Professional Documents
Culture Documents
VULNERABILITY FOR
FOOD INTEGRITY
ADELE ADAMS & KASSY MARSH
ASSESSING ERROR VULNERABILITY
FOR
FOOD INTEGRITY
ADELE ADAMS & KASSY MARSH
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | i
Assessing Error Vulnerability for Food Integrity
Adele Adams & Kassy Marsh
All reasonable care has been taken in the compilation, preparation and issue of this publication,
but it is provided without liability in its application and use. The information contained in this
publication must not be reproduced without the permission of the publishers.
ii | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Preface
The issue of food integrity is one of legal and moral obligation to the consumer and is
becoming increasingly important to brand protection within the food industry. As a
consequence, the need for a systematic approach to the task of identifying, assessing
and managing the errors that may compromise the integrity of the product is required.
Product integrity is a basic expectation of all consumers when purchasing food. If the packaging makes a claim, then
the consumer clearly expects the food inside the pack to meet that claim.
Ensuring that claims on pack are adhered to has always been a legal requirement, however the industry is having
to move with the times and not only meet the legal requirements but also adhere to their moral obligation to the
consumer.
The horsemeat scandal was a turning point for the food industry. It highlighted the vulnerability to fraud in the
supply chain, and also raised awareness of the impact of cross-contamination within the manufacturing process,
which could put the integrity of the product at risk.
It is essential to brand integrity to ensure that food manufacturers take an ethical approach to ensuring that claims
on pack are adhered to. The legal requirement is no longer the only obligation, but it is key to consider what the
consumer would think or feel if they were to understand how the product was processed.
The integrity of the product may be compromised by quality or legal issues, rather than just food safety hazards,
therefore the typical HACCP style assessment is not applicable. The current threat assessment methodology is also
not suitable, as compromise to a product integrity tends to be due to errors within the manufacturing process and
therefore is not a deliberate act.
A new methodology, to assess the vulnerability of these errors occurring and the subsequent compromise of product
integrity, is therefore required.
This book takes the pioneering methodology from the previous publication “Assessing Threat Vulnerability for Food
Defence” and builds on it, to provide an approach to assessing the errors that may occur during the manufacturing
process, which may compromise the integrity of the product.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | iii
iv | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Executive Summary
The current risk assessment systems that are available, such as HACCP or a threat
and vulnerability assessment, do not meet the needs of assessing error vulnerability
for food integrity. The intention of the authors is to provide a detailed and robust
methodology for the assessment of error vulnerabilities, which meets the requirements
of standards such as British Retail Consortium (BRC Global Standard for Food Safety)
and customer codes of practise.
This publication describes how an error vulnerability assessment can be applied to all areas of the manufacturing
process and additional business processes such as new product development, which may cause product integrity
errors.
The methodology meets and also exceeds the current requirement in some standards such as British Retail
Consortium (BRC), where the requirement for an error assessment is purely limited to cross-contamination or loss of
identity of products such as organic or Halal.
The methodology meets the requirements laid out in more detailed customer codes of practise that require a much
wider and more detailed assessment to be completed.
As with the previous publication “Assessing Threat Vulnerability for Food Defence”, the methodology defined within
this publication is based, wherever possible, on the well accepted Codex Alimentarius HACCP approach (2003), this
publication assumes that the reader has a working knowledge of this. Although not an exact fit, most of the steps
from the Codex 12 step logic sequence are applicable. The authors take time to explain where a direct match can or
cannot be found. Drawing parallels with HACCP lessens the need to absorb and understand unfamiliar techniques
and should help to increase the speed of implementation.
Although the asset being protected is the same within HACCP and within an error vulnerability study, i.e. the
consumer (and the consequential impact on the business), the risks are different, although some overlap exists
around those that could cause harm. This publication discusses potential types of errors which may compromise the
integrity of the product, based on the claims that are made on the pack.
The scored risk assessment methodology has been pioneered by the authors and much consideration, trial and
error has gone into its development. It was the authors opinion that the typical two by two scoring matrix required
development, as this does not take into consideration the likelihood of the event occurring and so, the likelihood of
the event causing contamination of the finished product. For integrity assessment, splitting out the error and the
event, to give an overall vulnerability, provides a much more robust approach.
It is feasible, as risk assessment methodology develops, that vulnerability will become a more recognised term,
superseding ‘likelihood’ and providing a more structured approach that could be applied to other risk assessment
methods such as HACCP.
This publication includes the use of a unique decision tree to aid the objective identification of, what the authors
have termed, ‘vulnerable error points’ (VEPs). Existing terminology and definitions have been amended by the
authors to accommodate the differences between HACCP and error vulnerability assessment requirements.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | v
vi | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Contents
Page
Preface iii
Executive Summary v
New Concepts ix
Glossary x
HACCP and Error Vulnerability Assessment 1
The Stages Involved in Carrying Out an Error Vulnerability Study 3
CHAPTER 1: PREPARATION STAGES OF AN ERROR VULNERABILITY STUDY 5
Obtain Senior Management Commitment 6
Define the Scope of the Study 8
1 Structure and start and end points 8
2
Processes covered 8
3
Defining the asset 9
4
Types of claims 10
5
Categorisation of claims 11
6
Describing the product 12
7 Reference documentation, guidance and legislation 12
Select the Team 14
Construct the Process Flow Diagram 17
On-site Confirmation of Process Flow Diagram 20
Describe the Process 21
Prerequisite Programmes 23
Protection Measures 25
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | vii
Documenting the Assessment 60
References 94
About the Authors 95
viii | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
New Concepts
This publication introduces a number of new concepts for assessing error
vulnerability, which are summarised below. These concepts should enable
manufacturers to carry out and implement robust and structured assessments
and management systems for product integrity.
