You are here: Home / Archives for audit

by

Food Safety Standards Compared (2022)

 

food vulnerability assessment

 

When it comes to food fraud, each food safety standard has slightly different food fraud requirements. For example, some standards require food businesses to include counterfeiting in their vulnerability assessments, while others don’t; some standards specify that vulnerability assessments must be performed on ingredients, while others state they should be done on finished products.

Confused? We are here to help.  Read on to find out which standards have what requirements, and get recommendations for creating a great food fraud prevention (VACCP) program.

Background

Food safety standards are standards that describe requirements for food and related businesses.  The requirements aim to ensure that food and food-related goods are safe for consumers and customers.  The correct term for such standards is food safety management systems standards (FSMS).

There are food safety standards for all types of operations within the food supply chain, including:

  • growing and packing fresh produce;
  • manufacture of food and food ingredients;
  • buying and selling food (“brokers”);
  • storage and transport of food;
  • manufacture or converting of packaging materials;
  • manufacture of animal feed or pet food;
  • services such as cleaning, laundry, or pest control for food businesses.

The over-arching aim of all food safety standards is to keep consumers safe, but most standards also have secondary aims. Some of the most popular food safety standards were developed by food retailing groups, and these standards were written to protecting the retailers’ brands as well as keeping consumers safe. Other standards were developed to help food businesses understand best practices and gain a way to demonstrate their excellence through independent certifications.  Some standards include quality parameters, while others only address food safety issues.

There are dozens of internationally accepted food safety management system standards, each with slightly different requirements.  This can make it difficult to know which standards are ‘better’ or more suitable for your food company.

To solve this problem, a standard for food safety standards was created by the GFSI (Global Food Safety Initiative).  The GFSI assesses and approves food safety standards using a process called benchmarking. The aim of GFSI benchmarking is to define best practice in food safety standards and provide a way to compare and align different food safety standards.

Among the dozens of food safety standards, some are benchmarked by the GFSI (Global Food Safety Initiative), while others are not.  Benchmarked standards usually have more requirements and more rigorous expectations than non-benchmarked standards.  The auditing and certification processes for benchmarked standards are typically more time-consuming and often more expensive than for non-benchmarked standards.

Food Fraud in Food Safety Standards

Food fraud prevention activities are an important part of all food safety management systems because food fraud can pose a risk to food safety.  Some food safety standards have separate, stand alone requirements for food fraud prevention activities, while others do not.  Standards that are GFSI-benchmarked all include explicit, separate food-fraud-related requirements. Other standards rely on the hazard analysis elements of the food safety system to identify and control hazards from food fraud.

The GFSI requires all benchmarked standards to require food companies to do a vulnerability assessment for food fraud and create a mitigation plan for food fraud prevention.  Most GFSI-benchmarked standards also include details about which materials should be assessed and which types of food fraud need to be managed.

Non-GFSI standards vary in how they require a food company to approach food fraud.  Some specify or recommend a VACCP program, which is based on food fraud vulnerability assessment activities. Others, like AIB, require that food fraud risks be considered in the supplier approvals processes.  The regulations of the USA Food Safety Modernization Act (FSMA) require that food businesses identify hazards from economically motivated adulteration type food fraud and implement preventive controls to minimise the risks.

Among the most well-known standards there are some notable differences. For example, the SQF Food Safety Code requires food businesses to assess and manage risks from counterfeit-type food fraud, while the BRC Food Safety Standard only requires businesses to assess the risks from adulteration or substitution activities. BRC requires horizon scanning activities, while the SQF and IFS standards explicitly mention food fraud training.

Below you will find a table that compares the current food fraud requirements of each of the major food safety standards.

Table 1.  Food fraud requirements of major food safety standards, 2022. 

Click here to open or download a pdf version of this table

  AIB* BRC* FSSC* GlobalGAP* IFS* SQF*
Food types to include in food fraud prevention activities Ingredients (implied)

 

 

 Raw materials

 

 

 Products and processes

 

 

 Unclear

 

 

 Raw materials,

ingredients,

packaging,

outsourced processes

 Raw materials,

Ingredients,

finished products

 
Food fraud types

 

 

 

 Economically motivated adulteration (only)

 

 

 Adulteration,

substitution

(only)

 

 

 Any type where consumer health is at risk (in definition, Appendix A)

 

 Unclear, however counterfeit or non-foodgrade packaging or propagation materials are included as examples

 

 Substitution, mislabelling, adulteration, counterfeiting

 

 

 Substitution, mislabelling, dilution, counterfeiting

 

 
Vulnerability assessments explicitly required? Risk assessment (implied, Appendix A) Yes Yes Risk assessment Yes Implied (Edition 9)
Mitigation plan required?

