In this article we’re going to cover how to implement a robust and effective product security plan which includes product, site and vehicle security. The following information is compliant to these standards:

BRCGS Food Safety Issue 8 4.2 Site security and food defence
BRCGS Packaging Issue 6 4.4 Site security and product defence
BRCGS Agents & Brokers Issue 2 4.3 Product security/food defence
Storage & Distribution Issue 4 4.2 Site security and product defence

5.2.1-5.2.3 Vehicle security

FSSC22000 Version 5.1 2.5.3 Food defense
IFS Food Version 7 6 Food defence plan
SQF Edition 9 2.7 Food defense and food fraud

The areas covered in this article are:

Let’s start by looking at some of the terminology, because each standard uses different words so it can be confusing.

Product or food defence?

If you look at the list of sections above for the standards, you can see that some refer to this subject as food defence (or food defense if you’re in the US) and some refer to it as product defence. It means the same thing.

For sites who are making packaging, it’s referred to as product defence. For sites who are making food, it’s referred to as food defence. For storage and distribution sites, it’s referred to as product defence as they probably handle food, packaging and possibly other product too. The most important thing is the product – whether it be food or non-food.

At Techni-K we have a rule that we always refer to the product as product, not food – as we’re working with food and non-food companies. Which is why we’ll only use the term product defence in this article.

TACCP or VACCP?

These are relatively new terms and cause a lot of confusion:

  • TACCP: Threat Assessment & Critical Control Point
  • VACCP: Vulnerability Assessment & Critical Control Point

The terms and the purpose of these is shown below:

Term Type of risk assessment Purpose Applies to Results in
VACCP Vulnerability assessment Product fraud Raw materials prior to their delivery to you Fraud mitigation plan
TACCP Threat assessment Product security Product security while it’s in your control Security plan

We don’t use the terms; TACCP and VACCP, as the CCP refers to critical control point and there’s no such thing in either system. However, since these terms seem to have taken hold and get used a lot, you just need to know the difference between them.

VACCP and TACCP

Vulnerability (VACCP) is used when assessing fraud. This only applies to materials before they arrive with you.

Threat (TACCP) is used when assessing malicious contamination. This applies to the materials and the finished product while it’s under your control. This means – while it’s your responsibility. Which is typically, from the point of delivery of the material to you, throughout the process, to delivery of the finished product to your customer.

This means, that VACCP only applies to the supply-chain, before your materials get to you. From the point of delivery, through your process and to the point at which you deliver it to the customer – the rest is TACCP.

‘Delivery to the customer’ can vary…

  • If you deliver into one of the big retailers their depot vehicles may collect the product from your site. In this case, your responsibility finishes as soon as the product is put on their vehicle at your dispatch.
  • If you deliver into a depot using your own vehicles, then your responsibility finishes when you offload at that depot.
  • If you deliver into a depot using a subcontracted transport company, then your responsibility finishes when you put the product on the subcontractor’s vehicle. But your supplier management system would ensure that your subcontractor picked up the TACCP responsibility at that point.

The idea is that we’re all aware of where our responsibility for product defence starts and stops at each individual point in the supply-chain – where one responsibility stops, the next responsibility starts. Therefore, ensuring product security throughout the whole supply-chain.

This is probably a good place to pause and explain the confusion around product security and product defence….

Product defence

As we’ve explained, product fraud is what we’re concerned with in the supply-chain before materials get to you. To manage this risk, we carry out a vulnerability assessment to produce a fraud mitigation plan.

Product security is about keeping the product safe from malicious contamination and theft while it’s under your control. To manage this risk, we carry out a threat assessment to produce a security plan.

Product defence is a collective term for both of these things. Product defence is about protecting the consumer, whether it be from fraud or product security issues.

This means that:

A fraud mitigation plan + a security plan = a product defence plan

In this article we’re only going to look at product security, by carrying out a threat assessment, to produce a security plan.

Product Defence

Purpose

GFSI define product defence as “Procedures adopted to ensure the safety of raw materials and products from malicious contamination or theft.”

BRCGS only provide a definition in two of their standards:

  1. Food Issue 8 defines product defence as “Procedures adopted to ensure the safety of raw materials and products from malicious contamination or theft.”
  2. Storage & Distribution Issue 4 states “Procedures adopted to ensure the safety of products from malicious contamination.”

