Due to the volume of content involved, this may take a few minutes to load!

Sign up for free today!

Sign Up

Premier Online Food Safety and Quality Management Resource

Food Defence

Development – To define detail, scope and purpose.

User Uploaded Image Let us help you to develop integrated Food Safety and Quality solutions that level the playing field and get you ready to control your hazards. In fact, we're experts in helping you to establish effective systemic tools, drive continuous improvements and show you where your most effective outcomes originate.
Website: https://alimentex.com/
Sales Contact Person: Aron Malcolm
Sales Contact Email: achievegreatness@alimentex.com

Training participants will gain a basic understanding of Food Defence and its applications within food safety and quality systems. Basic knowledge competency will be verified through successful completion of the accompanying Food Defence assessment activity. Basic skill competency can be verified through the Food Defence competency checklist available as a resource for this training activity.

Key Definitions for Food Defence
- Economically Motivated Adulteration or EMA: Economically Motivated Adulteration is a Food Defence risk generally facilitated by the food manufacturer itself, with the intent of increasing profits or lowering production cost at the expense of public safety.
- Food Defence: Food Defence covers the methodologies applied to identify risk to food from acts of unsafe modifications or intentional adulteration.
- Food Fraud: Defined by the deliberate and intentional adulteration or unsafe modification of food, its ingredients or packaging, product information, labelling, or misleading statements made about a food product for economic gain that could negatively affect consumer health.
- Food Security Management: Food Security Management is about the methods implemented to ensure adequate and appropriate control of foods and related materials throughout the production and supply chain.
- HACCP: Hazard Analysis Critical Control Point or HACCP as it is commonly known, is a science based risk management system, relying on identification and recognition of specific hazards, and nominates measures for their control to ensure the safety of food.
- TACCP: Threat Assessment Critical Control Point or TACCP is concerned with the prevention of deliberate and intentional food adulteration. Where VACCP focuses on discussing the vulnerability of multiple points, TACCP specifically identifies the threat of economically motivated food adulteration.
- VACCP: Vulnerability Assessment and Critical Control Point System or VACCP is the application of the HACCP system particularly to incidents of food fraud. This system helps identify the vulnerability of various points in the supply chain particularly due to the possible threat of economically-motivated adulteration.

Food Defence Development
When considering the development, documentation and implementation of Food Defence within food safety and quality management systems, the following information should be considered to ensure effective outcomes:

About Food Defence
Food defence is the protection of food products from adulteration or contamination intended to cause economic disruption and / or harm to public health. Food Defence is by no means a new concept – It has been applied in many different incarnations over time. The term “Food Defence” is used describe the various methodologies implemented to ensure the food provided to consumers is wholesome, genuine and not unnecessarily tampered with.

Food Defence events can generally be categorized into three types:
- Industrial Sabotage;
- Terrorism; and
- Economically Motivated Adulteration or EMA.

These events can be triggered by a frustrated employee, a company spy or insider, or by individuals who have a goal to compromise public health and safety.

Industrial Sabotage
Industrial Sabotage is an event intentionally performed by a frustrated employee or competitor with the goal of damaging the brand or name of the company as well as causing financial difficulties due to massive product recalls. This type of event is not usually conducted to cause widespread harm or public illness.

The food industry is considered one of the most vulnerable targets of terrorism due to their public reach, often done to promote fear and spread public illness. A malicious individual could use a popular food item as a means of spreading a deadly virus.

Economically Motivated Adulteration is a Food Defence risk variant generally facilitated by the food manufacturer itself, with the intent of increasing profits or lowering production cost at the expense of public safety.

About PAS 96
PAS 96 is a document created to standardize the elements of food defence and safety as well as protecting the integrity and wholesomeness of food and food supply. The PAS 96 document describes a risk management methodology called TACCP or Threat Assessment Critical Control Point as capable of being utilized by all kinds of food businesses and at all points in many types of food supply chains.

PAS 96 uses TACCP as it provides more focus on people and requires the inputs from non-food safety specialists such as the human resources department. It also requires safety specialists to think like a criminal to determine possible vulnerabilities in their system.

PAS 96 Methodology and Steps
The following steps are critical to the effective management of Food Defence within the Food Sector:
1. Determining Threats
2. Thinking like a Criminal
3. Applying TACCP

Step 1. Determining Threats
Attacks against food and food supply come in several forms. Some of them could be motivated simply for the sake of publicity while others only seek to spread fear and harm public health. In some cases, food attacks are also initiated by the very food supply chain itself.

