HARPC guidance

The difference between HACCP and HARPC. A case of the Emperor’s New Clothes?

What does a child’s tale by Hans Christian Andersen have to do with a piece of American legislation issued regarding food safety? In my efforts over recent weeks to get to grips with the new FSMA Rules, I believe quite a lot. But before I get into all that, I would like to talk more generally about FSMA and what I perceive to be its impacts.

FSMA – Changing the Rules of the Game

Recent issuing of a number of final rules under FSMA has now placed these specific compliance requirements for food businesses firmly in the spotlight. As with any new or changed piece of legislation or food safety standard, at Safefood 360° we undertake a review of the requirements to see how they impact on our software platform and the needs of our customers. Normally this is a straight forward process for our team. Given food safety and its management is core to everything we do, identifying and making any necessary changes to the software is a matter of routine. Not so however, for FSMA.

FSMA is an interesting animal to observe. Unlike other pieces of food safety legislation e.g. EU Food Regulations, reading the requirements of FSMA rules is nothing short of a new vocation for those brave enough to undertake it. It certainly isn’t light bedtime reading. It is legal in its language, circular in nature and more effective at making your head spin than a NASA human centrifuge. You need to be made of the right stuff!

However, FSMA is interesting for none of the above reasons. It is compelling for one reason alone. It’s actually a good piece of legislation. Once you cut through the layers of legal jargon surrounding the requirements contained therein, what we find is something very clear, very prescriptive and which leaves little to the imagination. And as strange as it may sound, this is actually a very good thing.

Most food safety legislation globally tends to be general, stating what needs to be done rather than how it should be done. On the face of it this might appear as a smart approach however it can leave the door wide open to interpretation by companies, auditors and regulators.

Stating what needs to be done rather than how it should be done leaves the door wide open to interpretation

Sometimes it can be a welcome relief to be simply told in clear terms what needs to be done, do it, and then get on with the job of running your food business. And FSMA does this very well. It tells you (in the most unapologetic of tones) what you need to do and how you need to do it.

Compliance Framework Turned on Its Head

But it has also done something very interesting which has gone unmentioned by various food safety commentators. It has turned the compliance framework on its head! In a previous blog, I set out the burden of compliance demands on food businesses. At the bottom of the burden ladder was always legislation. Traditionally it was the minimum requirement to be met by businesses. Next were the requirements of the global standards like BRC, SQF and FSSC22000. Finally came the requirements set out in various food retailer technical standards which tend to be very prescriptive and demanding.

new compliance framework

Retailer Technical Standards used to set the highest bar for compliance requirements. With FSMA this setup has been turned upside down.

Whether by design or not, FSMA has changed this. If you read through the rules for FSVP and Preventive Controls for Human Food you will quickly realise that these now represent the highest standard of food safety control surpassing the requirements of the GFSI schemes. For example, under the FSVP requirements, you now need to risk assess, evaluate and develop monitoring controls not for each supplier but for each product supplied by each supplier. There are other examples but the point is that the framework has now been inverted with legislation setting the bar. This leaves the global schemes with an interesting situation to ponder given their unique selling point has always been that certification under their offer represented a higher standard. This may no longer be the case.

Unravelling the Mystery of HARPC  

The new rules, as expected, have also introduced the requirement for Hazard Analysis Risk Based Preventive Controls or what has been called generally called HARPC. This requirement is a risk based model for the identification of significant hazards and the establishment of preventive controls. It is quite an extensive requirement and consistent with any standard for food safety management. On face value it would appear to be HACCP at least in its basic principles, but what exactly is HARPC?

Having read various blogs and other resources on the subject I must admit I continued to struggle to really understand its true nature and relationship with HACCP. Almost embarrassed by my apparent inability to understand this new risk model, I quietly nodded my head and pretended I got it.  Frustrated, I decided to get to the bottom of this conundrum by going to the horse’s mouth – the FSMA Rule itself.

