In this article
Consumers should have confidence that their food is safe. The key responsibilities for all food businesses under the Food Safety Act 1990 are to ensure that:
- Businesses do not include anything in food, remove anything from food or treat food in any way which means it would be damaging to the health of people eating it.
- The food businesses serve or sell is of the nature, substance or quality which consumers would expect.
- The food is labelled, advertised and presented in a way that is not false or misleading.
As a rule, we can be confident that our food is safe, as risk management through HACCP (Hazard Analysis Critical Control Points) has long been established to manage food safety, controlling any potential hazards that may be found in food due to processing faults or human error. However, potential threats and vulnerabilities to the food industry, where food is deliberately tampered with and potentially contaminated for malicious reasons or for financial gain, have been increasing over the past few years and these are not specifically identified and mitigated through HACCP.
Notable examples of where food adulteration has taken place in the UK food industry include:
- The horsemeat scandal which hit the headlines in 2013. Burgers being sold in Tesco, Asda, Lidl, Aldi and Iceland were found to contain quite high levels of horsemeat and, in some cases, pork and other meats too. The suppliers were committing food fraud by substituting beef with cheaper meat for economic gain. Tesco’s market value slumped by €360m and sales of frozen burgers dropped by 43% as a result.
- In 2020, a farmer was found guilty at the Old Baily of contaminating baby food jars with shards of metal as part of a £1.5m blackmail plot. He began threatening Tesco in spring 2018, writing to his local store in Lincolnshire and warning them that unless they paid him £750,000 worth of bitcoin, an online currency that would allow him to remain anonymous, he would contaminate the food on their shelves. He demanded larger sums of money, telling Tesco that he would also contaminate jars with salmonella, white powder and knives. His activities had escalated, as a mum in Lockerbie discovered small knife fragments in the baby food that she was about to give her child. A nationwide product recall was issued and the public was kept safe due to the swift action taken by the supermarket, police and other agencies.
- In August 2021, three supermarkets in Fulham were closed after a man was found injecting items with an unknown chemical using a syringe. These stores were closed temporarily, and shoppers were instructed to throw away everything they had purchased.
As the total consumer expenditure on food, drink and catering in 2021 was £240bn and the value of food and drink exports in 2021 was £20.2bn, the food sector is a multibillion-pound industry, employing in the first quarter of 2022, 4.1m people, 13.4% of GB employment. It is therefore imperative that the sector has in place procedures which will identify potential threats and vulnerabilities and specify methods to counteract them, in order to protect consumers and the industry as a whole. Economically motivated adulteration and food fraud is the biggest threat to food safety and it costs the food industry £11bn a year in the UK alone.
TACCP and VACCP work together with HACCP to ensure safety throughout the food chain; both are designed to prevent the adulteration of food.
What is TACCP?
TACCP is the acronym for Threat Assessment and Critical Control Points. This is all about food defence and the focus is on food tampering, intentional adulteration or contamination of food. TACCP builds upon the existing processes of HACCP in ensuring the safety of food products. HACCP is about managing food safety hazards in the food chain; TACCP aims to protect food products from deliberate contamination with the intention to cause harm (behaviourally or ideologically motivated).
TACCP implementation involves thinking like a potential attacker and examines vulnerability, likelihood, opportunities and an appreciation that intentional contamination requires human intervention. TACCP helps to proactively identify and manage control points in the supply chain that can be at risk of intentional contamination.
What is VACCP?
VACCP is the acronym for Vulnerability Assessment and Critical Control Points. The focus is more on adulteration for financial gain in the supply chain.
- Product substitution.
- Bulking out with a cheaper ingredient.
- The sale of counterfeit or stolen goods.
VACCP is a special type of risk assessment that helps identify and control vulnerabilities in the food supply chain that can be exposed to economically motivated food fraud. Unlike HACCP, which identifies all the potential hazards that can enter food unintentionally, VACCP is concerned with preventing food fraud, which is the intentional contamination of food during its production. This is usually done for economically motivated reasons.