Protection measures
The widely accepted terminology of ‘control measure’ is not suitable for use within an error vulnerability assessment
as some errors may only be detected and cannot be controlled. The term ‘protection measure’ has been introduced
and defined to accommodate this key difference.
Decision tree
The unique decision tree included in this publication provides an objective and consistent way of identifying how
significant risks should be managed. The tree includes multiple management options including management via
prerequisites, through a risk register, via an existing CCP or by the creation of a VEP.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | ix
Glossary
Asset The entity requiring protection
Product integrity A product that has been produced honestly, following strong moral
principles
Protection measure - critical limits A value used to define acceptability for the protection measure
and one that can be validated
Vulnerable Error Point (VEP) A point in the process where protection is essential in order to
detect, prevent or reduce an error to an acceptable level
Vulnerability How exposed the business is to the error occurring and having an
impact on the consumer
x | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
HACCP and Error Vulnerability
Assessment
There are many parallels between the methodology used within HACCP and that
which is described in this text for carrying out an error vulnerability assessment.
This familiarity is beneficial as HACCP is so widely used and, in most cases, clearly
understood by the food industry, avoiding the need to reinvent the wheel.
The similarities between HACCP and an error vulnerability assessment, as described in this publication,
can include:
• Both systems require a structured and systematic approach to gain the preventative benefits and effective
risk reduction
• Both systems require genuine management commitment to enable their effective design, implementation
and maintenance. The key resources required, such as key people, time and training are common between
both systems. Both studies have the potential to highlight necessary capital spend, it is simply the focus of
this spend which differs
• The use of a team is fundamental to both systems in ensuring that the required expertise is utilised, however,
the type of expertise required will differ
• Effective prerequisite programmes are vital in both systems. The purpose of prerequisite programmes
remains the same, i.e. to manage general hazards (errors) not specific to a process step. However, the pertinent
prerequisite programmes required will differ, with systems such as new product development taking more of a
priority within an error vulnerability assessment
• A detailed and accurate flow diagram is required in both systems to provide structure to the risk assessment
stage. The flow diagram within an error vulnerability study may, depending on the defined scope, include
additional business processes such as new product development. Flow diagrams in both studies must be
confirmed and signed off as being an accurate representation
• The risk assessment element also has commonalities between both systems in such that it needs a consistent
approach based on valid methodology. Within an error vulnerability study the risk assessment element
is multi–dimensional, rather than the typically simplistic severity and likelihood approach used within current
HACCP studies. Due to this increased complexity a numerical system is also useful
• The options for control measures have parallels between the two systems, i.e. prerequisite systems and CCPs
in HACCP and prerequisites and VEPs (Vulnerable Error Points) in an error vulnerability study. VEPs are the
food integrity equivalent of CCPs, i.e. points in the process where protection is essential in order to prevent or
reduce a vulnerability to an acceptable level. The term VEP is unique to this publication
• HACCP clearly defines control measures as actions or activities used to prevent or eliminate a food safety hazard
or reduce it to an acceptable level (Codex Alimentarius HACCP approach, 2003). This definition is not an exact
match within an error vulnerability assessment as some errors may not have a robust control measure and
may need to rely on a testing or checking for detection. Including tests or checks (which are monitoring
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 1
activities and not controls) as control measures is not accepted within HACCP and would upset many purists
• Both systems utilise a decision tree to aid the objective and consistent identification of CCPs/VEPs. Within this
publication a unique decision tree has been created for the identification of VEPs or alternative options to
manage the integrity errors such as a risk register, existing CCP or a prerequisite programme
• Due to their similarity, the management of the VEPs again has many elements in common with the
established methodology for managing CCPs and can be documented in a similar format which is shown in
later worked examples
• Validation remains an essential part of both systems and is itself attracting more emphasis in current HACCP
systems. Both systems require validation, however within an error vulnerability assessment subjective
‘criteria’ are justified as opposed to validated, as validation requires an objective value
• The need for effective verification and review clearly applies to both systems with either system easily being
rendered ineffective if neglected. The type of evidence gathered to verify each system will differ but the need
for evidence of compliance remains the same. Within an error vulnerability assessment, verification activities
rely more heavily on auditing. Instances or changes prompting review may be common to both systems or
unique to either but the need to assess the potential impact of the change on the validity of the systems
remains vital
• Much of the typical documentation formats for existing HACCP systems can also be used for an error
vulnerability assessment. Using familiar formats can aid understanding of the system
It is therefore evident that much of the existing HACCP methodology can be utilised within an error vulnerability
assessment. However, this is not a perfect fit and the following differences should be noted.