Most commentators say that HARPC is similar to HACCP and for the most part this is true. HARPC like HACCP requires control when there is a significant hazard. Both are risk assessment models. Both allow for the use of CCP’s. Both appear to allow for the use of other Preventive Controls like PRP’s, and oPRP’s. HARPC requires more documentation for non-CCP controls such as monitoring, corrective action and verification. But so do GFSI standards. On the face of it, there would appear to be no difference between the two risk based models. This would suggest that simply renaming our existing HACCP plans is all that is required. This would be the ideal for most food businesses and if true would beg the question, why did the FDA simply not call it HACCP and avoid all this confusion. But confusion there is and food businesses are craving some clear guidance from both the FDA and authority voices in the area.

Food businesses are craving some clear guidance from the FDA and authority voices in this area

For the most part, discussions and guidance on the difference between the two models is of little value. Often they explain the history of both models as a difference. This is interesting but hardly a substantive difference. Other contributions explain that the scope of hazards to be included in HARPC are more extensive and include threats, allergens and recall to name a few. However, in practice the Food Safety Plans called for under GFSI do the same albeit as supports to the HACCP plan. In practice HARPC plans will do the same since inclusions of these directly in the HARPC plan is of little additional value. It is simply moving the chairs around the room. In short, the various sources that set out to explain the differences between the two standards effectively confirm their sameness.

Getting “FSMA ready”

Then we come to the subject of “Getting ready for FSMA / HARPC” and are you “FSMA ready?”. Again we search endlessly through the various forums, blogs and other resources to gain insight into what these terms actually mean and again we are left somewhat vacuous in our understanding. I have read one blog from a commentator who posed the question “What do you need to do to become FSMA compliant?” I waited with abated breath… the answer was “The first thing you need to do is understand what you are being asked to do…”. Still, we are no closer to the truth!

Is it possible that no one really and truly understands what the difference is and even then that there may be no difference. For those of us who have worked for many years with our clients helping them to develop and maintain risk based food safety systems is it not important that when we claim that two things are different that we can at some level explain what those differences are? And if we don’t should we not simply state this?

The fact that more recently we are being told to no longer refer to it as HARPC but rather as PCP (Preventative Controls Program) is I believe a reflection by its promoters that any differences are small at best and an attempt to avoid the perception that they are introducing a brand new risk assessment and management model for food safety. I think this is a positive step if we are to avoid the trap of a logical fallacy.

Rebranding HARPC as PCP is an attempt by promoters to avoid the perception they are introducing a brand new risk assessment and management model for food safety

So is there a Difference between HACCP and HARPC?

It is my belief, analyzing the requirements for both HARPC and HACCP that they are essentially the same. If we take both as food safety plans they follow the exact same approach, logic and structure. The language is slightly different but the models are the same, with one exception – Hazard Evaluation!

It would be easy to miss it, and most of us would appear to have done just that. It is only a few words in the requirements but on close analysis is a major difference between the two models. Here is the requirement from Preventative Controls for Human Food.

Hazard Evaluation is easy to miss but close analysis shows a major difference between the two models

c1 – (i) Hazard evaluation: The hazard analysis must include an evaluation of the hazards identified in paragraph (b) of this section to assess the severity of the illness or injury if the hazard were to occur and the probability that the hazard will occur in the absence of preventive controls.

Under HACCP any person conducting a study is required to conduct a hazard analysis followed by a risk assessment of the hazards to determine their significance. When doing this, they are required to list out the preventive measures already existing at the step and the implication is that the risk is determined with these preventive controls in mind. This by definition will result in a lower risk (assuming preventive controls are in place which is usually the case).

Differences between Risk Assessment Models

Table comparing the difference in risk assessment models. The key difference between HARPC and HACCP is that in HARPC the risk assessment is done assuming there is an absence of preventive controls.

