Only one year has passed since the City of New Orleans was ravaged by floodwaters precipitated by an ominous hurricane named “Katrina” and resulting catastrophic system failure. One event was an intentional, surprise attack on the United States and the other a natural disaster resulting in costly and vain attempts to protect a city that lies several feet below sea level. Both catastrophic outcomes were aided by system failures, principally human, when threats were not taken seriously and the aftermath’s responses being awkwardly unprepared and poorly executed. Natural and intentional events have permanently altered us and the reaction from each of responders, our politicians and us seem to continually echo the shallow words, “Let’s make sure that this never happens again.”
Knowledge of these events shook us to our core—anger, guilt, fear and response. Interestingly, both 9/11 and Katrina scenarios were contemplated by experts in advance of the event. Each disaster provided compelling “lessons learned.” One of those lessons is that we are likely to fail again in preventing future disasters despite our best intentions. The real problem is that most of our efforts are spent fixing problems that have already happened, and we fail to select better available tools to help us solve problems in advance of that which may happen. In simple terms it’s called the “using past history as the predictor of future events” approach to risk management. We know that the U.S. food supply is on terrorist target lists, and a future attack by an adaptive adversary is probable.
Imagining the outcome of a carefully directed multi-city attack on a branded product is not difficult: a product and label recognized around the world contaminated by an agent that delivers lethal consequences! At the very least, the economic consequences could be catastrophic for the targeted global business. Food is core to our psyche and creates positive social interactions between us. Additional tragic loss of life would add to the already altered market demand and consumer confidence in our food supply. Our lives and shopping habits would be significantly affected. Those of us who live in the Washington, DC area remember all too well how our public habits were greatly altered by known snipers who attacked innocents—the fear for friends, family and strangers was engrained in us as we filled up a gas tank, parked in a shopping mall, or sent our children to school or a public sporting event. The same would likely be true after a carefully coordinated food attack.
Defending our food supply is perhaps the most monumental national security challenge that was initially “overlooked” post-9/11. Our U.S. food supply has one of the most unique, and complex systems of interdependencies operating within highly-differentiated, efficient and dynamic markets in the world. We, as consumers, depend upon the conveniences and choices that are offered in how we budget our purchases, our shopping time, and how, when and where we our make food selections. From farming, harvesting, processing, transportation, wholesaling and retailing—the domestic and foreign supply chain challenges in protecting assets associated with these system interdependencies seem unending. It is very clear that we cannot rely on our system of food safety without having an equivalent system of food defense.
Are We Prepared?
Five years after 9/11 and after awakening to a new threat environment, we hear these food defense messages from our food industry:
• We’re aware, and we understand that there is a threat
• We’ve done our homework
• We’ve assessed our vulnerabilities
• We’ve developed our food defense plan
• We’ve identified our risks
• We’re routinely audited
• We’ve responded to what our customers and the government expect of us
• We’ve implemented risk control measures and played out our scenarios in table top exercises
This sounds good, so is there really anything more that we can or must do? That answer is simple. Yes! Our industry can begin by gaining new insight and perspective so that it can correct course. The food supply has one of the most unique and complex systems of farming, harvesting, processing, wholesaling, retailing and transportation systems in the world—the global supply chain challenges in protecting these system capabilities seem unending. These words ring loud today in the food sector, but a more discerning truth lies just beneath these words: We are not prepared.
We have failed to connect basic food safety and food defense elements into a common risk-based food protection platform. We are comfortable with the opinions of third-party auditors who industry expects should have perspective and command in combined food safety and food defense disciplines. We have relied upon commercial software to mass-produce food defense plans for our businesses based upon pre-scripted, largely subjective inputs. In spite of these misgivings, our industry still has an opportunity to rethink the situation we presently find ourselves and develop a new core understanding of how to best manage our combined food safety and food defense knowledge and convert that knowledge into effective actions.
Have We Been Misguided?