Areas where HACCP and an error vulnerability assessment can differ include:
• The identification of the intended use and user of the product has much less relevance with an error
vulnerability assessment. A HACCP study should already consider known instances of misuse by the
consumer or customer, such as incorrect microwave heating. However when assessing food integrity, the errors
which may occur during production, are not influenced by the use of the customer or consumer
• The term ‘control measure’ is not directly applicable within an error vulnerability assessment, this can be
better replaced with the more relevant term of ‘protection measure’. A ‘protection measure’ is defined as ‘an
action, activity or monitoring technique designed to prevent, detect or reduce an error to an acceptable level’.
This change in terminology reflects the fact that many significant risks from errors cannot be ‘controlled’, i.e.
prevented, eliminated or reduced to an acceptable level. Some can only be detected by testing or checking
• Where possible the criteria used around protection measures should include objective and measurable critical
limits. This is possible with, for example, detection methods such as rapid species testing. However, there will
be other protection measures which contribute to a reduction in vulnerability but which are a more subjective
way of assessing if the error has occurred, such as a visual check of printed packaging. To highlight this difference
this publication utilises two terms to describe values used to define protection measures, these being ‘critical
limits’ and ‘criteria’. Protection measures which can detect an error will have ‘critical limits’ and therefore will
require validation. Protection measures which provide additional control but are not an absolute
will have defined ‘criteria’ that will need justification
• The description of the product is essential in both HACCP and an error vulnerability assessment, although the
type of description is different. HACCP looks at describing the food safety elements of the product, whereas
error vulnerability must describe the integrity of the product, through the types of claim that are made.
2 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
The Stages Involved in Carrying
Out an Error Vulnerability Study
Define the
Describe the process
protection measures
Implement management
techniques
Validation or justification
& verification of VEPs
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 3
CHAPTER 1
PREPARATION STAGES OF AN
ERROR VULNERABILITY STUDY
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 5
Obtain Senior Management
Commitment
The need for management and workforce commitment applies equally to assessing
errors to product integrity claims as it does to any other management system such
as HACCP. The key resources required are also likely to be similar, primarily being key
people and time, both of which can be in great demand in many food businesses.
Without genuine management commitment, the error vulnerability assessment is in danger of being a
purely paper exercise to satisfy requirements with little or no impact on risk reduction. As with HACCP, gaining full
attendance at regular meetings can be a challenge. However, the need for multi-disciplinary input and expertise
when carrying out an error vulnerability assessment is just as vital, and exposes the system to the same potential
flaws if not achieved.
Along with the resources of people and time, the study may also highlight the need for capital expenditure such as
increasing storage space to allow for improved segregation or the purchase of sole use equipment to reduce the risk
of cross-contamination, if identified as necessary. Any capital expenditure will also clearly need the budget holders to
understand the rationale and be willing to release the required spend.
A product integrity management system cannot function with just management commitment alone. For successful
risk reduction the workforce also need to be on board. In fact, many of the key controls rely on personnel to control
the steps where product integrity could be compromised.
As with HACCP, the findings, results and failures of the product integrity management system should be
communicated back to senior management and other interested parties, to ensure that they remain aware of the
effectiveness of the system. A member of the senior management team may well be part of the product integrity
assessment team.
Ongoing resources will also be required to ensure the system remains effective. This may include refresher training for
the team, resource of time or spend for updating activities or the implementation of additional protection measures.
It will be the responsibility of senior management to regularly review and maintain the risk register, which will contain
known potential product integrity errors currently beyond the control of the organisation. Discussion of product
integrity errors on the risk register should become part of the regular dialogue of the business and incorporated
into established meetings and communication channels. This has been the case for many years for topics such as
health and safety. It has taken most of the industry some time to achieve the same for food safety so raising product
integrity issues to the same level may pose another challenge.
6 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Key points
• Management commitment is vital in ensuring that the system is taken seriously within the business
and the required resources are released
• The main resources required will be people and their time, training, access to information
and perhaps an increased spend on areas such as segregation techniques, where necessary
• The workforce must also be engaged and committed as they will be vital in the effectiveness of the
protection measures
• The commitment of both the management team and workforce must be maintained over time to
allow the system to remain valid and supported
• Management will need to take responsibility for the regular review of the risk register, where
potential integrity errors which cannot currently be controlled are managed
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 7
Define the Scope of the Study
Agreeing and defining the scope and terms of reference of the study requires
careful consideration, as a product integrity assessment needs to encompass a wider
scope than typically defined within a HACCP system, i.e. it is broader than solely the
manufacturing process.
The scope and terms of reference of a product integrity assessment can potentially be very broad. Whichever way the
business decides to define the scope of their assessment, the important point is to ensure that the scope is agreed,
documented and followed.
