TACCP / VACCPThreat Assessment Critical Control Points / Vulnerability Assessment Critical Control Points

TACCP and VACCP are sister disciplines that emerged from PAS 96 (BSI) and were rapidly adopted by the GFSI-benchmarked schemes after the 2008 melamine-in-milk fraud and the 2013 European horsemeat scandal. They share methodology (structured assessment, scoring, mitigation, review) but address fundamentally different actor motivations:

• TACCP — Threat: someone deliberately wants to harm consumers, embarrass the brand, or extort the company. Motivation is ideological, criminal, political or psychological. Defence is access control, surveillance, supply-chain integrity, employee vetting, incident response.
• VACCP — Vulnerability: someone wants to make money by adulterating or misrepresenting food. Motivation is financial. Defence is supplier qualification, raw-material testing, mass-balance, authenticity testing (DNA, isotope, NIR), price-monitoring.

• FDA FSMA Intentional Adulteration rule (21 CFR Part 121) — TACCP-territory regulation, mandatory for most US food-processing facilities (excluding very small, certain animal-food, etc.). Requires identification of Key Activity Types (KATs), mitigation strategies, monitoring, corrective actions, verification, training, records and a written Food Defense Plan.
• FDA FSMA Preventive Controls (21 CFR Part 117) — includes economically motivated adulteration (EMA) as a hazard requiring a preventive control where it has the potential to cause illness or injury. Addresses the food-safety face of VACCP-style adulteration.
• GFSI-benchmarked schemes (BRCGS, SQF, FSSC 22000, IFS) all require documented TACCP and VACCP assessments, mitigations, and periodic review (annually at minimum).
• EU — no single horizontal regulation but Regulation (EU) 2017/625 on official controls and the EU Food Fraud Network coordinate cross-border investigations.
• UK — FSA's NFCU operates a national food-crime function; PAS 96 remains the practitioner reference.

1. Assemble the TACCP team — operations, security, HR, IT, QA, supply-chain.
2. Identify the threats — sabotage by current/former employee, tampering by consumer or visitor, malicious contamination, cyber-attack on process control, supply-chain interception, ideological or extortion attack.
3. Identify vulnerable points — receiving docks, storage tanks, mixing vessels, exposed conveyors, packaging lines pre-seal, warehouses, transport, retail.
4. Score each threat × vulnerable point — likelihood and impact, typically 1-5 scales with anchored definitions.
5. Design and implement mitigations — physical (locked vessels, CCTV, fencing, access cards, tamper-evident packaging), procedural (visitor escorts, two-person rule for sensitive vessels), and personnel (background checks, anti-fraud training).
6. Test the defences — table-top exercises, mock incidents, supplier penetration tests.
7. Review — minimum annually and on any significant change (new ingredient supplier, new line, security incident, regulatory change).
8. Maintain a Food Defense Plan (FSMA IA mandate; GFSI-acceptable artefact).

FDA's IA rule identifies four KATs where intentional adulteration would most plausibly cause wide-scale public-health harm. Each KAT must be evaluated at every covered facility:

• Bulk liquid receiving and loading — tankers, IBCs.
• Liquid storage and handling — silos, tanks, bulk hoppers.
• Secondary ingredient handling — large-quantity ingredient hold-add into a batch.
• Mixing and similar activities — high-throughput batch mixers, blenders.

For each KAT the facility documents the vulnerability assessment (using FDA's three elements: potential public-health impact, degree of physical access, ability to contaminate successfully), the actionable process steps, and the mitigation strategy. Mitigations must be implementable and verifiable.

1. Build the ingredient inventory — every raw material, packaging item and supplied service.
2. For each, identify potential adulterants based on history (e.g. melamine in dairy, methanol in olive oil, sudan dyes in spices, horse in beef).
3. Score vulnerability — economic incentive, supply-chain complexity, supplier history, geopolitical situation, ease of detection, historical incidents, market price volatility.
4. Use credible sources — RASFF (EU rapid-alert), HorizonScan, USP Food Fraud Database, NFCU, internal supplier-history.
5. Design mitigations — supplier audits, raw-material authenticity testing (DNA-PCR, stable-isotope, NIR/Raman fingerprinting), mass-balance reconciliation, price-anomaly monitoring, dual-sourcing for high-vulnerability raws, allergen-statement verification.
6. Verify and review — at least annually, and on any signal (price spike, RASFF alert, supplier change, geopolitical disruption).

Both assessments use likelihood × impact matrices, typically 5×5 with anchored definitions. The single most common audit finding is unanchored scales — "likelihood: medium" with no frequency definition, "impact: high" with no harm or financial definition. Use concrete anchors:

• Conflating TACCP and VACCP into one assessment — different threat actors, different defences.
• No FSMA IA Food Defense Plan despite being a covered facility.
• VACCP with no authenticity-testing programme — vulnerabilities scored but never verified.
• Annual review skipped after "no incidents" — incidents elsewhere in the industry still warrant review.
• No employee training on the food-defence programme.
• Risk-scoring scales unanchored; "medium" means whatever the assessor felt.
• Cyber-attack on process control omitted from TACCP — increasingly a top threat for MES/SCADA-controlled plants.