After 9/11, we were misguided by our loudest voices in the scientific community. The message immediately conveyed to the food sector post-9/11 by our industry spokespersons was “food security (defense) is not food safety.” Industry was instructed to compartmentalize food safety and food defense activities into two separate risk management components. This divide-and-conquer approach is fundamentally flawed. The justification at the time was that food safety requires us to look at conventional, symmetrically occurring threats to food. In other words, we have to “think like the scientist with science we know” in managing food safety risks. Food safety scientists admittedly are not well trained to think like the “bad guy” and look at non-conventional, asymmetrically occurring threats to foods, but in many cases, our nation’s scientists have been given that responsibility. Most concur that food defense hazards are more complex and adaptive than those encountered in the context of a food safety environment. However, we should not isolate the two different mindsets in independent risk management approaches; the probability of “system failure” in the future is only heightened.
Because food safety and food defense are approached and managed in different contexts, small- to medium-sized companies often find it difficult to develop and implement a comprehensive food defense plan. Large companies balk at dedicating full-time staff and extra resources to manage food defense and vulnerability issues, particularly when considering the external terrorist threat. Why? Simply put, the objectives, justifications and returns on food defense investment are blurred against speculative threats. Also, asset management, crisis management and business continuity plans are often stand-alone components outside of the food protection plan.
Widely used food defense audits employ bolt-on standard checklists to food safety audits that result in likely overestimation of mitigation effectiveness in place and generate overconfidence in preparedness. Vendor certification and audit systems are not standardized across the industry. Food defense audits are often performed by experienced food safety auditors who are inexperienced in terms of food defense perspectives. These auditors rarely understand the complex, adaptive and opportunistic criminal or terrorist mind in breaching protective barriers. Some of the confusion stems from misconceptions in how a food defense audit and a food defense vulnerability assessment are conducted and results applied.
A vulnerability assessment is a risk-based evaluation of a site’s or a system’s hazard control strengths that could cause failure in achieving the set standard or documented process within a food defense environment. The process involves the identification and classification of the primary vulnerabilities that may impact the site or system function. The vulnerability assessment must precede an audit. Unfortunately, many businesses only conduct an audit, or the audit precedes a vulnerability assessment. A food defense audit consists of an evaluation of the businesses’ specific systems, proc-esses and controls and is performed against an already established set of standard or documented processes previously born out of vulnerability assessments. Audits are designed to provide an independent evaluation of system processes and controls using personnel with expert knowledge about such systems and processes. An audit also provides a gap analysis of the operating effectiveness of the internal controls in meeting a system or control requirement. Unlike a vulnerability assessment, there is limited feedback provided by the auditor as to how to mitigate the system gap. Because the purposes are not the same, very different outcomes can result from audits and vulnerability assessments used to develop or verify elements of a food defense plan.
There are other problems in understanding and effectively addressing today’s food defense issues. Post-9/11, reality is that food businesses have other operational priorities and can’t effectively focus on the high capital and human resource demands needed to continuously assess vulnerabilities, and identify and mitigate business threats. Also, when food safety systems are out of control, it is also likely that there are inadequate food defense systems in place. This is particularly true in many foreign countries that export products to the U.S.
We know that FDA foreign firm inspection data shows that a staggeringly high percentage of firms fail to comply with mandatory provisions of U.S. food safety regulations. For FDA uninspected foreign firms, it can be assumed that they would also fail to comply to at least the same degree. However, as long as these products from un-inspected firms were registered under the provisions of the Bioterrorism Act of 2002, they would be accepted into the U.S. Registration and Prior Notice compliance. But the Bioterrorism Act provides no assurance that these uninspected firms have actual food safety or food defense safeguards in place. Inadequate product surveillance at port of entry and lack of adequate international regulatory inspections and surveillance compound the problem and may be an Achilles heel to the U.S. food supply.
Additionally, the federal government has no intention of providing direct government subsidies to the food industry for food defense. Its main mission is to prepare the itself to respond to an attack. If industry does not take proactive actions to further protect the U.S. food supply, or if there is a successful terrorist attack, Congress will likely promulgate tightened food defense regulations. As the result of political party control shifts in mid-term Congressional elections, there is also likelihood that greater food safety and food defense oversight by the government will be initiated.