The scope and terms of reference may include, but is not limited to the following:
1 Defining the start and end points of the study
2 Defining the processes covered
3 Defining the asset
4 Types of claims made within the current product range
5 Categorisation of claims
6 Describing the product
7 Reference documentation, guidance and legislation
As with HACCP, the structure of the system should also be agreed and documented. A linear approach is simplest
and helps to ensure that the system is viewed and considered in its entirety. A modular approach may be useful for
larger companies with more complex business systems. Processes such as new product development or artwork
generation could be classed as individual modules.
The start and end points of the study also require careful consideration. This will again differ from the HACCP
approach where generally only steps under the direct control of the business are included with typical start and end
points of intake and dispatch. As many of the errors considered within an error vulnerability assessment may come
from the processes such as new product development or procurement, so the starting point clearly needs to be
much further back than intake. The final stage to be considered could be defined as the point in which the product
is packed or labelled, as at this point the product integrity is complete.
2 Processes covered
From the outset, the team must be clear about which business processes will be covered by the study. There is much
flexibility here and different businesses will take their own approach to suit their specific needs. Currently many of
the recent changes in industry standards, such as the BRC Global Standard Food Safety, have focused their attention
predominantly, or exclusively, on the cross-contamination or loss of identity from the manufacturing process,
8 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
however customer standards may expect a wider scope.
• Include all stages in the internal product flow, inputs such as new product development, procurement,
artwork generation and follow the entire process through to the point in which it is packed or labelled
• Consider the integrity errors of just the product flow, from raw material intake up to the point at which the
product is packed or labelled
• Only consider the cross-contamination or loss of identity errors at specific points in the manufacturing process in
isolation, as currently required by the BRC Global Standard for Food Safety
• If the nature of the process affects the potential vulnerability. For example a process involving lots
of manual checks versus a process which is automated, such as a bar code reader
• Where the production process is the same but the type of equipment is different, meaning that the cross
contamination risks are different
In addition to the examples given above, potentially there will be a broad spectrum of differences when assessing
the use of raw materials, manufacturing and packing processes.
Potentially many business processes can be included within the scope, this being clearly wider than just the intake,
manufacturing and storage elements as considered within a typical HACCP study. The scope of an error vulnerability
assessment can also include business processes such as artwork generation and raw material sourcing. The following
list provides some suggestions for inclusion. This is not an exhaustive list and all or many areas may not be applicable
to or required by, all businesses.
• Activities such as specification and pack copy generation, artwork sign off and first print run approvals
A multi-site business may carry out a study which covers various production sites; however it must be remembered
that local differences, such as the management of PRPs or equipment specifics, must be taken into account at a local
level.
Before progressing, the team must first be very clear about exactly which asset they are trying to protect. A system
to assess product integrity errors clearly has the product as its focus and objective. Therefore the scope and terms of
reference can be initially defined as errors that could impact the integrity of product claims. It must be remembered
that the fundamental asset we are trying to protect is the consumer. A food integrity system clearly needs to have
the product at its centre, however, ultimately this is in order to protect the consumer from harm, upset or repulsion/
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 9
disgust.
The impact on the consumer must be a key consideration as any loss or harm to the business is generally due to the
effect that it has on the consumer. As the team are considering compromises to product integrity it is valid to assume
that any false or dubious claims which reach the market place will have an impact on the consumer in some form,
ranging from upset to potential death. It is generally the level of impact on the consumer that drives the level of loss
for the business.
4 Types of claims
There is a diverse range of on-pack claims, potentially all of which could make the product illegal and affect the
product integrity. Before beginning the assessment the team need to be very clear about what on pack claims are
currently made within their existing product range.
• Legal names
• Farming/ sourcing standards such as - wild, free range, barn eggs, farming standards, sustainability claims
(palm oil, fish catching), fishing standards, catching methods
•
Certification standards - LEAF, Red Tractor, Fairtrade, Rainforest Alliance, Freedom Foods, Marine Stewardship
Council
• Vegetarian, vegan
• Nutritional claims - enriched, low fat, reduced calorie, low sugar, diabetic, low salt, 10% less, vitamins and
minerals
• Legal requirements for composition - % fat in milk and cream, meat content, % water
• Protected Geographical Indication (PGI), Protected Designation of Origin (PDO), Traditional Speciality
Guaranteed (TSG)
10 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
5 Categorisation of claims
The claims listed previously which may affect integrity, can be categorised due to the their affect.
Most errors regarding on pack claims will render the product illegal by nature, substance or quality, due to their
non-compliance with the Food Safety Act 1990 or current labelling regulations.
Some may pose a food safety risk such as incorrect allergen information, due to cross packing or cross-contamination
of allergens.
The third category is due to the businesses moral obligation to the consumer, to do the right thing. These are not
direct non-compliances to the claims made on pack, but would cause the consumer upset, repulsion or disgust if
they were to know the truth about how the product was produced. This is a much more complex category as it
requires the business to produce the product in an ethical manner. The table below shows some examples of these
types of moral obligations, along with allergenic and illegal by nature, substance or quality examples..
Nature, substance & quality Errors which compromise the product, so legally it is not of the
correct:
Moral obligation Errors which compromised the ethical nature of the product
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 11
6 Describing the product
It is important to describe the products that are being assessed and also to describe what errors the products may be
at risk from.