 

 

 Mitigation activities are to be included in the vulnerability assessment Yes Yes Yes Yes
Does packaging need to be included in the vulnerability assessment? Yes

(implied)

 

 Yes

(see 3.5.1.1)

 

 Yes

(as per food fraud definition, Appendix A)

 Yes

 

 

 Yes

 

 

 Implied

(primary packaging is a ‘raw material’)
Is a separate food fraud procedure explicitly required? Yes Implied

(“responsibilities shall be defined”)

 Implied

(“methods and responsibilities shall be documented”)
Is training in food fraud explicitly mentioned? Implied

(Clause 5.4.1)

 Yes

(Clause 3.3.4)

 Yes
Is an annual review explicitly required? Yes Yes Yes
Other

 

 

 Horizon scanning for developing threats must be done (Clause 5.4.1) Criteria for vulnerability assessments must be defined

(4.20.2)

 Food safety risks from food fraud must be specified (2.7.2.2)

*  The full names of the standards are as follows:

AIB International Consolidated Standards for Inspection of Prerequisite and Food Safety Programs, 2023 (NEW!)

BRCGS Food Safety, Issue 9 (NEW!)

FSSC 22000, Version 5.1

GlobalG.A.P. Integrated Farm Assurance (IFA), Version 5.4-1

IFS Food, Version 7

SQF Food Safety Code, Edition 9

Takeaways

Among the major food safety management system standards, there are small but significant differences between food fraud prevention requirements.  Key differences include whether finished products or ingredients are to be assessed, which types of food fraud must be included and the presence/absence of requirements related to horizon scanning and training.

If that all seems confusing, don’t despair…

Recommendations for a robust and compliant food fraud prevention program (VACCP)

At Food Fraud Advisors we have been working at the intersection of food fraud and food safety since the very beginning!  Creating a robust and compliant food fraud program can take time and effort but it isn’t complicated.  Follow the steps below to get started:

  1. Carefully read the food fraud clauses of the standard you are/will be certified to.
  2. Pay attention to the food types and the food fraud types that are mentioned in your standard. HINT: you may need to check the definitions or glossary.
  3. Create a robust vulnerability assessment (here’s how) and a mitigation plan for identified vulnerabilities.
  4. Whether or not it is explicitly required in your standard, we recommend you create a food fraud prevention procedure that defines the methods, responsibilities and criteria for food fraud prevention.
  5. You should also conduct training for all relevant staff and ensure that the food fraud system is reviewed at least annually.

Get a complete guide to the food fraud requirements of all the major food safety standards from us, the food fraud experts, here.

by

Vulnerability Assessments

What is a vulnerability assessment?

 

A vulnerability assessment is a risk-assessment-style evaluation of a food’s vulnerability to food fraud.

A food fraud vulnerability assessment is a documented assessment that identifies vulnerabilities to food fraud and explains how those vulnerabilities were identified.

Vulnerability assessments are also done to assess the threat of a malicious attack on food.  Malicious attacks include attacks conducted for extortion, ideological reasons or terrorism. We call these issues of food defense. To learn more about vulnerability assessments for food defense (intentional adulteration), click here.

Why ‘vulnerability’ and not ‘risk’? 

 

  • A risk is something that has occurred before and will occur again. A risk can be quantified using existing data.
  • A vulnerability is a weakness that can be exploited.  A vulnerability can lead to a risk.

Food fraud is difficult to estimate and quantify, so we use the word vulnerability rather than risk.

Why do a vulnerability assessment?

 

  1. To protect consumers: Food that is vulnerable to food fraud presents significant risks to consumers.  Food that is adulterated or diluted   [Read more…]

by

HACCP, VACCP and TACCP

  1. HACCP (Hazard Analysis Critical Control Point)  Pronounced ‘hassup’.  HACCP = keeping food safe from accidental and natural risks to food safety.
  2. VACCP (Vulnerability Assessment Critical Control Point) Pronounced ‘vassup’.  VACCP = prevention of economically motivated food fraud.
  3. TACCP (Threat Assessment Critical Control Point) Pronounced ‘tassup’.  TACCP = prevention of malicious threats to food, such as sabotage, extortion or terrorism.  This type of malicious threat is also referred to as Intentional Adulteration within the US Food Safety Modernization Act.  Outside of the US, TACCP is more often called ‘food defense’.