A New Food Protection Model
There is little argument that there is specialization in the food defense discipline that requires special assessment skills that only physical security specialists, counterterrorism experts and criminal investigators can provide. That’s where any dissimilarity stops. The basic risk assessment methodology for both food safety and food defense is the same. It includes identifying hazards, assigning risks, analyzing risk controls, making control decisions, implementing controls against the risks and supervising and reviewing the process (e.g. ORM). Other assessment methods, such as CARVER + shock, use specific metrics to help assessors refine the definition of risk into economic and psychological terms. Other more sophisticated assessment tools have been developed and are most often used in national security settings. Our perspective in the food industry has historically been on safety and the quality of the products we grow, process and sell. From a food safety perspective, the emphasis since the 1970s has been on the earliest possible detection of “bad things” to prevent the production of “bad product.” In other words, our focus has been on preventing bad things before they happen. What we need to do in this new and constantly changing risk environment is to leverage what we already know from managing the highly effective food safety processes and procedures with traditional physical security and criminal threat and risk approaches that we have taken on (with only limited success). It is time to change the culture from the traditional food defense “react-and-respond” to the “anticipate-and-prevent” approach that falls within the paramount goal of total food protection.
The solution is fairly simple. Food defense plans should be developed within the prerequisite framework of Hazard Analysis and Critical Control Points (HACCP). HACCP is clearly the globally accepted and practiced “core” food safety platform. The global food industry is experienced with the process in managing biological, chemical and physical hazards in foods and the risk management methodology used.
Risk is a universal and central term that needs to be understood before evaluating a risk management process. For these reasons, a dual-utilization of the predecessor food safety-directed HACCP plan risk management approach to accommodate food defense is a most logical, practical and workable solution. Combined with food safety, managing food defense risks on a total food protection platform provides a more efficient, understood and practical industry application. Food defense risk assessment objectives and methods used today—ORM and CARVER+Shock and those from traditional risk assessments made in food safety using HACCP hazard identification and risk control measures—are fundamentally alike. The risk process is the same, the application is the same, but the specific methodologies of choice and perspectives are different.
In combining perspectives of food safety and food defense, whether assessing a microbiological, chemical, physical, radiological, or explosive hazard, the following formula defines risk:
Risk = Vulnerabilities + Threat + Consequence
Therefore, we can conclude that this risk determination equation can be elegantly applied to both food safety and food defense.
What, then, is the real risk determination difference between food safety and food defense? It involves a new twist but not a new wheel. Further refining the basic risk formula, then, results in the following definitions:
Food Safety: Risk = Vulnerabilities + Unintentional Threat + Consequence
Food Safety: Risk = Vulnerabilities + Intentional Threat + Consequence
We define the term threat as “capability plus intent.” Intent is a unique term that only applies to food defense and is borne out of terrorist or criminal behavior. Food protection threats are expanded from food safety perspectives alone because of the “intent.” This is the component that requires a different perspective, but does not require a unique risk process to be employed. Therefore, we can conclude:
Food Protection: Risk = All Vulnerabilities + All Threats + Consequence
We need to apply and expand what we already know about safeguarding our food supply into an expanded application that can be placed into a food defense context so that it is more easily understood by industry. As in Hazard Analysis Critical Control Points (HACCP), Critical Control Points (CCPs) and Control Points (CPs), we can use new equal and corresponding terms such as “Hazard Analysis Critical Defense Points” (HACDP), “Critical Defense Points” (CDPs) and “Defense Points” (DPs) to take advantage of the risk system we already know. CDPs and DPs are merely additional terms when integrating the approach for identifying and managing different or added hazards around all critical nodes of operation.
For example, a change in the HACCP plan would signal a requirement to re-evaluate that impact upon such a corresponding change to the HACDP plan, and vice versa. With the fundamental process objectives of risk/threat assessment the same, only the perspectives are different and can be accommodated with a diverse assessment team and critical decision-path facilitation. When food safety and food security risk processes are purposely integrated, they can be powerfully overlaid, using the different perspectives and resources needed by both. These food defense elements can remain securely “partitioned” from general view, thus restricting sensitive information access. Food defense plan specifics and related documents can be protected from employee view using a “need-to-know” basis. A select few of the trusted, knowledgeable and qualified employees can gain access to both HACCP and HACDP plans for food protection plan maintenance.
The underlying risk process will be understood by all individuals involved, regardless of a full range of perspectives and subject matter input embedded in the plan. When changes in a HACCP plan occur, the HACDP plan may also be directly affected, and vice versa. This would indicate a required review on whether or not the HACCP change would contribute to further mitigation of an existing vulnerability, possible creation of another, or having no effect at all on the HACDP critical defense points. HACCP and HACDP programs must evolve together for food protection to be assured—changes in HACCP may impact HACDP because critical process nodes may be shared in a total food protection program.
Developing and implementing any new hybrid food protection systems must have different perspectives that are contributed by different subject matter experts (SMEs). Traditional HACCP encourages hazard identification and hazard control as far upstream in the food and packaging supply chain as is practical. In an intentional threat environment, processing and packaging access points are open and vulnerable to an intentional, malevolent attack, either upstream or downstream in the process. This requires the HACDP approach, which must consider opportunities and probabilities that exist to introduce biological, chemical, or radiological agents into foods or packaging at any point in the process stream that may go undetected in the context of presently developed and industry-practiced HACCP plans.
For example, select pathogens, heat-resistant microbial toxins, poisonous, odorless and tasteless toxic chemicals and radiological contaminants are examples of hazards that can go undetected under currently configured HACCP plans. For this reason, any food defense requirements must be evaluated on a customized basis for the purpose of best selecting, positioning and deploying “dual-utilization” food safety and food defense detection devices or procedures to be used in mitigation of all hazards in the food handling application. Dual-utilization technologies must now also correctly detect (ideally, even identify) and mitigate all potential hazards that while reasonably unlikely to occur (low probability) could contribute to a catastrophic business failure or national security incident (high impact).
Of principal concern is managing the risk of product diversion, theft and counterfeiting. These acts often involve higher market-value products that are marketed to high-risk populations. These products are principally involved in economic adulteration and often find their way back into the food supply. In most cases, these products are involved in criminal and not state terrorist activity. However, these incidents do point to a food defense concern that can be mitigated by technology countermeasures. Progress is being made. Sensor technology development, rapid microbial, chemical and radiological detection, supply chain traceback and product identity preservation technologies, tamper-proof and tamper-evident packaging, and surveillance technologies are examples of what is working in food defense to minimize both food industry and consumer risk. These technologies offer enhanced food protection and a dual-utilization approach. Industry is now beginning to learn that adopting investment strategies that meet both food safety and food defense objectives rationalizes the investment required to meet growing needs in managing all food threats. Radio frequency infrared device (RFID) investments, for example, bring supply chain efficiency gain as well as provide an added layer of food protection. Sensor capability, with global positioning system (GPS) and global information system (GIS) technology support and provide industry with the ability to consistently scan the environment for food safety and food defense indicators and warnings that are built around critical food protection nodes within the supply chain.
New Simulation Tools Available
Perhaps the most exciting advanced technology developments for food defense are in the area of computer simulation and visualizations. These new tools offer far greater insight into how to better define sector risk, how to visualize the consequences of an intentional attack on our food supply, and how to think differently about threats to our food supply in complex and adaptive environments. Purdue University’s Center for Computational Homeland Security (CCHS) and the Purdue Food Science Food Bio-security Simulation are teamed to conduct agro-terrorism simulations in synthetic environments. The result is an agent-based simulation used by Purdue’s partners in government and business to prepare for and train for terrorist events in the food supply chain. According to Purdue, the simulation uses “an explicit spatial and temporal paradigm to develop a synthetic society that mimics essential demographic, epidemiological, and economic characteristics of the United States. This simulated arena creates up to a million artificial agents with multiple layers of attributes and behaviors representing position, mobility, infect-ability and well-being of the citizens of the United States. The virtual geography mirrors the real geography, and the artificial agent population is tied to different locations. Epidemiological characteristics such as susceptibility to infection by age, gender, and race broadly reflect the real data. Attributes of individual well-being are drawn from well established paradigms in economics and psychology. An overlay of actual infrastructural characteristics models the broad availability of roads, railways, and airplanes.”
