdemeanor; the second is a felony. And ignorance of the law is no excuse. Already. prosecutors have sent executives to jail for food safety violations.
5. What do we have to do to comply now?
Food facilities are required to implement written preventive controls plans. For companies that already conform to existing HACCP regulations, HARPC (FSMA’s Hazard Analysis Risk-Based Preventive Control requirements) adds additional new preventive controls. Each facility is required to:
- Evaluate hazards that could affect food safety.
- Identify what preventive steps or controls, will be put in place to minimize or prevent the hazard.
- Describe how these controls will be monitored for effectiveness.
- Maintain routine records of such monitoring.
- Specify what actions the facility will take to correct problems that arise.
6. How much extra work does this mean for us?
All of these rules require greater documentation and record-keeping to ensure compliance, and the FDA can demand to see these docs or punish companies that can’t produce them.
The emphasis on documentation can pose compliance, IT and quality assurance headaches for companies—a problem made even more difficult with the requirement that supplier compliance needs to be kept by retailers and other downstream companies.
Also, your systems will need to support greater collaboration among trading partners, as well as archiving records of testing and certification. And of course, your technology will have a critical role in supporting the 24-and-2 rule.
7. Can we automate any of this?
Yes. Technology can automate much of this huge information-management problem, making affected companies’ programs and supply chains more transparent to others—and to themselves. Plus, automation can help companies manage their trading partner networks in real-time, so compliance and safety aren’t jeopardized by outdated information. The goal is for companies to “manage by exception,” as trading partners with undocumented compliance or supply-chain problems are automatically flagged for possible action.
8. But doesn’t this all mean months of development work for our IT group?
Not necessarily. Some companies are turning to cloud-based services, which means that most of the work has already been done for you. Some cloud providers, like ICIX, have built best-practice applications and templates that simplify and expedite compliance programs. A cloud application takes most of the load off of IT departments because security upgrades and maintenance are taken care of by the provider.
9. What should we look for in such a cloud-based FSMA compliance service?
Look for a system that:
- Has a big network—and preferably, one that already includes many of your current trading partners
- Helps you manage both information about trading partner companies and data about specific products
- Automates core processes and helps you manage by exception. Ideally, you can just “set it and forget it,” and get automatic alerts of the possibility of a problem.
- Provides transparency into most or all facets of your processes. For example, missing or incomplete hazard assessments or mitigation plans should be obvious in whatever system you use. Look for dashboards, alerts and easy reporting capabilities.
- Is easily customizable for your situation. Look for easy customization, so that you’re not having to program the system, just configure it. Also, look for “best practices” templates and setups, so you can quickly implement the standard good practices that regulators (and customers) expect.
10. Can we comply without overhauling our whole business and IT strategy?
Yes, and the cloud has made this a lot easier. Cloud vendors often do the work of pre-integrating their applications, eliminating much of the work that used to be done in internal IT departments. For example, ICIX FSMA supply-chain compliance solution is cloud-hosted and built on the popular Salesforce platform, which helps the application interoperate better with other enterprise software and slashes integration and maintenance costs.
New FSMA Rules: The Takeaway
Just knowing and documenting the compliance of every vendor in a supply chain can be a daunting task. Manually maintaining that information is nearly impossible, both technically and organizationally. Technology can automate much of the paperwork and lets you manage by exception.