The following types of threats may be relevant to your business:
- Economically Motivated Adulteration
- Malicious Contamination
- Extortion
- Espionage
- Counterfeiting
- Cyber Crime

Economically Motivated Adulteration

- This is the only threat on this list where the attacker is the food supplier itself. The primary goal of EMA is to gain financial advantage from selling food products in a way which deceives both consumers and customers.
- This can be done either by intentionally mislabelling price tags of which an otherwise cheap material is sold for a higher price or perhaps where an instance where a cheaper ingredient is used to extend or replace the more expensive one.
- The intention of EMA is always about gaining more money but sometimes it may cause harm or even death. Such was the case of the 2008 melamine spiking scandal where melamine was used to forcibly spike the protein content of dairy based products, resulting to the hospitalization of consumers of tainted product and numerous deaths.
- Common adulterants are usually harmless or have yet to be reported to cause harm. Ingredients such as water and sugar are generally regarded as safe for most food use but improper use is considered food fraud.
- EMA can be revealed by means of an auditor particularly when there are discrepancies between quantities sold and quantities purchased.

Malicious Contamination

- The primary motivation for malicious contamination is to cause public harm, whether localized or worldwide. Some do it for publicity or to promote attention towards the attacker's idea or beliefs.

- Like EMA, the motivation for extortion is financial gain except this time it's done by someone or a group that wants to exploit a victim organization's vulnerabilities.

- Gaining access to a competitor's intellectual property, which may aid to provide commercial advantage to their own, is the main goal of espionage.
- Espionage may be facilitated through insiders or through remote attacks such as facilitated through information technology systems.
- The interested party could also attempt to coax business executives into revealing confidential information or use covert recording to acquire the material they need. Alternatively, they could simply steal the material.

- The goal of counterfeiting is financial gain by means of procuring inferior goods and passing them off as popular and reputable brands. This could harm both a company's finances and reputation if not stopped.
- Organized crime groups may attempt to emulate the contents of the food product to delay investigation and detection. Petty criminals are more likely to make a quick buck and care less about food safety.

Cyber Crime

- The motivation for this financial gain but require the victims to be naive about technological advances which would make it easier for the attacker to steal personal information.
- An attacker might be trying to hack into a food company's servers but requires certain personal data from someone who has access. The attacker would then attempt to get the information they need through various means, such as social engineering, which on the surface does not always resemble a food defence threat.

Step 2. Thinking like a Criminal

Thinking like a criminal or understanding the attacker’s mindset goes a long way when it comes to safeguarding a food supply chain’s vulnerabilities. Knowing where or how the attacker or attackers will likely strike allows the construction of proper barriers on all critical points. The following types of Criminal mentalities need to be considered:
- The Extortionist;
- The Opportunist;
- The Extremist
- The Irrational Individual
- The Disgruntled Individual;
- Hacktivists; and
- Professionals.

The Extortionist
- This attacker is motivated by money but does whatever it takes to avoid detection. Extortionists target big players in the market especially those that only need a hint of bad news for their reputation to suffer a downward spiral.
- Extortionists can be just one person or a small group of individuals who are resourceful, secretive, and ambitious.
- As threatening extortionists sound, an extortionist can claim to have the power to ruin a company’s name while lacking the actual machinery to carry it out.

The Opportunist
- Opportunists are the type of attackers who have direct access inside the food supply chain. They are usually those who hold influential positions within the company to be able to bypass internal security.
- These attackers are usually motivated by the open opportunity to modify a food product but not before making sure they can get away with it. Success on one occasion will likely entice the opportunist to go for a repeat.
- One of the best ways to deter this type of attacker is by making it known the company holds unannounced visits by customers or audits. Even random sample collecting for analysis will help scare opportunists from proceeding with their plans.

The Extremist
- This type of attacker is among the most dangerous. They take their causes or campaigns so seriously they end up distorting the context so it always justifies their actions. Extremists may very well intend to cause harm, to both company and consumers, and will welcome the publicity after the event.
- What separates extremists from other types of attacker is they may not care whether they harm themselves as they carry out their goal. The risk of failing may persuade them think twice but the risk of getting caught does not scare them.

The Irrational Individual
- Some individuals have no real valid reason as to why they do what they do. The same apply to those who would attack food or the food supply because they can. The irrational attackers may be suffering from a mental disorder or have some traumatic event that caused them to have a distorted sense of right and wrong.
- Fortunately, the irrational attackers are easy to deter through ordinary means. Simply putting up the right kind of barriers to prevent access or making easy detection public knowledge will definitely hinder their actions.