HACCP

  • HACCP is a set of principles designed to control and prevent food safety risks during food production.
  • HACCP is not enforced or regulated by any single organization.
  • The ideas of HACCP form the basis of every food safety management system standard that is in use today, including GFSI food safety standards.
  • The principles of HACCP are codified (written down) by the Food and Agriculture Organization of the United Nations (FAO), in a set of documents called the Codex Alimentarius , a latin phrase which translates to “Book of Food”.
  • FAO’s General Principles of Food Hygiene CXC 1-1969 contains the HACCP principles (sometimes called HACCP Codex).  Download the 2020 revision of the HACCP Code here: http://www.fao.org/fao-who-codexalimentarius/codex-texts/codes-of-practice/ (click the green check/tick mark on the right side of the page to download).

VACCP and TACCP

  • VACCP and TACCP are terms that emerged during the 2010s as standards agencies, government regulators and industry groups started considering methods to prevent food fraud and malicious tampering.
  • VACCP is for food fraud.
  • TACCP is for food defense.
  • The acronymns VACCP and TACCP are designed to leverage the food industry’s familiarity with HACCP.  However, the critical control ‘points’ in a VACCP and TACCP plan are nothing like the ‘critical control points’ in a HACCP plan.
  • The control points in a HACCP plan are operational steps in a food manufacturing process.  The points are connected to processes over which the food manufacturer can exercise direct control.
  • For deliberate tampering (food fraud and food defense) the controls do not fit onto a linear set of processes, they do not fit the definition of ‘critical control points’ in HACCP.
  • The terms VACCP and TACCP are falling out of favor within the food safety industry.  They are not referenced specifically within any of the GFSI food safety standards, nor within the USA’s FSMA.
  • Instead of ‘”VACCP” and “TACCP”, it is much better to say “Vulnerabilities to food fraud” or “threats of malicious tampering (=food defense)”.

More acronyms demystified here.

Take a free short course on food fraud here.

food safety food fraud

by

Food Fraud Online Training Course

Food fraud requirements of BRC, SQF, FSSC and other food safety standards

How to meet the food fraud prevention requirements of major food safety standards

This course will make audit preparation a breeze.  It contains step-by-step instructions, worked examples and downloadable templates to help you meet the food fraud requirements of all major food safety standards.

sqf edition 8 food fraud

 

  • Learn about food fraud and how it can put your brand and your consumers at risk
  • Hear food fraud stories that will surprise you and learn ways to protect your business
  • Get step-by-step instructions for food fraud vulnerability assessments and food fraud mitigation plans, using real life examples
  • Download templates for vulnerability assessments, mitigation plans and food fraud prevention procedures
  • Proceed at your own pace; skip forward and back through the lessons, start and stop at your convenience*

The content is a mix of written words and short video clips, plus downloadable worked examples.

Ask the trainer a question at any time.

What’s included?

  • Food Fraud Commonly Affected Foods Ebook
  • Food Fraud Vulnerability Assessment template
  • Food Fraud Prevention Procedure template
  • Food Fraud Mitigation Plan template
  • Vulnerability assessment document – worked example
  • Raw Material Specification template
  • Food Fraud Team Job Descriptions
  • Top tips for audit preparation
  • Special 40% discount code for use on www.foodfraudadvisors.com
  • Optional exam and Certificate of Competency

Duration: 3.5 hours

Visit our training academy today

* course is available for 6 months after commencement

by

Beyond vulnerability assessments

How to verify a food defense plan

The USA FSMA Intentional Adulteration Rule deadline is fast approaching, with implementation required by 26th July.  Food defense plans are our most requested service this month, and not just for companies in the United States.  Businesses that export to the US are also affected.

The Intentional Adulteration (IA) rule

The Intentional Adulteration (IA) rule requires food businesses to identify vulnerable parts of their food manufacturing processes, implement strategies to reduce the vulnerabilities and monitor and verify that those strategies are working.  As part of the verification processes, some experts are recommending that food businesses challenge their food defense system on a regular basis.  Food safety management system standards, including SQF Edition 8, also require that manufacturing facilities challenge their food defense system.  What exactly does it mean to ‘challenge’ a food defense system, and how is that different to monitoring and verification of the system?

