In this article we’re going to cover how to implement a robust and effective product security plan which includes product, site and vehicle security. The following information is compliant to these standards:
|BRCGS Food Safety Issue 8||4.2 Site security and food defence|
|BRCGS Packaging Issue 6||4.4 Site security and product defence|
|BRCGS Agents & Brokers Issue 2||4.3 Product security/food defence|
|Storage & Distribution Issue 4||4.2 Site security and product defence
5.2.1-5.2.3 Vehicle security
|FSSC22000 Version 5.1||2.5.3 Food defense|
|IFS Food Version 7||6 Food defence plan|
|SQF Edition 9||2.7 Food defense and food fraud|
The areas covered in this article are:
- Product or food defence?
- TACCP or VACCP?
- Product defence
- Threat assessment
- Inputs – information sources
- Threat team
- Identify the threats
- Threat analysis
- Security measures
Let’s start by looking at some of the terminology, because each standard uses different words so it can be confusing.
Product or food defence?
If you look at the list of sections above for the standards, you can see that some refer to this subject as food defence (or food defense if you’re in the US) and some refer to it as product defence. It means the same thing.
For sites who are making packaging, it’s referred to as product defence. For sites who are making food, it’s referred to as food defence. For storage and distribution sites, it’s referred to as product defence as they probably handle food, packaging and possibly other product too. The most important thing is the product – whether it be food or non-food.
At Techni-K we have a rule that we always refer to the product as product, not food – as we’re working with food and non-food companies. Which is why we’ll only use the term product defence in this article.
TACCP or VACCP?
These are relatively new terms and cause a lot of confusion:
- TACCP: Threat Assessment & Critical Control Point
- VACCP: Vulnerability Assessment & Critical Control Point
The terms and the purpose of these is shown below:
|Term||Type of risk assessment||Purpose||Applies to||Results in|
|VACCP||Vulnerability assessment||Product fraud||Raw materials prior to their delivery to you||Fraud mitigation plan|
|TACCP||Threat assessment||Product security||Product security while it’s in your control||Security plan|
We don’t use the terms; TACCP and VACCP, as the CCP refers to critical control point and there’s no such thing in either system. However, since these terms seem to have taken hold and get used a lot, you just need to know the difference between them.
Vulnerability (VACCP) is used when assessing fraud. This only applies to materials before they arrive with you.
Threat (TACCP) is used when assessing malicious contamination. This applies to the materials and the finished product while it’s under your control. This means – while it’s your responsibility. Which is typically, from the point of delivery of the material to you, throughout the process, to delivery of the finished product to your customer.
This means, that VACCP only applies to the supply-chain, before your materials get to you. From the point of delivery, through your process and to the point at which you deliver it to the customer – the rest is TACCP.
‘Delivery to the customer’ can vary…
- If you deliver into one of the big retailers their depot vehicles may collect the product from your site. In this case, your responsibility finishes as soon as the product is put on their vehicle at your dispatch.
- If you deliver into a depot using your own vehicles, then your responsibility finishes when you offload at that depot.
- If you deliver into a depot using a subcontracted transport company, then your responsibility finishes when you put the product on the subcontractor’s vehicle. But your supplier management system would ensure that your subcontractor picked up the TACCP responsibility at that point.
The idea is that we’re all aware of where our responsibility for product defence starts and stops at each individual point in the supply-chain – where one responsibility stops, the next responsibility starts. Therefore, ensuring product security throughout the whole supply-chain.
This is probably a good place to pause and explain the confusion around product security and product defence….
As we’ve explained, product fraud is what we’re concerned with in the supply-chain before materials get to you. To manage this risk, we carry out a vulnerability assessment to produce a fraud mitigation plan.
Product security is about keeping the product safe from malicious contamination and theft while it’s under your control. To manage this risk, we carry out a threat assessment to produce a security plan.
Product defence is a collective term for both of these things. Product defence is about protecting the consumer, whether it be from fraud or product security issues.
This means that:
A fraud mitigation plan + a security plan = a product defence plan
In this article we’re only going to look at product security, by carrying out a threat assessment, to produce a security plan.
GFSI define product defence as “Procedures adopted to ensure the safety of raw materials and products from malicious contamination or theft.”
BRCGS only provide a definition in two of their standards:
- Food Issue 8 defines product defence as “Procedures adopted to ensure the safety of raw materials and products from malicious contamination or theft.”
- Storage & Distribution Issue 4 states “Procedures adopted to ensure the safety of products from malicious contamination.”
IFS define product defence as “Procedures implemented to assure the protection of food and their supply chain from malicious and ideologically motivated threats.”
SQF use the definition provided by the FDA “As defined by the US Food and Drug Administration, the efforts to prevent intentional food contamination by biological, physical, chemical, or radiological hazards that are not reasonably likely to occur in the food supply.”
Therefore, the purpose of the product defence section of the standards is to protect the product from malicious contamination and theft. And we do that using product security.
In our article How to implement a robust and effective internal audit programme we explained that the term scope is used to define what the system is going to cover. What’s included and what’s not included.