The Disgruntled Individual

- The disgruntled individual’s motivation is revenge, whether the company has done them “wrong” or they interpreted the company’s decision as an attack against their well being.
- These could be anyone from the low ranking employee to the vice president of the company. They do not intentionally want to cause public harm as much as financial loss or embarrassment to the company.
- They may also have firsthand information on the operations as well as have direct access to sensitive data.
- While these are most likely individuals rather than groups, there is strength in numbers and it would be best to make sure the disgruntled individual does not entice other employees to rebel against the company even if it means termination of contract.

- This is the type of attacker that aims to subdue the company by corrupting their computer and data systems, stealing sensitive information, or to hold data as “hostage” in an attempt to get what they want.
- These individuals are not always motivated by money or revenge as they can sometimes hack for the sake of proving a point or showing the company their capability to breach tight security software.

- These are large groups of attackers who often conduct illegal activities continuously for as long as they are not detected.
- They may mimic a popular brand with cheaper and potentially unsafe materials and sell it as authentic items or attack vulnerable points within the system such as the raw material trade route.
- They can be stopped by conducting market monitoring procedures and by collaborating with national and international police authorities.

Step 3. Applying TACCP

When implementing the TACCP Methodology, the objective is to answer the following questions:
- Who might want to attack our business, our products and our brands?
- How might an attack occur?
- Where is our business vulnerable?
- How can we stop them?

To address these questions, it’s important to create a TACCP plan.

The Threat Assessment Critical Control Point or TACCP methodology should be used by food businesses as part of their general risk management processes. TACCP can also be used as a way of assessing risks systemically.

TACCP aims to:
- Decrease the odds of a deliberate attack;
- Decrease the impact of an attack;
- Protect the company’s reputation;
- Reassure the public, the media and especially customers that necessary steps have been taken to guarantee food protection;
- Surpass international expectations and provide support towards trading partners; and
- Show reasonable precautions are set in place in protecting food.

TACCP will accomplish this by:
- Identifying possible threats to the organization’s business;
- Studying the chances of an attack happening by considering the motives of the potential attacker, the vulnerabilities in a specific process, their capability as well as the numerous opportunities they have of carrying out the attack;
- Measuring the potential impact by considering a “what if they were successful?” scenario;
scoring the priority to be given to different threats based on impact and likelihood;
planning on setting the right type of barriers to hinder the attacker and provide early notification of an actual attack; and
- Ensuring information and intelligence systems are ready for possible revisions of priorities.

Though it is based on a structured and considered methodology, TACCP is not capable of stopping individuals or organizations who claimed to have adulterated the food. It is intended to be used as a Risk Assessment and Control Methodology.

TACCP Methodology and Steps
The following steps are integral elements of the TACCP Process:
1. Form the TACCP Team
2. Assess New Information
3. Identify and Assess Threats to your Organization
4. Identify and Assess threats to your Operation
5. Select Product
6. Identify and Assess Threats to your Product
7. Format a Flow Chart of Product Supply Chain
8. Identify Key Staff and Vulnerable Points
9. Consider the Impact of Threats Identified
10. Identify Critical Supply Points
11. Determine if Control Procedures Will Detect the Threat
12. Likelihood with Regards to Impact should be Prioritized
13. Identify Potential People Who Could Carry It Out
14. Decide and Implement Necessary Controls
15. Review and Revise
16. Monitor Horizon Scans and Emerging Risks
17. Repeat the Process.

1. Form the TACCP Team
The TACCP team should be composed of individuals from all parts of the food supply chain. A team can include those from security, human resources, research and development, process engineering, production and operation, purchasing, supplies, distribution, communications, and the marketing team. Small organizations may also use one individual to represent multiple or all roles necessary.

The team may also be composed of key suppliers and customers if needed as long as they are excluded from parts where sensitive information is being discussed.

2. Assess New Information
Evaluate any and all new information that could open up new ideas on improving a company’s defence against attackers.

3. Identify and Assess Threats to Your Organization
Identify individuals or groups that may be considered a threat to the company and carefully assess their motivations, determination, and capabilities.

4. Identify and Assess Threats to Your Operation
Identify individuals or groups that can become possible threats to specific operations.

5. Select Product
Choose a product that can represent a particular process. This could be a product from an especially vulnerable production line.

6. Identify and Assess Threats to Product
Identify individuals or groups that may want to attack the chosen product.

7. Format a Flow Chart of Product Supply Chain
Draw a flow chart for the chosen product from “farm to fork” which can also include domestic preparation. The flow chart should be visible at one time. Less transparent parts of the supply chain may need a subsidiary chart specially if the process is complex.

