Vulnerability AssessmentsBackground, Elliott, PAS 96 and TACCP Elliott Review into the Integrity and Assurance of Food Supply Networks – Final Report “The British Standards Institute has worked with Defra and industry, to develop a Publicly Available Specification ‘Defending Food and Drink’ (PAS 96).............elements such as the use of the threats analysis and critical control points, or ‘TACCP’ approach, are relevant in the prevention of food crime. BSI and Defra should continue to focus on the TACCP approach, and to consider the overlap and avoid duplication between malicious contamination and food crime. This approach will provide the building blocks of any future standards that could be developed on preventing food crime.” Safety. Fraud and Defence Overlaps Food Fraud Food Quality Food Defence Food Safety Accidental Acts Deliberate Actions .Food Quality. 7. Consumers First Zero Tolerance Intelligence Gathering Laboratory Services Audit Government Support Leadership Crisis Management . 5.Elliott’s Eight Pillars 1. 4. 8. 2. 3. 6. APPLICATION ROUTE TACCP TEAM SELECTION DEFINING THE SCOPE OF THE STUDY / PROCESS FLOW REVIEW CURRENT TACCP MEASURES IN PLACE THREAT CHARACTERISATION •Personnel •Premises •Process •Services •Logistics •Cybercrime MITIGATION STRATEGY DEVELOPMENT HORIZON SCANNING IMPLIMENTATION RECORDING / DOCUMENTATION AUDIT / REVIEW .GUIDELINE 72 . “Defending food and drink. is a system that was developed in accordance with the PAS96:2010. • Title for the revised PAS96:2014 is. Updated from PAS96:2010.• TACCP. or Threat Assessment and Critical Control Point. “Guide to protecting and defending food and drink from deliberate attack”. detection and defeat of ideologically motivated and other forms of malicious attack on food and drink and their supply arrangements” . Guidance for the deterrence. provenance (unsafe origin) Toxic Japanese star anise labelled as Chinese star anise Mislabelled recycled cooking oil •GREY MARKET PRODUCTION / THEFT / DIVERSION Sale of excess unreported product .Seven Sources of Food Fraud •UNAPPROVED ENHANCEMENTS Melamine added to enhance protein value Use of unauthorized additives (Sudan dyes in spices) •COUNTERFEITING Copies of popular foods – not produced with acceptable safety assurances. potentially using non-potable / unsafe water) Olive oil diluted with cheaper substitutes •SUBSTITUTION Sunflower oil partially substituted with mineral oil Hydrolyzed leather protein in milk •CONCEALMENT Poultry injected with hormones to conceal disease Harmful food colouring applied to fresh fruit to cover defects •MISLABELLING Expiry of dates. •DILUTION Watered down products (Also. 2 “A documented Vulnerability Assessment shall be carried out of all raw materials to assess the potential risk of adulteration or substitution.BRC V7 New Clause 5.4. This shall take into account: •Historical evidence of substitution or adulteration •Economic factors •Ease of access to raw materials through the supply chain •Sophistication of routine testing to identify adulterants •Nature of the raw material” . which may be used to achieve a structured approach to the assessment process. for example CARVER+Shock and TACCP (Threat Assessment Critical Control Points).BRC V7 Interpretation Guide “A number risk assessment tools have been published including some specialist vulnerability assessment tools.” . The aim of the assessment is not to assess the potential for fraud at the site.BRC V7 Interpretation Guide “A vulnerability assessment is a search for potential weaknesses in the supply chain in order to prevent food fraud i. such that appropriate controls need to be put in place. to prevent the adulteration or substitution of raw materials before they arrive at the site.e. but to examine the supply chain for potential concerns or weaknesses to identify those raw materials which are of particular risk of adulteration or substitution.” . BRC V7 Interpretation Guide “Typical information to incorporate into the assessment includes: • Any emerging issues and information identified • Historical evidence of substitution or adulteration of the ingredient • Cost/value of material • Availability . • Country of origin • Length and complexity of the supply chain • The nature of raw material may change the potential for food fraud” .for example. then the likelihood of adulteration is reduced. a poor harvest may restrict