In a vulnerability assessment, a food business will look for vulnerabilities in its production processes and supply chain to work out the points at which food fraud can happen. This is useful because it makes it easier to complete a threat assessment and identify the specific kind of food fraud that can occur.
Food fraud occurs when food or drink is sold in a way that deliberately misleads or deceives consumers or customers for financial gain. Food crime interventions demonstrate the UK food safety authorities’ ability to receive, assess and respond to intelligence concerning food crime. The National Food Crime Unit focuses its work on seven types of food crime, including food fraud.
VACCP is concerned with preventing two of these:
- Adulteration – including a foreign substance which is not on the product’s label to lower costs or fake a higher quality.
- Substitution – replacing a food or ingredient with another substance that is similar but inferior.
What is the difference between TACCP and VACCP?
TACCP and VACCP look at specific potential adulteration opportunities within the supply chain. The difference between the two is:
- TACCP is concerned with the prevention of malicious threats to food, such as sabotage, extortion or terrorism.
- VACCP is concerned with the prevention of economically motivated food fraud.
How do TACCP and VACCP work?
Both TACCP and VACCP use the same risk management approach but there are subtle differences between the two. Threat Assessment and Critical Control Point (TACCP) helps food producers identify weak points in their supply chain and processing activities that may be open to intentional and malicious attacks. The TACCP protocol focuses on tampering, intentional adulteration of food and food defence. In most cases TACCP should be a team activity, as that is the best way to bring skills, especially people management skills, together. For many small businesses, the team approach is not practicable and it may be the job of one person.
The TACCP team can and should modify the TACCP process to best meet its needs and adapt it to other threats as necessary to deal with four underlining questions:
- Who might want to attack us?
- How might they do it?
- Where are we vulnerable?
- How can we stop them?
The aim is to minimise the chances of loss of life, ill health, financial loss and damage to business reputation that an attack could cause.
TACCP cannot stop individuals or organisations from claiming that they have contaminated food, but it can help judge whether that claim is likely to be true. Any such claim, if judged to be credible, and any actual incident should be treated as a crisis. The organisation needs to take steps to keep operations running and to inform those involved.
TACCP risk assessments might follow this process:
- Identify specific threats to the business.
- Assess the likelihood of an attack by considering the motivation of the prospective attacker, the vulnerability of the process, the opportunity and the capability they have of carrying out the attack and the certainty of information on which the assessment is based.
- Assess the potential impact by considering the consequences of a successful attack.
- Judge the priority to be given to different threats by comparing their likelihood and their potential impact.
- Prioritise threats based on risk, and communicating such a prioritisation across trading partners for shared risk acceptance.
- Decide upon proportionate controls needed to discourage the attacker and give early notification of an attack.
- Maintain information and intelligence systems to enable revision of priorities.
VACCP on the other hand aims to help protect businesses from the risk of food fraud that can cause serious food safety incidents, costly product recalls, business closure, and legal action. Fraud in the food industry is more prevalent than you might want to believe.
As it is, there are three main types of food fraud:
- Mislabelling – the most common mislabelled foods are olive oil, honey, coffee, alcohol, fish, orange juice, milk and saffron. Mislabelling can include stating a food is organic when it is not.
- Counterfeiting – ingredients and products with similar packaging, or the mixing of inferior ingredients to increase the volume of products; for example, counterfeit spices such as saffron, oregano or pepper are mixed with different materials.
- Dilution – the addition of ingredients such as sugars or sweeteners to honey or maple syrup to create a similar taste; adding volume to foods such as tea, coffee, flour etc.; and substituting ingredients for cheaper alternatives such as in the horsemeat scandal.
Conducting a VACCP risk assessment involves two main factors that will need to be addressed:
- Identifying the risk areas for each ingredient.
- Devising a plan to mitigate the risks.
There are seven main sources of food fraud that need to be considered for both ingredients and finished products within the VACCP. These include:
- Unapproved enhancements such as the use of unauthorised additives.
- Dilution – the reduction of premium grade products by dilution with lower quality materials.