However, if we look now at c1-(i) we see that FSMA takes a fundamentally different approach. It requires the person conducting the study to do the same exercise in the absence of preventive controls. This means that all other things being equal the risk for the same hazards will be higher and significantly higher in most cases. The result is that any person seeking to convert their existing HACCP plans over to HARPC will find that the whole risk assessment will be radically different. A major and very significant issue for what is a risk management system.

All other things being equal the risk for the same hazards will be significantly higher in most cases under HARPC.

So where does that leave us? Under HARPC we may well end up with many more significant hazards which require a preventive control which takes no account of basic mitigation measures such as sanitation and requires full planning, verification, validation and review. Basic mitigation controls have now been promoted to the same status of a CCP or oPRP. This in itself is not an issue but it does have a major impact on companies existing HACCP plans. It may be argued that they will need to be re-written from scratch.

The new food safety plan requires you to monitor, verify, document and review your preventive controls similarly as you do with CCPs.

The new food safety plan requires you to monitor, verify, document and review your preventive controls similarly as you do with CCPs.

In summary, HACCP requires risk assessment with controls in place while HARPC requires risk assessment with no controls in place. The output is a higher risk rating for HARPC than HACCP but essentially the same in terms of controls. You reach the same destination but by different routes. What is interesting is that both appear to take one of the elements of the Risk Mitigation Model but not both. In the risk mitigation model the risk assessor first estimates the risk in the absence of controls (HARPC) and then applies controls where required. Then a subsequent risk assessment is conducted to determine the risk mitigation or reduction achieved – which is essentially a measure of the effectiveness of the controls (HACCP). HARPC does not directly call for a risk assessment to be conducted in order to establish the risk reduction effect. It is not even implied which is the only justifiable reason for conducting a risk assessment in the absence of preventive controls. Finally, it may be argued that doing a risk assessment based on zero controls is not practical, particularly valuable and contrary to how food businesses work in practice.

It is quite possible that this is simply an oversight by the authors and the spirit of the legislation is what will prevail. Time will tell us if this is the case.

The Emperor’s New Clothes

The introduction of any new standard or legislation is disruptive. It is normal to expect a period of confusion followed by debate, interpretation, clarification and eventually understanding. FSMA is no different. However what is concerning is the almost illogical explanation of concepts like HARPC versus other risk models and what appears to be a fundamental oversight in regard to hazard evaluation. This does not take anything away from what I believe to be an excellent piece of legislation in food safety management. However, we need to guard against becoming like the Emperor’s subjects who from fear of being seen as unfit, stupid, or incompetent ignore the fact that he parades naked before them. Let’s protect FSMA and its significant value and put some clothes on it.

12 replies
  1. Cory Baron
    Cory Baron says:

    George, fantastic summary! However one comment as to the discussion as to where “validation” steps in the HACCP & HARPC process take place.

    Forgive the pun but “HACCP on PCP” is HARPC is really how I am seeing it unfold in the FDA un-scrutinized industries in the US. Under HARPC/PCP, do not all PCs need to be “validated” in some measurable manner?

    Reply
    • Admin
      Admin says:

      Hi Cory! Good point about validation, I’ll ask if George could respond to that. I think you’re right that PC’s need to be documented, verified and reviewed just like CCPs.

      Reply
      • Cory Baron
        Cory Baron says:

        Thank you. And by “Validation” I mean the Codex Alimentarius definition: “Obtaining evidence that a control measure or combination of control measures, if properly implemented, is capable of controlling the hazard to a specified outcome”.

        This boils down to on the floor and what the auditor is looking for is “Provide EVIDENCE that it is CAPABLE of controlling the potential hazard” (much like the GFSI Schemes already require for ones cPRP: prove ones cPRPs are capable).

        Just how this Validation/Capability proof of PC’s and/or CCPs will apply in your HARPC vs. HACCP summary?

        Reply
        • George
          George says:

          Good question Cory. The validation step as expected would occur once the plan has been developed to ensure preventive controls are capable of achieving the desired outcome. But please note that under FSMA not all PCPs need to be validated including hygiene, supplier, and allergen controls.

