How to carry out your FDA food defense plan…

In order to comply with the proposed Intentional Adulteration Rule, the food defense plan must include:

In our previous post we covered the first element of creating your vulnerability assessment and how you can use our proven methodology in our book Assessing Threat & Vulnerability for Food Defence.  If you’ve not read this post yet, you can do so now:

FSMA Issue 9

TA Trans



If you need a copy of our threat methodology, you can purchase your copy in Ebook priced at £66 incl. VAT or paperback priced at £70. Just click on the image to go to our page which provides more information and your purchase options.

Purchase now

The Food Defense Plan

We’ve completed the vulnerability stages, so we’re now onto the dark blue food defense plan steps, as shown in the image below…

We’ll now go through each of the steps to create a food defense plan.  These are:
  • Define the protection measures
  • Establish management techniques
  • Implement management techniques
  • Validation and justification of VTPs
  • Review
  • Maintenance
Define the protection measures:

For each significant threat, protection measures need to be applied.  There may be one or more protection measures for each threat, depending on the scale and impact that the threat may have.

A protection measure is not a control, as you would find in a typical HACCP plan – as it may include checks or tests to positively confirm whether the threat has or has not occurred.  This is because a threat cannot always be controlled, but you can put as many protection measures between the business and the threat, to reduce the risk.

Where more than one protection measure is assigned, the risk is reduced, but also the frequency at which the protection measure is applied may be reduced.  This would be particularly useful when the protection measure puts added cost into the business.

Establish Management Techniques:

Once the protection measure, or protection measures have been assigned to the threats, they need to be managed.  In our methodology we use a decision tree to establish how each protection measure should be managed.

Implement management techniques:

Our methodology includes 4 types of management technique for the protection measures:

  • Pre-requisite programmes
  • Risk register
  • CCPs (or other critical food safety controls)
  • Vulnerable threat point (VTP)
Pre-requisite Programmes:

A facility-wide protection measure, can be managed by a current, or new pre-requisite programme.  Therefore, it should be written into a procedure and be trained out to all those involved.

Protection measures which are managed by pre-requisite programmes may be things like – CCTV, which is under the control of the security PRP.

Risk Register:

Some of the protection measures that are assigned to the threats may not be able to be immediately applied.  Or, there may be no apparent protection measure available to you at the time, for example, a testing method may not have been developed yet to test for the threat in question.

These are still however significant threats and therefore they need to be managed effectively.  To do this, they would be assigned to a risk register.  The risk register should detail why there is believed to be no immediate threat, plus the short, medium and/or long term actions required to implement the required protection measure.  The risk register must then be reviewed on a regular basis to ensure that the actions are being progressed to the timescales stated.

The risk register should also include a plan as to what the business would do, if the threat became real.

CCP’s / Food Safety:

Where a threat is already managed by a CCP or another critical food safety control, this always must take precedence.  The food safety control should be expanded and the associated training, so that it is clear that it also manages a significant threat.

Vulnerable Threat Point (VTP):

A vulnerable threat point is the equivalent of a threat CCP.  Therefore, the procedure and the associated training must include a monitoring process, criteria or critical limits and a frequency.  Where the monitoring shows that the critical limits or the criteria have not been met, there must also be an agreed corrective action plan in place.  Verification of this VTP must also be carried out to ensure that it continues to be effective at all times.

Validation and justification of VTP’s:

Where VTP’s have been assigned as the required management technique for a protection measure and the threat, the monitoring, critical limit or criteria and the frequency must be validated or justified.  Validation must show that the provided VTP is effective at managing the threat and this would include validation of the critical limits and the process.  Where criteria have been assigned, because a critical limit cannot be set, then the justification of why the criteria are acceptable should be documented.  For both cases, the frequency of the monitoring of the VTP should be justified.


Reviewing the vulnerability assessment and the food defense plan is essential to ensure that it stays up to date and continues to be effective and protect the business and the consumer.

A review (or re-analysis) of the documentation must be completed when new information is received which will have an impact on the overall food defense plan.  It is advisable, if no new information is received a review is undertaken at least once per year to ensure that the plan and all elements of the plan continue to be effective.  Internal auditing of the system is important to allow the management team to understand any flaws or any continuous improvement that is needed.


To ensure that the plan continues to be effective, the management team must be aware of new information.  Therefore, systems of receiving new information is essential.  Once the information is received, it should be reviewed by a responsible person who should assess whether it may impact on the plan.  Where this is found to be the case, a review of the plan must be undertaken, to amend or further develop the protection measures for any new or developing threats.

The Final Rule:
Over the next few weeks I am going to assess the changes to the final rule that has been published and I’ll let you know my findings.  In the next post I’m going to cover the Foreign Supplier Verification Program Rule, but if you have any specific questions about the Intentional Adulteration Rule that you would like me to cover after that, please let me know – by adding your thoughts to the comments below.

If you would like a copy of our book to help you work through your vulnerability assessment and put your food defense plan together, step-by-step, you can get your copy below…

Have your say…

Share your thoughts…

Your email address will not be published.

We've tagged this article as:

The icing on the cake

We've got a range of products for organisations of every size. Our clients agree that they really do put the icing on the cake…