Vulnerability Assessments
Background, Elliott, PAS 96 and TACCP
“The British Standards Institute has worked with Defra and
industry, to develop a Publicly Available Specification ‘Defending
Food and Drink’ (PAS 96).............elements such as the use of the
threats analysis and critical control points, or ‘TACCP’ approach,
are relevant in the prevention of food crime.
BSI and Defra should continue to focus on the TACCP
approach, and to consider the overlap and avoid duplication
between malicious contamination and food crime.
This approach will provide the building blocks of any future
standards that could be developed on preventing food crime.”
Elliott Review into the Integrity and Assurance
of Food Supply Networks – Final Report
Food Fraud
Food Defence
Food Safety
Food Quality
Food Quality, Safety, Fraud and Defence Overlaps
Accidental Acts
Deliberate Actions
Elliott’s Eight Pillars
1. Consumers First
2. Zero Tolerance
3. Intelligence Gathering
4. Laboratory Services
5. Audit
6. Government Support
7. Leadership
8. Crisis Management
GUIDELINE 72 - APPLICATION ROUTE
TACCP TEAM SELECTION
DEFINING THE SCOPE OF THE STUDY / PROCESS FLOW
REVIEW CURRENT TACCP MEASURES IN PLACE
THREAT CHARACTERISATION •Personnel
•Premises
•Process
•Services
•Logistics
•Cybercrime
MITIGATION STRATEGY DEVELOPMENT
HORIZON SCANNING
IMPLIMENTATION
RECORDING / DOCUMENTATION
AUDIT / REVIEW
• TACCP, or Threat Assessment and Critical Control
Point, is a system that was developed in accordance
with the PAS96:2010.
• Title for the revised PAS96:2014 is,
“Guide to protecting and defending food and drink from
deliberate attack”,
Updated from PAS96:2010,
“Defending food and drink. Guidance for the deterrence,
detection and defeat of ideologically motivated and
other forms of malicious attack on food and drink and
their supply arrangements”
Seven Sources of Food Fraud
•UNAPPROVED ENHANCEMENTS Melamine added to enhance protein value
Use of unauthorized additives (Sudan dyes in spices)
•COUNTERFEITING Copies of popular foods – not produced with acceptable safety assurances.
•DILUTION Watered down products (Also, potentially using non-potable / unsafe water)
Olive oil diluted with cheaper substitutes
•SUBSTITUTION Sunflower oil partially substituted with mineral oil
Hydrolyzed leather protein in milk
•CONCEALMENT Poultry injected with hormones to conceal disease
Harmful food colouring applied to fresh fruit to cover defects
•MISLABELLING Expiry of dates, provenance (unsafe origin)
Toxic Japanese star anise labelled as Chinese star anise
Mislabelled recycled cooking oil
•GREY MARKET PRODUCTION / THEFT / DIVERSION Sale of excess unreported product
“A documented Vulnerability Assessment shall be carried
out of all raw materials to assess the potential risk of
adulteration or substitution.
This shall take into account:
•Historical evidence of substitution or adulteration
•Economic factors
•Ease of access to raw materials through the supply chain
•Sophistication of routine testing to identify adulterants
•Nature of the raw material”
BRC V7 New Clause 5.4.2
“A number risk assessment tools have been published
including some specialist vulnerability assessment tools,
for example CARVER+Shock and TACCP (Threat
Assessment Critical Control Points), which may be used
to achieve a structured approach to the assessment
process.”
BRC V7 Interpretation Guide
“A vulnerability assessment is a search for potential
weaknesses in the supply chain in order to prevent food
fraud i.e. to prevent the adulteration or substitution of raw
materials before they arrive at the site.
The aim of the assessment is not to assess the potential for
fraud at the site, but to examine the supply chain for
potential concerns or weaknesses to identify those raw
materials which are of particular risk of adulteration or
substitution, such that appropriate controls need to be put in
place.”
BRC V7 Interpretation Guide
“Typical information to incorporate into the assessment includes:
• Any emerging issues and information identified
• Historical evidence of substitution or adulteration of the ingredient
• Cost/value of material
• Availability - for example, a poor harvest may restrict availability and
may increase the potential for adulteration
• Sophistication of routine testing to identify adulterants – if testing
within the supply chain is comprehensive and specifically focused on
potential fraud issues, then the likelihood of adulteration is reduced.
• Country of origin
• Length and complexity of the supply chain
• The nature of raw material may change the potential for food fraud”
BRC V7 Interpretation Guide
“Output from the vulnerability assessment
Where raw materials are identified as being of particular risk then
appropriate assurance controls need to be in place to ensure that
only genuine materials are purchased.
Depending on the perceived risk assurance controls may include:
• Certificates of analysis from raw material suppliers
• Raw material testing
• Supply chain audits
• Use of tamper evidence or seals on incoming raw materials
• Enhanced supplier approval checks
• Mass balance exercises at the raw material supplier
• Changes to the supply chain eg a change of supplier or a move to a
shorter supply chain”
BRC V7 Interpretation Guide
CARVER + shock
A method from the FDA that puts a scoring system on attributes of:
• Criticality - measure of public health and economic impacts of an
attack
• Accessibility - ability to physically access and egress from target
• Recuperability - ability of system to recover from an attack
• Vulnerability - ease of accomplishing attack
• Effect - amount of direct loss from an attack as measured by loss
of production
• Recognizability - ease of identifying target
• shock - the combined health, economic, and psychological
impacts of an attack
Vulnerability Assessment
Section 106 of the Food Safety Modernization Act (FSMA)
• requires the FDA, among other things, to conduct a
Vulnerability Assessment (VA) of the food system
• A VA is the process of identifying, quantifying, and
prioritizing (or ranking) the vulnerabilities in a system
FSMA - What is a
Vulnerability Assessment?
• In food safety there are "hazards" to accidental contamination
• In food defense there are "vulnerabilities" to intentional contamination.
• In calculating risk of intentional threat, the common measure of
vulnerability is the likelihood that an attack succeeds, if it is attempted
• By conducting a vulnerability assessment of a food production facility or
process, you can determine the most vulnerable points in the
infrastructure and focus resources on the most susceptible points
TACCP & HACCP
Differences and Integrating the Systems
A Quote…..
“There are known known's.
These are things we know that we know.
There are known unknowns.
That is to say, there are things that we know we don't know.
But there are also unknown unknowns.
There are things we don't know we don't know.”
Donald Rumsfeld, US Secretary of Defense - February 2002
It could be said that HACCP is perhaps a study of the
“known known's” and the “known unknowns”.
TACCP is an analysis of some “known unknowns” and
“unknown unknowns”.
Key Differences
• The team may cover the need for slightly different or additional disciplines
• The Process Flow Diagram (PFD) will be written to capture the entire process,
not just that which takes place at the manufacturer’s site
• As a result of the requirements, the potential hazards may detail not only
Chemical, Physical and Biological hazards, but also cover the elements of
radiological hazards and of adulteration.
• Potential contaminants within the TACCP study may not be confined to those
which are pertinent to the process involved (e.g. Metal swarf from stirrer blade)
• At times with TACCP, the specific hazard at each process step might not be
listed.
• TACCP suggests implementing response levels of ‘Normal’, ‘Heightened’ and
‘Exceptional’, in parallel with Prerequisite programmes and Critical Control
Points.
Weigh batch seasonings and other ingredients
Primal Intake of Beef Primal Intake of Pork
Store in Freezer
Thaw Store in Chill
Weigh Primals
Mince through 5mm plate
Weigh batch Quantity Minced Beef
Store in Freezer
Thaw Store in Chill
Weigh Primals
Mince through 5mm plate
Weigh batch Quantity Minced Pork
Blend minced Beef, minced Pork and other ingredients
Discharge into tote bins
Store in Chill
Form meatballs on forming machine
Place in containers / trays / packaging
Chill or Freeze
Dispatch Load Vehicle
Central delivery Depot
Deliver to meatball in sauce manufacturer
Flow diagram - Meatball manufacture
Intake of other ingredients
Storage
FSMA Vulnerability Assessment
The key activity types identified in the most vulnerable
production environments are:
• Coating / Mixing / Grinding / Rework
• Ingredient Staging / Prep/Addition
• Liquid Receiving / Loading
• Liquid Storage / Hold / Surge Tanks
Primal Intake of Beef Primal Intake of Pork
Store in Freezer
Thaw Store in Chill
Weigh Primals
Mince Through 5mm Plate
Weigh Batch Quantity Minced Beef
Store in Freezer
Thaw Store in Chill
Weigh Primals
Mince Through 5mm Plate
Weigh Batch Quantity Minced Pork
Blend Minced UK Beef, Minced Pork / Ingredients
Discharge Into Tote Bins Store in Chill
Form Meatballs on Forming Machine
Place in Containers / Trays / Packaging
Chill or Freeze
Dispatch Load Vehicle
Central delivery Depot
Deliver to Meatball in Sauce Manufacturer
TACCP
Human Elements
• Significantly more males engaged in insider activity (82%) than
females (18%)
• The majority of insider acts were carried out by permanent staff
(88%); only 7% of cases involved contractors and only 5% involved
agency or temporary staff
• 60% of cases were individuals who had worked for their organisation
for less than five years
• 49% of insider cases occurred within the 31-45 years age category.
Instances of insider cases increased with age until they peaked within
this category and then decreased beyond 45 years of age
The Centre for the Protection of National Infrastructure (CPNI's)
Insider Data Collection Study indicated:
Human factors
Human Factors
Errors
Violations
Mistakes
Skill based errors
Slips of action
Lapses of memory
Knowledge based
mistakes
Exceptional
Rule based mistakes
Routine
Situational
Intended to set dial to
3 accidentally set to 6
Thought the setting
should be 4 when in
fact it should be 6
Used baking powder
instead of baking soda
Used a thermometer
that wasn’t calibrated
Knows to follow steps 1
to 10 in order but always
performs steps 1-5, 7-10
then step 8
When under time or
other constraints, the
action not carried out
as per the procedure
Disgruntled employee
received a warning that
day and chose to act in a
way they shouldn’t
Complacency, Incompetence,
Criminality: 3 Business Threats
Subject Matter:
• Complacency – “Smug self satisfaction”
• Incompetence – “Lacking the necessary skill”
• Criminality – “Tendency to illegal acts”
• Sudan dyes
• Melamine
Case study I: Sudan dyes (genotoxic carcinogens, prohibited for use in food)
May’03 France reports Sudan dyes
as an issue in Indian chilli
products
Jul’03 Pan-EU controls introduced
Feb’04 FSA reminds UK industry of
issue
Jan’05 56 Alerts issued in UK since
2003
Feb’05 Worcestershire sauce found
with sudan (made with 2002
chilli)
Mar’05 580 products withdrawn
from the UK market
Case Study II: Melamine
2005/6 Local reports of melamine as an
in issue in Chinese milk
Mar’07 First US pet deaths directly
attributable to melamine
Aug’07 >5300 products recalled
Jun’08 Linkage between baby kidney
damage and Sanlu milk in Gansu
province
Aug’08 Melamine found by Fonterra (NZ)
Sep’08 Fonterra advise NZ government
who advise the Chinese govt.
Significance of problem
recognised
Dec’08 Estimated number of cases:
>250,000 babies & infants
Points to consider
• Understand the historical perspective
• Inevitable lag time between commencement and
detection
• Value of certification
• Adulteration often relates to value (money) determining
product attributes
– Attribute quality is often measured to an indirect or subjective
end-point (e.g. Colour)
• Fraud is becoming more sophisticated
– “chemically identical” substitutes (e.g. vanilla)
– Commodity items (e.g. olive oil / basmati rice / tomato paste)
How To Conduct a TACCP Study
APPLICATION ROUTE / LOGIC TABLE
TEAM SELECTION
DEFINING THE SCOPE OF THE STUDY / PROCESS FLOW
REVIEW CURRENT TACCP MEASURES IN PLACE
THREAT CHARACTERISATION •Personnel
•Premises
•Process
•Services
•Logistics
•Cybercrime
MITIGATION STRATEGY DEVELOPMENT
HORIZON SCANNING
IMPLIMENTATION
RECORDING / DOCUMENTATION
AUDIT / REVIEW
Impact
Likelihood
5
4
3
2
1
1 2 3 4 5
Threats categorised by likelihood / impact and plotted
EXCEPTIONAL
HEIGHTENED
NORMAL
No. Process step
description
Step
No.
Threat description and job role
involved
Response:
Normal
Heightened
Exceptional
Preventative Actions / Control
Measures
Severity Likelihood Total
1
2
3
DOC REF: TACCP1 DATE: XX/XX/XX
EDITION: 1 VERSION: 1
TACCP ANALYSIS: FOOD SECURITY
Product / Process:
Thank you
Lorraine Green
Quality Management Systems Specialist – Campden BRI
Tel: 01386 842458
Email: [email protected]
Top Related