          This is one area where FSMA actually has a lower requirement than GFSI. It is a strange one since validating cleaning procedures to ensure there is no allergen cross-contamination would seem to be essential to controlling and minimizing these risks.

          Reply
  2. Clem Griffiths
    Clem Griffiths says:

    Still seems like we are still stuck with our “heads in the sand” and we are no where closer to reducing the number of recalls and or improving consumer confidence in the food supply.
    Both GFSI and HAACP could get the job done the problem however was and is that a stakeholder was needed to fill the gaps and ” keep them honest” that stakeholder was supposed to be regulatory but they downsized or right sized and by default refused to accept responsibility and left QA Managers to fend for themselves and when that happens the consumer never wins. There are effective strategies in place to “hog tie ” both the dedicated QA Manager and or food auditor therefore we need regulatory to do those non negotiated unannounced inspections, to follow up on corrective action and to make QA Managers liable along with plant managers when and if unsafe food injures or kills consumers. Finally I am not on the outside for 35 years I have been a QA manager and at least 3 years a food auditor.

    Reply
    • George
      George says:

      Clem many thanks for your insights. I suppose it could be argued that the GFSI should be serving this role as a stakeholder however it is a voluntary scheme and lacks the teeth which the regulatory bodies have or at the very least should be exercising.

      Reply
  3. Jeff
    Jeff says:

    The reason for recalls and failure may not be in the analysis, but the basic boots on the ground problem of verifying workers and ensuring documentation input is real. Typically the human failure rate is the weakest link in an otherwise sound program.

    Reply
  4. JAY SHIRODKER
    JAY SHIRODKER says:

    Agree, both HACCP and GFSI will contribute significantly in maintaining food safety of the facility. However, the focus on supply chain preventive controls in FSMA will bring added scrutiny in food chain

    Reply
  5. George
    George says:

    Yes Jay, I tend to agree. I think the preventive controls rule is perhaps the most valuable aspect of the new FSMA legislation.

    Reply
  6. Bianca Juarez
    Bianca Juarez says:

    Thank you for an insightful article, George. I am wrestling with updating our HACCP plan and it just isn’t making sense to me that you would write it without any GMP’s in place. If there are no rules at all then EVERYTHING is a hazard. If no-one is required to wash their hands before handling food, will someone get sick? Yes. How long will it take for them to get sick? Don’t know, it depends on the size of the facility, amount of people handling food, etc. How am I supposed to assess a risk like that? Is there a time frame for the risk? A week? A month? A year? I’ve done 20+ hours of training and am no closer to figuring it out.

    Reply
    • George
      George says:

      Many thanks for your comment. I feel that many of us are struggling to reconcile the requirement in the legislation that requires risk assessment to be conducted in the absence of controls when plainly the industry does not in reality operate this way. If you remove controls from the estimation of risk you are in essence correct in stating that everything (or almost everything) becomes a hazard or more accurately a Risk. The issue is one of significance and again in most cases the risk will increase and therefore the significance of many hazards. Therefore more controls are required and so on. In HACCP you do your study with controls in place and therefore many are referred back to general controls or PRP’s. In HARPC you need to develop controls for all these in the plan itself and they must be fully defined, monitored, controlled and in some cases verified.

      What we are doing with our software is to create a new STEP in the plan for each of the general Preventive Controls (PC’s) e.g. recall, supplier control, sanitation controls, pest control, personal hygiene and so on. We are doing the RA on these without the presence of PC and therefore they go on for full planning. These are being inserted at the head of the HACCP study. For the specific process steps we are leaving the RA and Decision Tree sections as is (with the preventive controls in place) since to remove them would lead to an unworkable food safety plan which is in nobody’s interests – including the inspectors who have to use them. This may not be totally faithful to the requirement but time will tell.

      The full conversion from HACCP to HARPC is a little more complicated than the above but it does address the core of your question I hope.

      Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *