How would you evaluate your food defense plan?

So, there is one small producer of cookies, certifying IFS Food. They have developed food difence plan using FDA software, and mainly covered all possible threats, and developed preventive programs to lower the risks.
Additionally this company is performing the review of food defence plan once per year. Review is done through the recall simulation. How? Well, company finds one delivered product and simulate compliant on the taste of product. Taste on chemicals that is, whit suspicion on intentional contamination by employees. During recall procedure, also it is tested where nonconformity could happen and who could be responsible from the employees or visitors.
Whit this they also test food difence plan effectiveness.

So, problem is that auditor noted that this test is not adequate to review food difence plan?!

What is your oppinion?

Thank you all

Poslato sa WAS-LX1 uz pomoć Tapatoka

I suppose that test only tests one aspect of it.  Is there another way you review the plan?  It doesn't only have to be via testing?  Or could you expand your recall test to include other aspects of food defence?  We always run it as a scenario so you could include information suggesting an unauthorised person has accessed site to get more information during the crisis?  You could include a supplier contacting you to say they've picked up fraud in their supply chain?  

food defense must be robust.

food defense must be robust.

Really?

Poslato sa WAS-LX1 uz pomoć Tapatoka

We have an audit checklist outlining all the requirements of our food defense plan and audit it annually. This has been found acceptable in our BRC audit.

I suppose that test only tests one aspect of it. Is there another way you review the plan? It doesn't only have to be via testing? Or could you expand your recall test to include other aspects of food defence? We always run it as a scenario so you could include information suggesting an unauthorised person has accessed site to get more information during the crisis? You could include a supplier contacting you to say they've picked up fraud in their supply chain?

How we look at the whole thing is simple. You build your food defence plan in order to prevent intentional contamination of product that you deliver to market, or to have a proper and fast reaction in order to deal with the critical situation.
For me there are two tipes of the review of the plan. One is to review your preventive actions, and one is to review your reaction in critical case.
Standard does not define how you should perform the review of food defence.

I think in future we will do one more additional review with the possible force entrance or something like that to control surveillance and alarm systems. Second review will remain the same.

Thank you all,

Vlada

Poslato sa WAS-LX1 uz pomoć Tapatoka

Hi Vladimir,

 

So, problem is that auditor noted that this test is not adequate to review food difence plan?!

 

 

One might hope that the auditor would explain why ??

 

IIRC (not myself a user), the IFS website actually suggests what the auditor needs to see for compliance to relevant clauses.

US FDA Food Defense Plan Builder.

 

https://www.fda.gov/...s/ucm349888.htm

 

You are welcome.

US FDA Food Defense Plan Builder.

https://www.fda.gov/...s/ucm349888.htm

You are welcome.

Thank you Ryan,

Company allready used the FDA FD plan builder to build the plan. So question was, how do you evaluate the effectiveness of that plan and implemented preventive and corrective actions.

In this software you mention, there is check list that could be used once per year to evaluate existing plan, and to revise the plan. But for me, youll need something more concrete.

Br,

Vlada

Poslato sa WAS-LX1 uz pomoć Tapatoka

Thank you Ryan,

Company allready used the FDA FD plan builder to build the plan. So question was, how do you evaluate the effectiveness of that plan and implemented preventive and corrective actions.

In this software you mention, there is check list that could be used once per year to evaluate existing plan, and to revise the plan. But for me, youll need something more concrete.

Br,

Vlada

Poslato sa WAS-LX1 uz pomoć Tapatoka

Ah ok. It is like any other program, you audit against it. For food defense, what issues have you had with defense or security? How were they corrected? Issues during regular self inspections? Any changes to the program, regulatory environment, or practices?

To evaluate the effectiveness of the food defense plan, the cookie factory could try to simulate an act of intentional adulteration in their factory.  For example, they could ask an 'outsider' to try to infiltrate a production area or an 'insider' to gain access to an area that they are not authorised to enter.  The 'perpetrator' could then attempt to open a silo hatch, bulk storage container or mixing tank in a simulation of a deliberate contamination event.  If the food defense plan is effective then the outsider will not be able to get access to the food or ingredients.  During the simulation the actions of the 'perpetrator' should be observed from a discreet distance throughout and the whole thing documented.  The report should include which elements of the food defense plan were working well and which areas had room for improvement. 

To evaluate the effectiveness of the food defense plan, the cookie factory could try to simulate an act of intentional adulteration in their factory. For example, they could ask an 'outsider' to try to infiltrate a production area or an 'insider' to gain access to an area that they are not authorised to enter. The 'perpetrator' could then attempt to open a silo hatch, bulk storage container or mixing tank in a simulation of a deliberate contamination event. If the food defense plan is effective then the outsider will not be able to get access to the food or ingredients. During the simulation the actions of the 'perpetrator' should be observed from a discreet distance throughout and the whole thing documented. The report should include which elements of the food defense plan were working well and which areas had room for improvement.

Thank you for your inputs, this informations are valuable.
On the other hand, I must say that this is not complete test of the food defence plan, because it only covers intentional aldurteration in case of brake and entry, or just walk in from stranger. This would be prevented with the simple area restrictions and video surveillance.

Still, what we miss is to consider and test cases were intentional aldurteration is done internally by employees... And what will be done in case that there is product already distributed to markets...

Vlada

Poslato sa WAS-LX1 uz pomoć Tapatoka

Yes correct, food defense plans should also mitigate the risks from employees and contractors ('insider attacks').  I think if it was my client I would note in the report that the evaluation did not completely address insider risks and say that a simulation of an insider attack will be done in next years' verification activities. 

 

For product already distributed to markets, the adulteration would unfortunately be discovered by a customer or consumer, so the actions taken by the cookie factory would be the same as for any other kind of recall.  I would be surprised if the auditor would want to see separate verification of recall for food defense-related incidents. 

 

... or do you mean how does one test whether the food defense plan is effective at protecting products that are already out in the market?  That's more tricky I think. I wouldn't recommend a simulated 'attack' on product that has left the manufacturing facility.  Perhaps a test of the effectiveness of the tamper-evident features of the food packaging would be a good start? 

FSSC 22000 Certified

Manufacture composite cans

 

I just heard back from our external auditor about audit of the food defense plan.  When he was here he simply said there was no formal evidence that the plan had been reviewed although it was mentioned in our meeting minutes.  So as evidence that we corrected the finding I developed a formal form to be filled out and signed every year.  Now he is saying that having a piece of paper shows we have a document in place but it doesn't show we've implemented an audit of the plan.  

I had no clue about "auditing" the plan but we had challenged it by having someone come in and see how far they could get.  Now after reading your posts, I see that probably will not be enough to satisfy.

 

Shanna