This can be done by detailing each of the products, the claims that are made on-pack for each product and then
listing the errors that may compromise the product.
This information can then be used as a guide when carrying out the assessment and assessing which errors need to
be included.
Pertinent errors Non organic on same line Non British blueberries used on site
Use of non-Morello cherries Incorrect average weight
Incorrect average weight Wrong product, wrong pack
Wrong product, wrong pack
There are many guides, books and pieces of legislation that can be used as guidance when assessing food integrity.
The Food Standards Agency website is a good source of information which provides links to the pertinent pieces of
legislation, and also guidance documents which help to interpret the legislation.
12 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Key points
• The scope and terms of reference must be clearly defined, documented and followed
• The scope of an error vulnerability assessment can potentially be very broad and is certainly not as
consistent as within most HACCP systems
• The scope may be limited to errors in the manufacturing process or broadened to include other
business processes such as the new product development or procurement
•
The start and end points of the study may differ from HACCP, with the inclusion of other business
processes
• A modular approach may be useful where additional and potentially complex business processes are
defined within the scope
•
The products to be assessed must be described, including details of the errors that they may be at risk
from
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 13
Select the Team
Carrying out an error vulnerability assessment can require specialist expertise and
is unlikely to be exactly the same as that required for HACCP. A multi-disciplinary
approach covering the key functions of the business is required to ensure a robust
system is designed. The team should also include an inter-hierarchical dimension,
including junior management or operatives, as and when appropriate.
The specific constitution of the team will be driven by the defined scope and terms of reference of the
study. However, a typical team for an error vulnerability assessment may include:
• Procurement - with knowledge of sourcing of raw materials, to ensure that claims such as provenance or
composition are met
• Technical - including those with responsibility for organising site approval of certification standards and
knowledge of the requirements
• Production and operations staff - with a detailed understanding of production methods, the production
environment and staffing requirements. This team member may also be responsible for the goods in process
•
Process technologist - with an understanding of the product characteristics and existing process control
measures
• Engineer - with knowledge of the equipment and processes used on site including specialist knowledge of
processing and packing equipment
• Distribution or logistics - with knowledge of the storage and distribution processes and requirements,
including those carried out by third parties
• New product development - with responsibility for the development of new or existing products
• Specifications technologist - with knowledge of the specifications systems and pack copy generation. This
team member may also manage the artwork approval process
• Packaging technologist - with knowledge of the supplier print process, responsible for approving first print run
of packaging
14 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Larger companies may choose to establish a core error vulnerability assessment team and support this with
additional members who can be called upon to provide specialist knowledge when required or to stand in for absent
core members. Within smaller operations, multiple roles may be covered by one individual thereby reducing the size
of the team.
Ensuring the team have undergone training in how to carry out an error vulnerability assessment is vital to ensure
success and prevent wasted effort and confusion. The team should also have an identified leader who can drive
progress and provide feedback to senior management.
It is recommended that the team include a representative from senior management. As with any system, certain
resources, particularly time and key people, will be required and senior management support will need to be in place
to enable the on-going release of these resources.
To ensure the study and system can continue to function effectively, each member of the team should have a
suitably experienced stand-in to cover their absence. As with HACCP, continued absence of individual members
should not be tolerated due to the impact this may have on the validity of the plan.
• Validating or justifying the protection measures relied upon within the study
• Ensuring the workforce is aware of the importance of the system and trained in the necessary protection
measures as they relate to their roles
• Verifying that the protection measures are effective in reducing or detecting the identified significant risks and
vulnerable error points
• Reviewing the system in response to change, such as new information from legislation or standards to ensure it
remains valid
• Maintaining the system and the elements that support it such as the team membership, ongoing training and
on-site awareness
As with HACCP, it is good practice to retain minutes from the team meetings and to also include information from the
error vulnerability assessment into the management review process.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 15
Key points
• The use of a suitably experienced and knowledgeable team is essential for the creation of a robust
and valid system
• The composition of the team will differ from that of a typical HACCP team
• The team must draw information and expertise from a broad range of sources and take a
global viewpoint
16 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Construct the Process
Flow Diagram
As with HACCP, the risk assessment element of the error vulnerability assessment is
easier to complete if driven by a clear and accurate flow diagram of the process(es) as
defined within the scope of the study. The purpose of the flow diagram is to provide
a detailed illustration of the processes being considered. This is especially important
for processes which may be less commonly understood across the site such as
procurement or new product development.
The following points could be included in the flow diagram, where applicable as defined in the scope, this is
not an exhaustive list:
• Sequence and interaction of all steps and business processes being considered
• Inputs including raw materials, packaging, processing aids, utilities/services where applicable (water, steam, gas,
air, coolants), equipment
• Outputs such as finished product, intermediate products, by-products, rework, waste and recycling
• Additional flow diagrams to show further detail of specific activities should be produced where necessary
• Equipment specifics which effect the risks, such as separate or segregated equipment
The flow diagram for an error vulnerability assessment may become quite complex. Ideally all the diagram should be
visible on one page with a linear approach taken. However, it may be necessary to create more detailed sub flows for
complex areas and processes. It may be possible to combine the requirements of the error vulnerability process flow
with the current HACCP process flow, to reduce the repetition of documentation.