IFS define product defence as “Procedures implemented to assure the protection of food and their supply chain from malicious and ideologically motivated threats.”

SQF use the definition provided by the FDA “As defined by the US Food and Drug Administration, the efforts to prevent intentional food contamination by biological, physical, chemical, or radiological hazards that are not reasonably likely to occur in the food supply.”

Therefore, the purpose of the product defence section of the standards is to protect the product from malicious contamination and theft. And we do that using product security.

Scope

In our article How to implement a robust and effective internal audit programme we explained that the term scope is used to define what the system is going to cover. What’s included and what’s not included.

When referring to product security the scope must cover:

  • All activities and physical locations within your company control
  • From the point at which the material is delivered
  • To the point where you hand over responsibility to your customer or the next point in the supply-chain
  • Internal threats: people on site; employees, agency, contractors, visitors
  • External threats: anyone who shouldn’t be on site

The purpose is to ensure that the product is protected from malicious contamination and theft, while on site and during distribution. This includes food product and packaging product.

Threat assessment

A threat assessment is a new term that replaces the security risk assessment that we had before.

Inputs – information sources

Every type of risk assessment has to have an input and an output. The input gives us the facts and data we need to carry it out and the output is the reason we are doing the risk assessment in the first place.

A threat assessment is no different, we need information to base our assessment on. This information can come from a two main sources:

  1. Internally from your team (which we’ll come on to)
  2. Externally from information sources such as industry bodies, government bodies and industry incidents

To comply with the standards, you’ll need to identify where you’re going to get your external information, how it will be received, who’s responsible for receiving it, reviewing it and then feeding it into the threat team if needed.

Also make sure that when information is received, it’s logged so you can prove that you received it. This doesn’t have to be complicated, just having a filing system in your emails would work.

Methodology

To comply with the standards, you need a methodology for your threat assessment. The standards don’t define how you must do it, just that you must have one and that it’s documented. The purpose of the methodology is to provide structure and consistency to your assessment.

When you’re creating your methodology, there are a number of things you’ll need to take into consideration:

  • You need to define what impact the threat will have. Typically, in risk assessment you’d think about the severity on the consumer and your customer. But, with threats, the consumer or your customer might not be the only target, as some threats (such as sabotage) are aimed at hurting the business. So, it’s a good idea to consider not just the impact on the consumer and customer, but also the impact on your business too.
  • Because you can’t always control a threat, i.e., you can’t stop it from happening, you also have to consider the likelihood of someone detecting that it’s occurred. This would be where security measures such as seals or tamper evidence packaging would come in. So, it’s a good idea to include detection, or likelihood in your methodology.
  • Make sure your risk assessment method provides a result as to whether the threat that you are assessing, is significant or not. As significant threats would need to go forward (like you do in HACCP) to determine if they need special consideration.

Alternatively, you could use the well-defined and proven methodology, that’s provided in our book ‘Assessing Threat Vulnerabilities for Food Defence.

Threat team

To ensure that your assessment is robust you’ll need to have a team who have responsibilities for product security, site security and transport security. You also need to have people on your team who can provide you with information about known or possible threats, for example:

  • HR will be able to provide insights into staff moral and contractual changes that may affect your assessment.
  • Technical will be able to provide information about any malicious contamination complaints or relevant industry incidents.

The team will need training on the methodology that you’ve set and the procedure for receiving and reviewing information. The team will also need to be trained to ensure that they know that when they become aware of new information that may impact the threat assessment, that they must highlight it to the team for review.

Identify the threats

As a team, map out the process that the materials go through, from the point at which they arrive to the point at which they are delivered to the customer (if it’s your vehicles that deliver your product), or wherever your responsibility ends. At that point, you can then look at what threats are applicable at each stage, using the information sources from your team or from external industry sources.

The threats must cover any known or possible threats from malicious contamination and theft, including substitution of product with substandard product.

Once you’ve got your list of threats at each point in the process, you can assess them using your threat assessment methodology.

Threat analysis

Once you have your list of threats at the relevant steps, you can carry out your analysis using the methodology you’ve defined.

Output

The purpose of the analysis is to define which threats are significant and therefore need security measures – this is your output to the threat assessment and it creates your security plan.

Security measures

Note here, that we’ve said ‘security measures’, not ‘control measures’. This is because you can’t always control a threat, as you may not always be able to stop it from happening.