8. Identify Key Staff and Vulnerable Points
After creating the flow chart, examine each step of the process and identify vulnerabilities where a potential attacker might find success and the exact people who would have access.

9. Consider the Impact of Threats Identified
Identify any and all possible threats for a specific product at each step and assess the impact the process may have in reducing the chances of the threat occurring, For example, risk mitigation methods may include cleaning or the application of heat in the process may destroy the contaminant.

10. Identify Critical Supply Points
Choose the points in the process step where the threat would have the most impact and where it’s best detected.

11. Determine if the Control Procedures Will Detect the Threat
Check whether the routine control procedures within the process may be enough to detect the threat. For example, using routine laboratory testing to monitor key parameters.

12. Likelihood with Regards to Impact Should be Prioritized
Rate the likelihood or chances of the threat occurring, rate the impact it would have, then create a chart out of the results and prioritize those who have high scores on both likelihood and impact. These scores are subjective so revising should always be considered if the whole team agrees to an error has been made.

13. Identify Potential People Who Could Carry It Out
Check the people who have unsupervised access to the said product or process and assess their level of trustworthiness and whether that trust can be justified.

14. Decide and Implement Necessary Controls
Identify, confidentially record, and implement preventative measures or critical controls. The team should have a confidential recording and reporting procedure capable of allowing management to act on decisions but does not expose vulnerabilities to those without a need to know.

15. Review and Revise
Review of the final TACCP evaluation should be scheduled to occur after any alert or at least yearly, and during times when new threats emerge or when there are changes in good practice.

16. Monitor Horizon Scans and Emerging Risks
Display vigilance towards official and industry publications which can alert the team of changes that can become new threats especially local issues as they develop.

17. Repeat the Process
The TACCP process will likely cover sensitive information and could enable a potential attacker to successfully infiltrate the food supply chain if they ever get hold of such information. When forming the TACCP team, make sure each member is not only knowledgeable of the processes but also trustworthy and loyal with regards to keeping secrets.


The Vulnerability Assessment Critical Control Point or VACCP is the systemic management of risk through evaluation of different kinds of vulnerabilities in the food supply chain. A vulnerability is defined as a state of being that can lead into an incident, an exposure to risk. It’s like leaving a window open. An open window makes your house more vulnerable to a break in than if you close your window. The act of you closing the window is VACCP and the possibility of an attacker breaking your window to get inside is what TACCP covers.

The key difference is the likelihood to contaminate or adulterate food. TACCP protects food from attackers who would contaminate the food regardless of any deterrent while VACCP concerns itself from the individual’s inexperience with handling a specific food product such as accidental spoilage, or product spills which could contaminate other food products.

VACCP Methodology and Steps
The following steps are integral elements of the VACCP Process:
1. Form The VACCP Team
2. Pre-Screening
3. Product Flow
4. Vulnerability Assessment
5. Audit Strategy
6. Supplier Relationship
7. Potential Impacts Assessment
8. Overall Vulnerability Characterisation
9. Food Fraud Reduction

1. Form the VACCP Team
Since VACCP works hand in hand with HACCP, the HACCP team should provide a good start if forming for a VACCP team with the addition of required human resources.

2. Pre-Screening
After forming the VACCP team, they should gather information regarding potential sites for adulteration, mislabelling, or substitution of raw materials.

3. Product Flow

When the team has chosen a particular product, the next step would be to create a flowchart of how the product is handled from start to finish. It is important to be specific and to be as detailed as necessary since this will be the basis for the whole VACCP plan.

4. Vulnerability Assessment
Assess for potential weaknesses in the supply chain. When examining for vulnerabilities, it is important to note that the goal of the assessment is to examine the supply chain for potential weaknesses and not potential for fraud at the site. The team will need to consider:
- Information relating to each ingredient;
- Risks that are actually the same; and
- The nature of the raw material.

5. Audit Strategy

The auditor should look for evidence of systematic checking and the processes involved in ensuring information is converted into action as necessary.

6. Supplier Relationship
Knowing the suppliers in the food company will help determine the vulnerabilities involved in a certain raw material. The team should have someone who has access to supplier’s history of regulatory issues and has documents proving a supplier’s quality or safety issues.

7. Potential Impacts Assessment
Just like TACCP, assessing for impact is necessary in determining the order of priority withinn the relevant process. This step will also determine the amount of security or barriers needed at a certain point in the food supply chain.

