Food safety programs have to be challenged to ensure that they work. Self-inspections are done to look for cleaning issues, maintenance issues, and record gaps. Some plants have GMP inspections just to evaluate personnel practices. Typically, mock recalls are conducted at least twice per year to ensure that all products can be tracked and traced in case of a recall. An actual Class 1 recall is not the time you want to discover that your program has holes. Most plants also meet with their pest control service providers to review activity, trend reports, and test control devices to ensure they are inspecting and checking them all. 

Facilities also have to ensure the programs in place for customer and certification audits are followed and tested. With the most recent rules of the Food Safety Modernization Act (FSMA) being finalized, many of these programs have switched from being good practice and good business to being the law.

One of the FSMA requirements that is scheduled to be passed in May 2016 is Section 106 - Protection against intentional adulteration. So, how do you go about testing your food defense program? Vulnerability assessments are an excellent way to review, check, and test existing programs to verify that systems are working as planned. Use these suggestions to test the effectiveness of the most common security measures. 

1.    Card access system.

Review the log that most card access systems generate to see if there are any trends. Has someone being denied access numerous times for an area they are not authorized to access? If so, it should be a red flag. Is there any unusual activity such as the same card entering multiple times? This is sometimes a sign that cards are being loaned to other employees who have misplaced or lost their own. 

Deactivate select cards and then try to use them to gain access in order to verify that they can be deactivated in a timely manner for those who are no longer are employed. Does your system allow deactivated card to still register access attempts? For example, if a recently terminated employee tries to gain access to the building with a deactivated card, does the security team have the ability to monitor the card access system and see if he has attempted to reenter? All of this information should also be documented as part of the food defense program’s effectiveness. 

2.    Seal program.

Are seals collected from trailers and rail cars and properly discarded? How do you know if they were all intact before removal? Are the seals counted and verified against the number of seals on the bill of lading? Are receiving employees knowledgeable of seal issues? Do they have a seal protocol in case a container arrives without a seal or with a damaged seal? Are there exceptions written into your program, such as if the seal is broken by customs? Are unloading lines locked and in some cases sealed? Are suppliers unloading lines sealed or locked? 

3.    Lighting

When do you test exterior lights to ensure your lighting is sufficient? Do you have a specific foot candle or lumen (how lighting is measured) requirement? Most maintenance departments have a luminometer. Measurements needs to be taken at night or very early in the morning. Lighting is a very important part of your food defense programs and should be tested and monitored. 

Are lights part of the preventive maintenance program for repair or subcontracted for repair? Is there sufficient lighting in key areas like employee entrances and receiving areas? Does lighting assist in the CCTV camera system? Can the camera resolution be clearly seen at night? Most suspicious events and robberies do not occur in broad daylight. If your camera footage is not clear it could indicate that lighting needs to be improved in these areas. 

4.    Visitor control program

Conduct a penetration test. Have an outsider attempt to enter the plant without following the proper protocol to test the guards (if present) and employees. If photo identification is required to enter have same outsider use someone else’s ID to see if anyone even looks at the photo. Guards and others in key positions can become complacent when an incident has not occurred in a long time.

5.    Camera system

Are the cameras on a preventive maintenance program? What is the length of the camera recordings? Usually it’s about 30 days depending on your system and the quality of the server. Are recorded incidents documented and investigated? Is there a policy on alerting visitors that the site is monitored by CCTV? Is there proper signage to comply with local laws and company requirements? How often are the cameras monitored? Does someone monitor the cameras continuously or are recordings reviewed on a daily basis or only when unusual activity is suspected?

6.    Training

Have you conducted food defense training with all employees? Is it documented? Have you explained the importance of a food defense program, the Bioterrorism act, customer requirements, and FSMA? Be cautious when conducting food defense training. You do not want to give employees ideas on how they could intentionally contaminate products by describing how a major incident could severely affect the company.

7.    Food defense manuals

Customers must now verify that their suppliers are in compliance with regulatory laws and regulations as part of their supplier control programs. They also want to make sure their raw materials are being supplied by a company that has programs in place to protect products from accidental and intentional contamination. If your food defense program or manual is requested will you provide your most guarded security measures? The plant should have two versions of their food defense manual. The facility’s version will be very detailed and confidential. It will likely include private information, such as FDA registration and pin numbers, security guard requirements, and information for sensitive areas. The customer manual will be very general. 

For example, the facility version might list how many guards police the property, what they check, when they are present, when the plant is vulnerable, and the mitigation measures during these times. With the new FSMA requirements, FDA inspectors will be looking at specific areas and mitigation strategies. This could also be included in this detailed manual. In the general manual you would simply say you have a security guard program, but not provide detailed information.

8.    Key protocol

Is there a documented program? Has a list of employees and the access they have been developed? Are keys numbered? If they are, is there a plan that indicates where these keys work? Who has authorization to have master keys copied or cut? Are doors numbered to match keys? Are doors numbered both inside and out?

9.    Crisis management program

There are many different types of crises a plant deals with each day. A customer complaint can be viewed as a crisis if you seldom receive complaints. A Class 1 recall would obviously be a crisis. Is your team prepared to handle a crisis? Are written procedures developed? Does the crisis management team understand the procedures? Do you test your crisis plan? Every plant does an emergency fire drill, but have you conducted a mock crisis drill based on another incident? There are plenty to choose from. 

FSMA focuses on prevention. Do not wait until you have a crisis to find out that your program does not work. Maintain your crisis management program in hopes that you never have to use it.

10.    Audit sensitive or high risk areas

Every plant has high risk or restricted areas. Computer or server rooms are usually limited access. Chemical storage areas should also be limited access. High value material storage areas should be identified on a schematic. These areas can be identified with a color-coding system. For example, red on the schematic might symbolize high risk or limited access. 
These areas should be audited. Everyone on the food defense team should understand that these areas are critical to the plant. If an issue in one of these areas is identified how is it handled? If there is not enough time to evaluate all areas during audits, make sure these high risk areas are not overlooked.

11.    Visitor/contractor bags and equipment

What is your facility’s weapons policy? How do you know contractors are providing safety data sheets on all chemicals brought into the facility? You should conduct inspections on tool bags, equipment, and other items contractors and visitors bring into your facility. It may not be necessary to conduct inspections on every person that enters, but periodic inspections should be conducted to ensure all visitors and contractor are following programs and policies.