What you can do, is put security measures in place to protect the customer or the consumer, using techniques such as tamper evident packaging or seals on vehicles. This way you can identify when a threat has occurred, so that it can then be managed. Where your security measures identify that monitoring is required, this will also need writing into relevant procedures and records.

Expected security measures

There are certain measures that are expected, which are:

  • External storage areas are locked when not in use
  • Intake points (e.g. to silos) need to be locked when not in use
  • Site security such as perimeter fencing, CCTV, access control to internal areas
  • Tamper evident packaging
  • Seals on vehicles and tankers
  • Visitor and contractor sign-in processes

This doesn’t mean that you don’t need a threat assessment if you have all of the above in place, you do – your assessment would need to have these security measures as the output. And it doesn’t mean that these are the only security measures you need, your threat assessment should define which additional ones you may need.

If you have to subcontract any parts of your process (including logistics), then you must relay the required security measures to your approved service supplier. The monitoring of the supplier must also include monitoring of the required security measures.

Review

Your team must be constantly looking for new information (this is called horizon scanning) which will trigger a review if needed.

A review would also be needed when a security incident occurs, and at least annually. You’ll also need to make sure you record the review, what was discussed, who attended and any actions that arise from it.

Training

To comply with this section of the standard you need to implement two types of training:

  1. All on site personnel must have an awareness of site, product and vehicle security and any site security rules.
  2. The threat team must be trained in the site procedure for threat assessment, information sources and review.
Free Product Defence Training

We have developed a free product defence awareness course, for you to train all of your staff on site.

It’s very light-hearted and fun, but gets across the key points about why product defence is important.

It only takes a few minutes to complete and you can set up all of your staff on site – so, you’ll be one step closer to being compliant!

  • (If multiple site)

Have your say…

5 thoughts on “How to carry out a threat assessment and implement a product security plan, for product defence

  1. A great article and thank you for stating “We don’t use the terms; TACCP and VACCP, as the CCP refers to critical control point and there’s no such thing in either system”, as this is exactly what has always puzzled me and my candidates. I also like the adoption of “product defence” instead of just food and drink, so we can apply this equally to packaging and packaging materials and so on.

  2. Really good article and has helped reassure me I am approaching them appropriately- thank you.

    Be interested though to hear yours or any other readers thoughts on hauliers. Noting the part where you say ‘If you deliver into a depot using a subcontracted transport company, then your responsibility finishes when you put the product on the subcontractor’s vehicle. But your supplier management system would ensure that your subcontractor picked up the TACCP responsibility at that point’.

    I work with large well known hauliers (that actually are often more freight forwarders who subcontract European deliveries) they do an excellent job of both customs clearance and moving the goods from A to B, but none are S&D certified and when asked about providing a copy of their ‘product defence’ or security plan as part of supplier approval, they do not have anything in place and do not seem willing to work with me to do one? It’s something they apparently are not familiar with (I’m surprised that no one else is asking too?) and I guess they think why should they waste time on this for one customer. Some peoples gut reaction might be to say find a new provider, but this is not one difficult provider, but a frequent finding with multiple providers. Interested to know if anyone else has found this and has any suggestions?

    Thanks

    1. Hi Techigeek12
      Brilliant question! Totally understand where you’re coming from. This will sounds really sceptical, but my experience is that businesses ultimately only change or implement requirements if there is a ‘push’ to do so. And, that ‘push’ comes from there being a financial benefit in doing it, or not doing it could cause loss of customer orders.
      Taking this theory and applying to your situation, at the moment there is no ‘push’ for them to do it. No finanical gain and no threat of loss of business.
      So, the question is – how do you create one or other? To me the only way you’re going to do this is by involving your commercial and senior management team – they should be able to help you to create such a ‘push’.
      Is that something that your business would be interested in doing?
      Kassy

  3. Really good article. Clear, logically and simply explained. My feeling is that from here on in this subject is going to become more and more important to businesses so getting the fundamentals in place now is absolutely the right thing to do.

    I also believe that an established food safety and quality culture is part of the process in reducing threats.

Share your thoughts…

Your email address will not be published. Required fields are marked *

We've tagged this article as: ,

The icing on the cake

We've got a range of products for organisations of every size. Our clients agree that they really do put the icing on the cake…