When referring to product security the scope must cover:
- All activities and physical locations within your company control
- From the point at which the material is delivered
- To the point where you hand over responsibility to your customer or the next point in the supply-chain
- Internal threats: people on site; employees, agency, contractors, visitors
- External threats: anyone who shouldn’t be on site
The purpose is to ensure that the product is protected from malicious contamination and theft, while on site and during distribution. This includes food product and packaging product.
A threat assessment is a new term that replaces the security risk assessment that we had before.
Inputs – information sources
Every type of risk assessment has to have an input and an output. The input gives us the facts and data we need to carry it out and the output is the reason we are doing the risk assessment in the first place.
A threat assessment is no different, we need information to base our assessment on. This information can come from a two main sources:
- Internally from your team (which we’ll come on to)
- Externally from information sources such as industry bodies, government bodies and industry incidents
To comply with the standards, you’ll need to identify where you’re going to get your external information, how it will be received, who’s responsible for receiving it, reviewing it and then feeding it into the threat team if needed.
Also make sure that when information is received, it’s logged so you can prove that you received it. This doesn’t have to be complicated, just having a filing system in your emails would work.
To comply with the standards, you need a methodology for your threat assessment. The standards don’t define how you must do it, just that you must have one and that it’s documented. The purpose of the methodology is to provide structure and consistency to your assessment.
When you’re creating your methodology, there are a number of things you’ll need to take into consideration:
- You need to define what impact the threat will have. Typically, in risk assessment you’d think about the severity on the consumer and your customer. But, with threats, the consumer or your customer might not be the only target, as some threats (such as sabotage) are aimed at hurting the business. So, it’s a good idea to consider not just the impact on the consumer and customer, but also the impact on your business too.
- Because you can’t always control a threat, i.e., you can’t stop it from happening, you also have to consider the likelihood of someone detecting that it’s occurred. This would be where security measures such as seals or tamper evidence packaging would come in. So, it’s a good idea to include detection, or likelihood in your methodology.
- Make sure your risk assessment method provides a result as to whether the threat that you are assessing, is significant or not. As significant threats would need to go forward (like you do in HACCP) to determine if they need special consideration.
Alternatively, you could use the well-defined and proven methodology, that’s provided in our book ‘Assessing Threat Vulnerabilities for Food Defence.’
To ensure that your assessment is robust you’ll need to have a team who have responsibilities for product security, site security and transport security. You also need to have people on your team who can provide you with information about known or possible threats, for example:
- HR will be able to provide insights into staff moral and contractual changes that may affect your assessment.
- Technical will be able to provide information about any malicious contamination complaints or relevant industry incidents.
The team will need training on the methodology that you’ve set and the procedure for receiving and reviewing information. The team will also need to be trained to ensure that they know that when they become aware of new information that may impact the threat assessment, that they must highlight it to the team for review.
Identify the threats
As a team, map out the process that the materials go through, from the point at which they arrive to the point at which they are delivered to the customer (if it’s your vehicles that deliver your product), or wherever your responsibility ends. At that point, you can then look at what threats are applicable at each stage, using the information sources from your team or from external industry sources.
The threats must cover any known or possible threats from malicious contamination and theft, including substitution of product with substandard product.
Once you’ve got your list of threats at each point in the process, you can assess them using your threat assessment methodology.
Once you have your list of threats at the relevant steps, you can carry out your analysis using the methodology you’ve defined.
The purpose of the analysis is to define which threats are significant and therefore need security measures – this is your output to the threat assessment and it creates your security plan.
Note here, that we’ve said ‘security measures’, not ‘control measures’. This is because you can’t always control a threat, as you may not always be able to stop it from happening.
What you can do, is put security measures in place to protect the customer or the consumer, using techniques such as tamper evident packaging or seals on vehicles. This way you can identify when a threat has occurred, so that it can then be managed. Where your security measures identify that monitoring is required, this will also need writing into relevant procedures and records.
Expected security measures
There are certain measures that are expected, which are:
- External storage areas are locked when not in use
- Intake points (e.g. to silos) need to be locked when not in use
- Site security such as perimeter fencing, CCTV, access control to internal areas
- Tamper evident packaging
- Seals on vehicles and tankers
- Visitor and contractor sign-in processes
This doesn’t mean that you don’t need a threat assessment if you have all of the above in place, you do – your assessment would need to have these security measures as the output. And it doesn’t mean that these are the only security measures you need, your threat assessment should define which additional ones you may need.
If you have to subcontract any parts of your process (including logistics), then you must relay the required security measures to your approved service supplier. The monitoring of the supplier must also include monitoring of the required security measures.
Your team must be constantly looking for new information (this is called horizon scanning) which will trigger a review if needed.
A review would also be needed when a security incident occurs, and at least annually. You’ll also need to make sure you record the review, what was discussed, who attended and any actions that arise from it.
To comply with this section of the standard you need to implement two types of training:
- All on site personnel must have an awareness of site, product and vehicle security and any site security rules.
- The threat team must be trained in the site procedure for threat assessment, information sources and review.
We have developed a free product defence awareness course, for you to train all of your staff on site.
It’s very light-hearted and fun, but gets across the key points about why product defence is important.
It only takes a few minutes to complete and you can set up all of your staff on site – so, you’ll be one step closer to being compliant!