Skip to Content
chevron-left chevron-right chevron-up chevron-right chevron-left arrow-back star phone quote checkbox-checked search wrench info shield play connection mobile coin-dollar spoon-knife ticket pushpin location gift fire feed bubbles home heart calendar price-tag credit-card clock envelop facebook instagram twitter youtube pinterest yelp google reddit linkedin envelope bbb pinterest homeadvisor angies
A National Food Safety Month – Special Post

The Food Safety Modernization Act (FSMA) Final Rule provides us with guidance and law related to protecting food from intentional acts of contamination. To prevent an act of intentional adulteration (IA) that could cause harm to the public on a large scale, the FDA is implementing risk-reducing strategies to combat IA, as detailed in a recently required Food Defense Plan.

Strategies to build this plan include:
  • Vulnerability Assessment
  • Mitigation Strategies
    • Monitoring
    • Corrective Actions
    • Verification
  • Training and Record keeping
The Vulnerability Assessment

The Vulnerability Assessment is the major starting step in the process. As Peter Drucker once said, “You can’t manage what you don’t measure”. While the FDA is not prescriptive in the methodology, they have discussed CARVER + Shock and the guidance from their Food Defense Plan Builder.

Some personal commentary on vulnerability assessment…

  • CARVER + Shock is great process and tool. However, as it was originally designed by the US military and used extensively in US government entities, few commercial clients can afford to do it.
  • Government operations with lots of resources and time to pull together large teams of subject matter experts to work through a very extensive methodology will produce tremendous results using CARVER + Shock.
  • The private sector is hard-pressed with regards to resources, time, and money to use CARVER + Shock or similar processes, and at the same time, keep this data current.
  • On an August 22, 2017 call, the FDA representatives acknowledged this challenge for private industry. On this same call, the FDA mentioned that their Food Defense Plan Builder tool is a bit dated, and is currently being refreshed. There is no firm date for the availability of the new plan builder. Some time ago, the FDA removed their CARVER + Shock software tool from public circulation.
  • No methodology is ever perfect, but one does need to start somewhere. Refining the assessment instrument over time, while refreshing the data to avoid unpleasant surprises from emerging threats.

The encouraging news from the recent FDA call with industry is that they are socializing Key Activity Types (KATs) as a legitimate vulnerability assessment method for the private sector. I believe this is great news for food producers and with some modifications, will provide an excellent vulnerability assessment model.

Us Government Vulnerability Assessment Project

From 2005 – 2008, the FDA, USDA, FBI, and DHS conducted CARVER + Shock threat assessments on 36 products, processes, or commodities in the food and agriculture sector. Afterwards, the FDA conducted another 18 assessments on products not previously assessed and updated another 16 that were previously examined.

Examples of FDA Vulnerability

Unfortunately, much of the data that resulted from these product, process, and commodity assessments are classified and cannot be shared with the industry!

What can be publicly shared is found here:

Sound Documentation Is Imperative

Examining the IA Rule, we want to ensure a complete food defense process, along with good documentation of our process, and why we made the recommendations and decisions we determined reasonable and appropriate. We would also want to document our reasoning for discounting certain traditionally vulnerable processes or areas.

Our process should look like this:

The Food Defense Plan

  1. Vulnerability Assessment
  2. Mitigation Strategies
  3. Procedures for food defense monitoring
  4. Food defense corrective actions procedures
  5. Food defense verification procedures
  6. Training
  7. Reanalysis
  8. Records
Key Activity Types (KATs)

Examining the Key Activity Types (KATs) model, we see that the FDA determined that processing steps can be grouped, based on the types of activities are being carried out during the food production process.

Key Activity Types
FDA Identified KATs
  1. Coating/Mixing/Grinding/Rework
  2. Ingredient Staging/Prep/Addition
  3. Liquid Receiving/Loading
  4. Liquid Storage/Hold/Surge Tanks

We can examine the processing on our site and identify those points that present us with the most risk. We can apply the term Actionable Process Steps to these items.

For each point, step, or procedure we must consider at a minimum the following:

  1. The potential impact on public health
  2. To what degree there is physical access to the product
  3. The ability of an attacker to successfully contaminate a product
Special Notes of Caution:
  1. While other considerations may be prudent based on many factors, these three elements are fundamental and required for a Food Defense Vulnerability Assessment by the FDA.
  2. It is VERY important to note that you MUST consider the possibility of an insider attack in your vulnerability assessment. Also, the results of your assessment must be documented in writing.
Food Defense Vulnerability Assessment

KATs and the Three Fundamental Elements

In this chart, we see that the FDA has organized common vulnerabilities into generalized activity groups – Key Activity Types. They are linked to the three fundamental elements, as required.

Key Activity Types
The FDA’S view of KATs
  1. Efficient
  2. Science-based
  3. An approach companies MAY use to ID actionable process steps
Key Activity Types

Key Activity Types, when combined with other physical security methodologies and body of knowledge can bring a Corporate Security Department to the leadership pinnacle. In my opinion, Key Activity Types presents us with a workable model to build on any existing food defense and food safety strategies. KATs helps us create a science-based Food Defense Vulnerability Assessment program that will:

  • Gather internal stakeholders that may not have previously been at the table
  • Help Corporate Security socialize a significant new approach to Food Defense
  • Ultimately if done right, build tremendous internal goodwill, buy-in, and mitigation budgets

I would very much enjoy continuing this Food Defense discussion with you, the corporate security or food defense professional. As a Certified Food Defense Coordinator with many successful, hands-on vulnerability assessment projects during my career, I look forward to exploring with you new ways of thinking about old problems. PRS believes in charting new courses and approaching each project with a tailored approach. If KATs and some related tools are of interest to you, reach out, and let’s have a chat. You can book a call with me through my calendar link:

Please forgive the FDA slide quality. They were the only slides available to us from the source at time of writing.