This article is written to meet the following sections of the Standards:
|BRCGS Food Safety Issue 8||5.4.2 Vulnerability assessment|
5.4.3 Output from the vulnerability assessment
4.2.1 Documented assessment of security
4.2.2 Additional controls to mitigate risks
4.2.3 Authorised access (protection measures)
|BRCGS Packaging Issue 6||3.8.2 Vulnerability assessment|
3.8.3 Output from the vulnerability assessment
4.4.1 Risk assessment of security
4.4.2 Site access (protection measures)
4.4.3 External storage (protection measures)
|BRCGS Agents & Brokers Issue 3||4.3.1 Product security/ food defence|
4.8.2 Vulnerability assessments
4.8.3 Products at risk of adulteration or substitution
|BRCGS Storage & Distribution Issue 4||126.96.36.199 Output from the vulnerability assessment|
10.3.3.2 Vulnerability assessment
188.8.131.52 Vulnerability assessment review
4.2.1 Threat assessment
4.2.3 Site security procedures
5.2.2 Vehicle security procedures
|FSSC 22000 Version 5.1||184.108.40.206a) Assess food defence threats|
220.127.116.11a) Assess food fraud threats
18.104.22.168a) Food defence plan
22.214.171.124a) Food fraud plan
126.96.36.199b) Develop and implement food defence protection measures
188.8.131.52b) Develop and implement food fraud protection measures
|IFS Food Version 7||4.20.3* Implement controls|
6.3 Control measures
|SQF Edition 9||184.108.40.206 iii) iv) v) vi) and vii) Protection methods|
The method of threat and vulnerability assessment must identify:
- Significant vulnerabilities.
- Protection measures to mitigate these.
To mitigate significant vulnerabilities, protection measures must be put in place, where possible.
These may include:
- Proactive actions to remove the vulnerability, such as changes to the supply-chain.
- Review of certificates of analysis from material suppliers.
- Material testing.
- Audits or enhanced supplier approval.
- Tamper-proof packaging or vehicle seals.
- Mass balance exercises with the material supplier.
- Access controls; perimeter fencing, restricted access, locking off external storage areas.
Quality not quantity
If you’ve carried out your identification process correctly, you should end up with a limited number of vulnerabilities which require assessment.
It’s common to see assessments which have pages and pages of vulnerable threats (we’ve done it ourselves!) but as your thinking develops, so should the quality of what you’re producing.
The aim now is to go for quality and not quantity. In HACCP, you spend time working out what the relevant hazards are and then only assessing those. This is now what you must do with product defence. We’ve now developed more simplified systems to identify just the pertinent vulnerabilities and only put these into the assessment.
This results in a really focused and robust plan. It’s much better to have just handful of entries in your assessment with robust protection measures, rather than pages and pages of ‘tick box’ entries.
You must have a documented method which details how you’re going to assess the vulnerable threats that you’ve identified from:
The method must establish which of the vulnerabilities are significant and therefore need protection measures.
The method should also look to remove the vulnerability wherever possible, for example, where a material is vulnerable because of where it’s processed – you could look to change supplier.
Where a significant vulnerability is determined, then you must put protection measures in place. Ideally these should be proactive, but where this isn’t possible then reactive measures should be considered.
The standards provide a list of the types of protection measures that are appropriate. These however are only suggestions, and not all of them will be relevant to you.
Examples of protection measures
The one we would advise not to use, would be the review of certificates of analysis. This implies that you check the certificate to establish adulteration. If you think about this – if a supplier was trying to defraud you by sending you something that was inauthentic, they wouldn’t send you a certificate telling you so. They’d provide a fraudulent certificate too.
Where significant vulnerabilities are identified upstream or downstream, this is a key protection measure. However, this doesn’t mean you can just chalk it down to the current systems – it means you must review what you’ve got and really think about whether it needs to be ‘enhanced’.