availability and may increase the potential for adulteration • Sophistication of routine testing to identify adulterants – if testing within the supply chain is comprehensive and specifically focused on potential fraud issues. Depending on the perceived risk assurance controls may include: • Certificates of analysis from raw material suppliers • Raw material testing • Supply chain audits • Use of tamper evidence or seals on incoming raw materials • Enhanced supplier approval checks • Mass balance exercises at the raw material supplier • Changes to the supply chain eg a change of supplier or a move to a shorter supply chain” .BRC V7 Interpretation Guide “Output from the vulnerability assessment Where raw materials are identified as being of particular risk then appropriate assurance controls need to be in place to ensure that only genuine materials are purchased. amount of direct loss from an attack as measured by loss of production • Recognizability .ability to physically access and egress from target • Recuperability .ease of identifying target • shock . and psychological impacts of an attack .measure of public health and economic impacts of an attack • Accessibility .the combined health. economic.ease of accomplishing attack • Effect .CARVER + shock A method from the FDA that puts a scoring system on attributes of: • Criticality .ability of system to recover from an attack • Vulnerability . to conduct a Vulnerability Assessment (VA) of the food system • A VA is the process of identifying. quantifying. among other things. and prioritizing (or ranking) the vulnerabilities in a system .Vulnerability Assessment Section 106 of the Food Safety Modernization Act (FSMA) • requires the FDA. What is a Vulnerability Assessment? • In food safety there are "hazards" to accidental contamination • In food defense there are "vulnerabilities" to intentional contamination. if it is attempted • By conducting a vulnerability assessment of a food production facility or process. you can determine the most vulnerable points in the infrastructure and focus resources on the most susceptible points . the common measure of vulnerability is the likelihood that an attack succeeds.FSMA . • In calculating risk of intentional threat. TACCP & HACCP Differences and Integrating the Systems . But there are also unknown unknowns. TACCP is an analysis of some “known unknowns” and “unknown unknowns”. There are things we don't know we don't know.A Quote…. there are things that we know we don't know.February 2002 It could be said that HACCP is perhaps a study of the “known known's” and the “known unknowns”. “There are known known's. US Secretary of Defense .” Donald Rumsfeld. That is to say. There are known unknowns.. These are things we know that we know. . but also cover the elements of radiological hazards and of adulteration.g. in parallel with Prerequisite programmes and Critical Control Points. the potential hazards may detail not only Chemical. ‘Heightened’ and ‘Exceptional’.Key Differences • The team may cover the need for slightly different or additional disciplines • The Process Flow Diagram (PFD) will be written to capture the entire process. • Potential contaminants within the TACCP study may not be confined to those which are pertinent to the process involved (e. Metal swarf from stirrer blade) • At times with TACCP. • TACCP suggests implementing response levels of ‘Normal’. the specific hazard at each process step might not be listed. Physical and Biological hazards. . not just that which takes place at the manufacturer’s site • As a result of the requirements. minced Pork and other ingredients Discharge into tote bins Form meatballs on forming machine Place in containers / trays / packaging Chill or Freeze Load Vehicle Storage Weigh Primals Mince through 5mm plate Store in Chill Intake of other ingredients Dispatch Central delivery Depot Deliver to meatball in sauce manufacturer Weigh batch seasonings and other ingredients .Meatball manufacture Primal Intake of Beef Primal Intake of Pork Store in Freezer Store in Freezer Store in Chill Thaw Thaw Weigh Primals Store in Chill Mince through 5mm plate Weigh batch Quantity Minced Beef Weigh batch Quantity Minced Pork Blend minced Beef.Flow diagram . FSMA Vulnerability Assessment The key activity types identified in the most vulnerable production environments are: • • • • Coating / Mixing / Grinding / Rework Ingredient Staging / Prep/Addition Liquid Receiving / Loading Liquid Storage / Hold / Surge Tanks . Minced Pork / Ingredients Store in Chill Discharge Into Tote Bins Form Meatballs on Forming Machine Place in Containers / Trays / Packaging Chill or Freeze Load Vehicle Dispatch Central delivery Depot Deliver to Meatball in Sauce Manufacturer .Primal Intake of Beef Primal Intake of Pork Store in Freezer Store in Freezer Store in Chill Thaw Thaw Store in Chill Weigh Primals Weigh Primals Mince Through 5mm Plate Mince Through 5mm Plate Weigh Batch Quantity Minced Beef Weigh Batch Quantity Minced Pork Blend Minced UK Beef. TACCP Human Elements . The Centre for the Protection of National Infrastructure (CPNI's) Insider Data Collection Study indicated: • Significantly more males engaged in insider activity (82%) than females (18%) • The majority of insider acts were carried out by permanent staff (88%). Instances of insider cases increased with age until they peaked within this category and then decreased beyond 45 years of age . only 7% of cases involved contractors and only 5% involved agency or temporary staff • 60% of cases were individuals who had worked for their organisation for less than five years • 49% of insider cases occurred within the 31-45 years age category. 7-10 then step 8 Situational When under time or other constraints.Human factors Skill based errors Errors Mistakes Human Factors Slips of action Lapses of memory Thought the setting should be 4 when in fact it should be 6 Rule based mistakes Used baking powder instead of baking soda Knowledge based mistakes Used a thermometer that wasn’t calibrated Routine Violations Intended to set dial to 3 accidentally set to 6 Knows to follow steps 1 to 10 in order but always performs steps 1-5. the action not carried out as per the procedure Exceptional Disgruntled employee received a warning that day and chose to act in a way they shouldn’t . Criminality: 3 Business Threats . Incompetence.Complacency. Subject Matter: • Complacency – “Smug self satisfaction” • Incompetence – “Lacking the necessary skill” • Criminality – “Tendency to illegal acts” • Sudan dyes • Melamine . prohibited for use in food) May’03 France reports Sudan dyes as an issue in Indian chilli products Jul’03 Pan-EU controls introduced Feb’04 FSA reminds UK industry of issue Jan’05 56 Alerts issued in UK since 2003 Feb’05 Worcestershire sauce found with sudan (made with 2002 chilli) Mar’05 580 products withdrawn from the UK market .Case study I: Sudan dyes (genotoxic carcinogens. . Significance of problem recognised Dec’08 Estimated number of cases: >250.Case Study II: Melamine 2005/6 Local reports of melamine as an in issue in Chinese milk Mar’07 First US pet deaths directly attributable to melamine Aug’07 >5300 products recalled Jun’08 Linkage between baby kidney damage and Sanlu milk in Gansu province Aug’08 Melamine found by Fonterra (NZ) Sep’08 Fonterra advise NZ government who advise the Chinese govt.000 babies & infants . g. Colour) • Fraud is becoming more sophisticated – “chemically identical” substitutes (e.g. olive oil / basmati rice / tomato paste) . vanilla) – Commodity items (e.Points to consider • Understand the historical perspective • Inevitable lag time between commencement and detection • Value of certification • Adulteration often relates to value (money) determining product attributes – Attribute quality is often measured to an indirect or subjective end-point (e.g. How To Conduct a TACCP Study . APPLICATION ROUTE / LOGIC TABLE TEAM SELECTION DEFINING THE SCOPE OF THE STUDY / PROCESS FLOW REVIEW CURRENT TACCP MEASURES IN PLACE THREAT CHARACTERISATION •Personnel •Premises •Process •Services •Logistics •Cybercrime MITIGATION STRATEGY DEVELOPMENT HORIZON SCANNING IMPLIMENTATION RECORDING / DOCUMENTATION AUDIT / REVIEW . Threats categorised by likelihood / impact and plotted 5 EXCEPTIONAL 4 Impact 3 HEIGHTENED 2 NORMAL 1 1 2 3 Likelihood 4 5 . 1 2 3 Process step description Step No.DOC REF: TACCP1 DATE: XX/XX/XX EDITION: 1 VERSION: 1 TACCP ANALYSIS: FOOD SECURITY Product / Process: No. Threat description and job role involved Response: Normal Heightened Exceptional Preventative Actions / Control Measures Severity Likelihood Total . Thank you Lorraine Green Quality Management Systems Specialist – Campden BRI Tel: 01386 842458 Email: [email protected] .