Unlike a HACCP process flow, which ideally should focus on the process that the product goes through, rather than
the types of equipment, an error process flow needs to take into account the actual equipment as well. Where
equipment is segregated for particular products such as allergens for example, this will effect the risks involved.
Therefore where multiple pieces of equipment can be used to carry out a production process, each piece of
equipment needs to be assessed individually.
It is good practice to give each step a unique identification by the use of a numbering system. Arrows are essential
to show the direction of flow. Colour coding can aid clarity on complex flow diagrams and it is useful to define any
colours or symbols used in the process flow diagram in a key. Where the HACCP and the error vulnerability flow
diagrams have been combined, ensure that the key used makes all the pertinent elements of the process steps clear
for both studies.
On the following page is a basic example process flow diagram for the development of a new product.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 17
Key
Optional step
1. New product brief
Process step
2. Capability study
3. Recipe development
5. Factory trial
6. Transit trials
11. Launch
18 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Flow diagrams should be produced for all processes defined within the scope of the study, which
may include:
• The storage, preparation and manufacturing processes taking place on site (this should already be in place for
the existing HACCP system)
• Any activities carried out by third parties such as contract production and, or packing
Key points
• A clear and accurate flow diagram is essential to ensure the process being considered is understood
by the team
• The flow diagram should include detail such as the sequence and interaction of all steps, inputs,
outputs and subcontracted activities
• Sub-flows or modules may be useful for complex flows or where the scope includes multiple
business processes
• Where multiple pieces of equipment are used for one process, each must be shown as a process step
to ensure they are assessed individually
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 19
On-site Confirmation of Process
Flow Diagram
Once completed it is vital that the flow diagram is confirmed as being accurate by
the team members, including additional expertise where required. Omissions or
mistakes may result in pertinent error vulnerabilities being missed, leaving the business
potentially exposed. It is useful to document the confirmation process as evidence of
its completion. As within HACCP, variations across shift patterns, seasons, etc. should
be taken into account.
It is good practice to ensure that the confirmed final version of the flow diagram is signed off by the team and kept
up to date.
Key points
• A thorough on-site confirmation of the flow diagram is essential to ensure its accuracy
• Inaccuracies may lead to error vulnerabilities being missed or the inaccurate assignment
of protection measures
• The flow diagram should be confirmed and signed off by the team
20 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Describe the Process
Once the process flow diagram has been confirmed, describing the process and
equipment at each step will help to focus the assessment. It is also a really useful tool
during audits to explain the processes that occur at each step.
On completion of the process flow, each step can be listed and then explained. This helps the team to clarify the
actions taking place at each step which are pertinent to product integrity.
HACCP teams will be familiar with how to describe the processes involved in production, however, additional
business processes such as development and procurement processes may also need describing (if included within
the scope). The purpose of the process description is to provide clear information about the key parameters which
are pertinent to, or influence, the level of vulnerability around the business process under consideration. Where
multiple pieces of equipment are used for one process and these have therefore been shown on the process flow as
individual process steps, the equipment and the differences between the equipment should be described.
Within HACCP systems, there is a clear requirement to describe the product in a detailed and structured way. If the
process flow diagrams have been combined for HACCP and error vulnerability, the information which is important for
integrity can added to the existing HACCP descriptions.
When compiling a description of the production process the following factors could be included:
• Where ingredients, work in process materials, rework, finished product and waste are segregated
• How ingredients, work in progress materials, rework, finished product and waste are labelled
Once completed the process description should be documented and kept up to date. An example of how to
document the process description is shown within the case study, in Chapter 4 (page 84).
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 21
Key points
• The content of the process description will be driven by the defined scope
• The information within the process description should include key parameters which are pertinent to,
or influence product integrity
22 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Prerequisite Programmes
The concept and purpose of prerequisite programmes (PRPs) is now well understood
by the food industry. Exactly what is classed as a prerequisite continues to differ
between businesses, depending on the circumstances and level of development, but a
typical list will generally contain many well recognised topics.
The concept that PRPs control general, often site-wide, hazards which are not specific to a particular process step
is well accepted. Other controls such as those around critical control points (CCPs) or operational prerequisite
programmes (OPRPs) are designed to control significant food safety hazards at specific steps in the process.
For the purposes of an error vulnerability study, a PRP can be defined as a set of generic protection measures which
are not specific to a process step.
Typical PRPs for an error vulnerability study may include the following, noting that not all of these will be
relevant to all businesses and additional ones may be required:
• Process control
• Product control
• Change management
• Specifications
• Chemical control
• Product packaging
• Procurement
• Traceability
• Hygiene
• Personal hygiene
• Storage
• Segregation
• Labelling
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 23
There will be elements of many existing prerequisite programmes that could be relevant within an error vulnerability
study. There may also be the need to add new prerequisite programmes or add new elements to the existing
programmes.