8. Overall Vulnerability Characterisation
Once assessment of vulnerability and impact is done, it’s now important to judge whether the specific food or process is vulnerable to a point where it needs a security overhaul or if the safety protocols laid out prior to the VACCP meeting is sufficient to deter would-be attackers.

9. Food Fraud Reduction
A key part of the plan is to form appropriate controls or levels of action entirely based on the outcome of the vulnerability assessment.

In the case of raw materials, it’s important to inquire for certificates of analysis from suppliers. The tests involved must demonstrate the authenticity of the material and should be relevant to the risks identified. The company may also conduct their own raw material testing to see whether the test results provided by the supplier matches with the company’s own results.

Supply chain audits, mass balance exercises, and enhanced supplier approval and risk assessment may also be done to guarantee the material’s authenticity as well as ensuring the quality of each delivered sample conforms to what is within the range agreed upon by the VACCP team.

The general idea for VACCP is to look for weak links in the system that might be a cause of accidental food fraud. It is therefore important to form a team from multiple parts of the system and to have each one’s ideas be put to the table and assessed for level of priority and threat.

Commonalities between TACCP, VACCP, and HACCP
TACCP, VACCP, and HACCP are three important methodologies involved in the safety of food production systems. While each have their own specific function, they also share similar qualities, including:
- Team Assembly;
- Threat Assessment;
- Monitoring; and
- Auditing.

Team Assembly
All three methods require teams and all teams require a variety of members coming from possibly all major parts of the food supply chain. The only difference is that VACCP and TACCP may require the assistance of additional human resources particularly when developing solutions to attacks initiated by personnel.

Threat Assessment
HACCP deals with the possible physical, microbiological, and chemical contamination that could occur during the food supply process. Both TACCP and VACCP watch out for the same types of attacks with a special focus on human intervention.


Once the plans are set, it is the duty of the teams involved in all three plans to disseminate information and delegate official monitors in making sure all standards set are met and those that don’t are remedied immediately.

All three plans require some form of auditing activity to assess whether the barriers set in place are effective or if the company meets the standards required by the HACCP, VACCP or TACCP teams.

Additional Relevant Information
The following information is provided from other foodindustrycompliance.com Training Activities as the content is relevant to Food Security Management:

About Food Security Management
Security is a critical issue for every food industry sector. It is important to consider the potential for people to influence the safety or quality of a food product if the environment and conditions under which it is produced, handled, stored or transported are not appropriately controlled.

Food Security Management generally involves the control of potential deliberate contamination of foods by a variety of potential threats including biological, chemical and physical hazards. Deliberate contamination is a criminal action that involves wilful intent to inflict harm. The motivation for deliberate contamination often includes the ability to cause serious illness and deaths following consumption of adulterated product. This is aligned with the desire to cause economic damage whilst including inspiring fear among the public and loss of confidence in the safety of food supply.

Food security should always be considered as a separate element from food safety, though element of the two may be shared when applied to a food business. Food safety generally addresses the “unintentional” contamination of food products by biological, chemical or physical hazards. Because of the differences in applications for food safety and food security, a HACCP Plan should not be applied as a substitute for a food security plan; however, the HACCP methodology is commonly used as a risk assessment tool to define food security related risks.

Food Security Management may include the following aspects:
- Screening of staff members prior to beginning work at a food business;
- Using a system which allows tracking of staff movements;
- Video surveillance;
- Securing of the food premises, to ensure only authorised staff, visitors and contractors access specified areas;
- Using a visitor book to track the movements of visitors and contractors;
- Facilitating visitor and contractor screening and induction training.

It is important when initiating some of the above mentioned components, that the rights of staff, visitors and contractors are not compromised. The requirements of Privacy legislation are commonly used as a basis for the implementation of systems which track people’s movements, especially where the use of video surveillance is concerned.

You can find out more about the implementation of Food Security Programs within the Food Security Management element of foodindustrycompliance.com.

If your food business supplies foodstuffs manufactured to a customer’s specifications, it is important to consider any specific Food Defence Development requirements in relation to their items. 

The "General Content" pages within foodindustrycompliance.com include current and relevant information broken into the following elements: Develop, Document, Implement, Monitor, Corrective Action, Verify, Validate and Skills and Knowledge.

You can use the tabs provided at the top of the page body to navigate between these elements!

foodindustrycompliance.com is Your Food Quality, Food Safety and Food Risk Management resource! We encourage your participation in recommending content addition, updates and adjustment to ensure you access to the most current and relevant Food Safety and Quality information and resources available on the web. Please don’t hesitate to contact us with your suggestions.