Another example of developing risk evaluation tools for the food industry is the Consequence Management System (CSM) being developed by BT Safety, LLC, with the support of the U.S. Food and Drug Administration (FDA) and Homeland Security’s National Center for Food Protection and Defense (NCFPD). “CSM is user-friendly, is a simulation model that estimates the consequences of a food contamination event. This interactive tool simulates a variety of possible food contamination events and takes the user through scenario that graphically depicts the human and economic impact of the contamination event and possible intervention methods.”
Other entrepreneurial companies are developing a new generation of smart software and learning knowledge bases that are designed to identify and continuously monitor the early warning signals of natural and man-made events and how terrorist means and methods are changing. They are engaged in developing better decision-making tools around a system of organizing and managing complex inputs and adaptive changes. This approach will help U.S. industries, including the food industry, to better understand and manage the threat environment.
What the Food Industry Needs to Do
We have been most recently reminded of the damage caused by the E. coli O157:H7 contamination of fresh-bagged spinach and nationwide recall. These food safety lessons will continue to give us valuable insight on how we might respond (or fail to respond) during an intentional food attack. Why might these sequence of events leading up to be any different than an intentional attack on our food supply and how might we expect to respond to these challenges in the future?
If we can change our focus from “reaction and response” to “anticipation and prevention” and recognize that the bad guys’ tactics are constantly changing we will end up with a whole new view of the food defense world. This is one reason that the American food industry may be in the very unique position to lead the way in using new guidance to show how to radically enhance the protection of our nation’s entire critical infrastructure system.
Instead of thinking about what the terrorist can really do to us, we continue to take a snapshot in time and define the bad guys’ capabilities based on the latest bad thing they’ve done. The law of large numbers rules the day. For example, at nuclear weapons facilities across the U.S. this type of thinking has morphed into what is called the “design basis threat.” The government spends millions of dollars to design, engineer and build the most sophisticated security systems in the world. The problem is that technology and terrorist means and methods are always changing while the “design basis threat” remains the same. If the design basis threat says that terrorists won’t use toxic gas then security guards won’t be issued gas masks. Security systems based on the past will be the victim of a new generation of technologically smarter terrorists. Are we in the food industry looking at the same dilemma?
Instead of putting so much attention on the notion of creating deterrence through tough guy response reminiscent of the G-men of the 1930s trying to stop bootlegging, maybe we need to think differently. More investments in early detection and preventing the bad guy from doing his terrible deed to our food supply are more appropriate to the changing nature of today’s threat and risk management picture. As 9/11 and the government response to Hurricane Katrina shows us, by the time the worst happens it may already be too late. If you don’t plan for what can really happen to you before it happens, disaster can quickly turn into catastrophe.
We have to systematically think about what can happen to us before risk events happen. We need a compatible food safety and food defense framework, as proposed in this article, that all of us who have responsibilities within the system can easily understand to accomplish food protection goals. And, if we can’t prevent the event from happening, then we have to think about response in a different way. Effective responses to complex events require more than a sheriff’s posse to go out catch and hang the villain who has threatened or attacked our food supply. Effective food defense responses must converge and be leveraged by the successes of proven food safety practices and procedures that incorporate the best forensic science we can all bring to the table.
David K. Park is president of Philmont, VA-based Food-Defense, LLC, an independent food safety and food defense risk management consulting services company, as well as vice president of TechniCAL, Inc., for which he serves as management advisor for the operations and business growth of the international thermal processing products and services company. Park, a food safety and food defense training instructor with top-level security clearance by government appointment, routinely conducts risk and vulnerability assessments for the agri-food sector to facilitate food defense plan and program development and implementation at companies throughout the supply chain. He is a FDA and USDA regulatory expert in food laws and regulations who has led several international public health food poisoning investigations involving vegetables, seafood, and meat and poultry,
Park is also internationally recognized as a premier process authority in the thermal processing of shelf-stable and extended shelf-life foods, and he co-developed the first FDA and USDA regulatory accepted computer control for the thermal pasteurization and sterilization of acidified and low-acid canned foods.