Monitoring vs verification vs challenge testing

Monitoring, verification and challenge testing are different, but the terminology can be confusing when used with food defense plans.  Some commentators and trainers are using the three words almost interchangeably; however, the three words actually refer to different elements of a food defense plan.

Monitoring means, at its most basic level, to check that procedures are being followed and that processes are happening as they should.  The checking process must be documented.  So, the act of monitoring is documenting in real time the actions taken to follow a given procedure or the measured outputs of a specific process.

Within a food safety plan, an example of monitoring would be checking the internal temperature of three pies from each batch after a cooling step and recording the temperature on a form.  Within a food defense system, a mitigation strategy might be the implementation of a procedure to lock all external doors, or to leave all external doors locked.  For this procedure, the monitoring activity could be a once-per-shift process of checking and recording the lock/unlock status of each door.

Verification is the process of making sure that monitoring has been done properly.  When cooling pies, for example, verification could include a once-per-shift check by a supervisor or manager that the cooled pie temperatures are being recorded AND that appropriate action has been taken if the temperature has exceeded critical limits.  Verification also includes internal audits; the internal auditor checks that the managers have been signing off the monitoring records, that the records are complete and available for all shifts and that corrective actions have been properly recorded.

In our food defense example, verification could include a check of the door lock monitoring records by a manager or supervisor.  The manager would review the records to see that they were completed on time, at the correct frequency and that any deviations, such as a broken lock, have been identified and actioned correctly.  Verification of door lock status could also be included in a weekly plant walk-through by a manager.  Internal audits would check that all these activities were being done and recorded properly.

Challenge testing is real-world scenario testing of a system’s efficacy.  A challenge test aims to validate whether procedures are effective when implemented as expected, as well as highlighting any failures in implementation.  A challenge test is different to a verification process because it would usually test the implementation and effectiveness of many food defense mitigation strategies rather than focussing on one element such as door locks.

What is the weakest link in your food defense plan?

 

How to conduct a food defense challenge

  1. Decide on a challenge action. For example, a common food defense challenge test is a penetration test, in which an unauthorised person attempts to gain access to a sensitive area.
  2. Create a food defense challenge report. In the report document exactly what you plan to do in the challenge test.  Include what, when, how, who and next steps.

For example: A person unknown to staff (Ms Jane Doe, of Acme Services) will attempt to get from the main reception area into ingredient weighing area A.  She will be wearing a business suit covered by a lab coat.  Once there, she will remain for up to twenty minutes unless challenged by an employee.  She will then leave.

If the intruder is challenged, she will claim to be a new food safety consultant/pest control account manager/new human resources manager and attempt to remain in the area.

  1. Include written contingency plans in case of escalation, for example, what will be done if police are called.
  2. Get approval for the plan from senior management.
  3. In the report record the following:
    • Name of Senior manager who has signed off on this plan.
    • Names of people who have been informed of the challenge test
    • Names of people who will be working in the affected areas at the time of the challenge, have they been trained in food defense?
    • A description of what staff are supposed to do in this scenario; what procedures should be followed.
  4. Define and document the criteria for failure and success; what will happen if the food defense procedures are working 100% correctly; what will happen if the food defense procedures are working only partially; and finally, how might the scenario progress if there is a complete fail of procedures and systems?

For example, if the ‘intruder’ is able to remain in the ingredient weighing area for 20 minutes without being challenged by an employee this could be considered a complete fail of the food defense system.  If the intruder is challenged but can convince the employee to allow them to remain in the area unattended, this could be considered a partial fail; if the employee chooses to remain with the intruder to ‘keep an eye on them’ this could be considered a better outcome than leaving the intruder unattended.

  1. Run the challenge. Have a trusted staff member observe from a discreet distance.
  2. Describe in the report what happened.
  3. Convene a meeting of the food defense team and analyse the results of the challenge test.
  4. Perform root cause analyses and raise corrective action/s for any failures in the system.
  5. Close out corrective action/s
  6. Take action to prevent a scenario like this from reoccurring, based on the root cause analyses.

Learn more about food defense

Register your interest in learning more about food defense by entering your email address in the box below.

We will never supply your email address to anyone without your written permission. View our privacy policy.