- Substitution – declaring an ingredient(s) is made from a different source than specified.
- Mislabelling – incorrect expiry dates, country of origin or ingredient type or variety.
- Grey market production / theft / diversion.
There are typically four categories of potential attackers which need to be considered during TACCP and VACCP risk assessments:
- Outsiders – those individuals with no current contact with the business.
- Supply chain personnel – no direct contact with the business but have access to the wider supply chain with which the business interacts.
- Suppliers / Contractors – trusted status so will have direct contact and open access to areas of the business.
- Insiders – ongoing direct contact with the business as permanent / temporary / agency members of staff.
Controls to reduce and remove threats should be implemented in areas such as:
- Business systems.
- Distribution networks.
- Finished products.
- Raw materials.
You should conduct a full review if a new risk emerges; for example, whenever there are shortages in the market, food fraud incidents, or price increases. If none of these happen, you should review the plan annually, as a minimum. The key to the successful identification of new risks in this area is communication with procurement, who may hear about issues in advance of more public notifications.
The mitigation strategies that have been developed need to be collated and documented in a central TACCP / VACCP register. Document procedures and keep records for each assessment and references. The implementation process also provides an opportunity to test and challenge the TACCP and VACCP mitigation strategies to ensure that they work as intended in the real world.
Where would TACCP and VACCP be used?
TACCP and VACCP are employed by all types of food businesses as part of a systematic approach to risk management to address the issues of malicious attacks and food adulteration/fraud which will compromise food safety and product integrity. TACCP and VACCP should be used as part of a broader risk management process which includes HACCP.
TACCP and VACCP apply to all ingredients and all possible occurrences of food fraud or intentional food adulteration. Having identified the threats and quantified the significance of the threats to the business there needs to be an evaluation of who is likely to attack the business and where the attack could be introduced by understanding the impact of personnel, premises, processes, services, logistics and cybercrime. Controls should be implemented on raw materials, packaging, finished products, processes, premises, distribution networks and business systems to reduce and remove threats.
Why are TACCP and VACCP important?
Creating a food defence system based on TACCP and VACCP is not a strict legal requirement. However, the Food Safety Act 1990 requires all food businesses to produce food that will not cause harm, complies with food safety requirements, and is as the consumer expects. Taking steps to prevent food contamination is a key part of ensuring that this legislation is met.
TACCP and VACCP help food producers identify weak points in their supply chain and processing and/or retailing activities that may be open to intentional and malicious attacks or fraud.
Food and feed safety, including incidents, food poisoning, outbreaks, allergens and intolerances, recalls and risks associated with food crime are regulated by the Food Standards Agency (FSA) in England, Wales and Northern Ireland, and by Food Standards Scotland (FSS) in Scotland. These independent government departments work with local authorities to enforce food safety regulations and check that standards are being met.
The number of food safety incidents reported has increased; much of this is due to better ways of detection and increased voluntary reporting by food businesses and does not necessarily indicate a change in the food and feed safety profile of the UK. The types of incidents that are reported, however, provide an insight into the causes of incidents and the associated risks. This is an important reason why TACCP and VACCP risk assessments, mitigation planning and incident reporting need to be implemented.
What are the benefits of TACCP and VACCP?
Some of the benefits of a food business implementing TACCP and VACCP include that it:
- Demonstrates your commitment to food safety.
- Reduces the likelihood of a deliberate attack or fraud.
- Demonstrates that reasonable precautions are in place to protect the supply chain.
- Reassures stakeholders and customers that the organisation is appropriately managing the risks in the supply chain and demonstrates due diligence about the safety of your production and supply chain.
- Reduces the impact of an attack on your food business.
- Protects and enhances your brand and organisation’s reputation.
TACCP and VACCP are the best available defences against food fraud and contamination incidents. If employed correctly, both TACCP and VACCP help a business to minimise the chances of such an attack or to reduce the damage if an attack should occur. Together with HACCP they help you ensure the safety of your products from both intentional and unintentional contamination.