Key points
• Prerequisite programmes play an important role in reducing the level of vulnerability
• The type and nature of the prerequisites required for an error vulnerability management may differ
in parts from those typically relied upon for food safety
• Additional prerequisites that provide specific detail of elements which are key to ensuring on pack
claims are met may be required, such as segregation
24 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Protection Measures
Historically the principles of HACCP, as defined by Codex Alimentarius 2003, have
defined a control measure as an action or activity which is used to prevent, eliminate or
reduce a hazard to an acceptable level.
Therefore monitoring activities cannot be included as a true control measure as defined by HACCP. However, it is
known that this is not always achievable and at times the only way of ensuring that the product is safe is to apply a
monitor, such as a test or a check. If, at this stage, it was to be found to be unsafe, there are procedures that would be
put in place to either correct the problem or stop the product from being released.
An example is the hazard of glass or brittle hard plastic directly above open product. There is no control for this
hazard, as there is currently no reasonably practicable technology that would stop a breakage of glass or brittle
plastic above open product occurring. The only way to ensure that the finished product is safe is to apply a check
to these items at a frequency which will ensure that any breakages are highlighted while the product is still within
the control of the manufacturer. Thereby allowing any possibly affected product to be quarantined, ensuring unsafe
product is not released to the customer or consumer.
Currently the only way of managing this restriction in HACCP is to word the monitor as a control. For example rather
than stating ‘glass and brittle hard plastic checks’ the wording of ‘glass and brittle hard plastic procedures’ would
be used.
Ultimately it is understood that the two above statements mean the same thing, but it does cause restrictions within
the HACCP system that are not reflective of the contemporary food manufacturing industry. In addition, there is no
reason to look upon the application of monitoring systems negatively in situations where no control measures can
be applied, it is just a different type of management, one of reaction rather than prevention. By facing the fact
that a reactive monitor is required, it actually highlights the issue and enables the application of stricter controls
where necessary.
For this reason the system of assessing vulnerabilities for food integrity requires a more pragmatic approach, which
allows both controls and monitoring systems to be applied. To overcome this conflict the term ‘protection measures’
has been chosen.
Therefore the original HACCP definition of control (Codex Alimentarius 2003) which is:
‘An action, activity or monitoring technique designed to prevent, detect or reduce an error to an acceptable level’
Note that the word ‘eliminate’ has been removed as it would be too strong to state that an error could be eliminated,
as it is an unintentional act.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 25
The word ‘detection’ also appears in the amended definition, as it is not always possible to ‘control’ an error, it may at
times be necessary to put protection measure in place to detect if the error has occurred.
As with controls in HACCP many protection measures are managed through a prerequisite programme, as discussed
in the previous prerequisite section.
Key points
• Protection measures are the equivalent of control measures within HACCP
• The definition of ‘protection measure’ allows for the inclusion of monitoring and detection methods
• The reference to elimination has been removed as it would be very difficult to claim or prove that a
protection measure could totally eliminate an error
• Many of the protection measures will sit within prerequisites, either existing or highlighted as
necessary by the study
26 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 27
28 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
CHAPTER 2
ASSESSMENT STAGES OF AN
ERROR VULNERABILITY STUDY
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 29
Assessing Error Vulnerability
The following section details how the error vulnerability assessment should be
carried out.
• Using the impact and vulnerability scores to calculate the risk rating to determine significant risks
• Putting each protection measure for each significant risk through the decision tree to identify the required
management techniques, which could be:
• Risk register
• Prerequisite programme
• Current CCPs
Each of the following sections detail the requirements and process for completing each element of the error
vulnerability assessment.
30 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Establish the Errors
An error is something that can compromise the integrity of the product. The pertinent
errors at each process step should be listed, in line with the error categories stated in
the scope.
The errors to be considered are centred on ensuring that the claims on-pack are not compromised and that the
product does not contain anything which is not detailed on the pack.
The team must ensure that all of the claims on-pack which are defined in the scope are considered within the
assessment.
When establishing the errors, the team must ensure that all of the events that potentially could cause an error are
considered.
Using the process flow diagram as a guide, the team must assess each process step, identify and record the relevant
errors at each step.
Thinking about the potential errors that could occur is vital in order to establish effective protection measures and
implement these in the areas of greatest vulnerability.
The following list of possible errors can be used as a thought prompter to aid discussion with the team:
Specification
• Incorrect specification agreed with supplier – e.g. characteristic relating to on-pack claim not specified or
incorrectly specified
Packaging details
•
Incorrect pack design – either via lack of awareness of legislation or errors in calculation e.g. QUID
declarations
Cross-contamination
• Inadequate segregation – during storage, debox/debag, weigh up, prep/mixing, assembly, packing, finished
product
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 31
• Inadequate cleaning of equipment
• Illegible labelling
• Wrong quantity
NPD processes
• Loss of certification to claim standard due to failing audit (at supplier or on-site)
32 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Define the Errors
Documenting the error
In order to achieve a consistent result, it is beneficial to establish a defined and repeatable way of describing the error.
This will help to ensure an objective result rather than a subjective or emotive one.
In order to ensure that the error is outlined consistently the following method can be used:
How the asset is
due to the error caused by the event
affected
For illustrative purposes, an example of organic contamination with a non-organic ingredient is built up below.
As defined in the scope, the asset ultimately being protected is the consumer and the subsequent effect that the
consumer has on the business. In this example, the effect on the consumer is one of upset from eating a product
which is not entirely organic.
Upset to the
consumer
The error
This should provide a description of the error which may occur, which causes the claim on-pack to be compromised.
The event
The final part of the error detail is to define the event that caused the error to occur. The event should detail where in
the process the event occurred, if possible.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 33
Further examples
The following examples provide detail on how the error should be defined, for events which occur not only during
the manufacturing process, but also in process steps which occur prior to production - such as recipe development
and artwork generation and approval.
insufficient
Food Upset
poisoning
to the caused by
due to underweight product monitoring of average
of the consumer
consumer
pack weights
The error of not developing the recipe with nutritional requirements in mind could be defined as follows:
FoodDisgust
poisoning
to the inaccurate nutritional caused by incorrect recipe
due to
of the consumer
consumer information development
The error of not ensuring that allergen labelling is correct on the artwork could be defined as follows:
FoodDeath
poisoning
to the inaccurate allergen caused by lack of artwork
due to
of the consumer
consumer information approval and sign off
Key points
• The error needs to be carefully and accurately defined to enable the rest of the study to be precise
• The methodology for detailing the error should be defined, documented and consistently applied
• Sufficient detail should be included in the event description to ensure that the error is thoroughly
understood and an appropriate protection measure can be applied
• Providing sufficient detail will provide transparency and clarity during audits and assist understanding
when personnel in the team change
34 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Error Assessment
The aim of the error assessment is to:
• Establish and score what impact the error would have
A benefit of a cumulative scoring system over the 2-dimensional model of severity and likelihood commonly used in
HACCP is that it allows for mitigation where protection measures can be applied, and the event or the error can be
detected. Thereby meaning that the product will not reach the consumer.
This assessment methodology takes into account the impact on the consumer and the subsequent impact on the
business, providing a system for grading and scoring the overall impact.
It then progresses to consider the vulnerability of the business to that error. This is decided upon by considering both
the vulnerability of:
In both cases it is essential that the ability to detect the error is considered.
An event could occur, but if there were protection measures in place which ensured that the event would be
detected, the error would be addressed ensuring that compromised product would not be allowed to reach the
consumer.
For example, if the event of insufficient cleaning occurred on a pork meat depositor, this could be detected by
carrying out a rapid swab of the filler. If pork meat was detected, it could be re-cleaned, meaning that the product
which was produced next would not be compromised.
In the same way, if the error was to occur, and there were protection measures in place to detect the error, the error
would be addressed, again ensuring that corrective actions are put in place, so that he compromised product would
not reach the consumer.
If either the event or the error is detected and this causes the issue to be resolved, then there is no risk to the
consumer.
For this reason, the event score and the error score are multiplied together. The impact score and the vulnerability
score are then also multiplied together.
This would mean that even if a high impact score was achieved, if the vulnerability score was low, the overall risk
score would be low - as the consumer and so the business, are not vulnerable to the error.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 35
Once the overall risk score has been calculated the methodology provides a technique which defines which risks are
significant.
Once significant risks have been established the system provides a decision tree which can be used to identify how
each of the protective measures should be managed.
There are four possible management techniques resulting from the use of the decision tree:
1 The error is managed through a risk register
2 The error is managed through the application of current prerequisites, through the amendment of a current
prerequisite or introduction of a new prerequisite
3 The error is managed through current CCPs
4 The error is managed through the application of a vulnerable error point (VEP)
The following sections provide further detail on each management technique, explaining how they are applied.
The latter sections explain how the information generated by the study could be documented.
36 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Assessing the Impact
The first aspect to assess is the impact that the identified error could have on the asset,
i.e. its impact on the consumer, and the subsequent impact on the business which is
driven by the affect on the consumer.
To do this objectively and consistently a scoring system for each impact is required. The following example
illustrates how this may look:
Consumer Business
Death 9 Closure 4
Repulsion/Disgust 6 Disruption 1
Upset 5 None 0
None 0
It must be noted that the scoring system is higher for the consumer than for the business, this is because the
consumer is the primary concern. Any loss or harm to the business is generally a consequence of the affect that the
error has on the consumer, resulting in loss of sales or financial impact due to fines, recalls etc.
Unlike HACCP, repulsion/disgust and upset have been included in the impact on the consumer. Food integrity is not
restricted to food safety and therefore repulsion/disgust and upset of the consumer must be included.
Adding upset and repulsion/disgust allows consumer impact to be assessed for errors such as vegetarian products
being contaminated with meat substances, or organic products being contaminated with non-organic ingredients.
Within this system, the scores for consumer impact and business impact are added together. The addition of the
numbers ensures that the impact to the consumer has a greater weighting as this is the ultimate asset to protect.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 37
Key points
• The potential impact is the first aspect to be assessed and scored
• The impact on both the consumer and the consequential impact on the business must be considered
• The impact on the consumer is given a higher weighting as the consumer is the ultimate asset
to protect
• The levels of impact are not limited to food safety but also include upset and repulsion/disgust
38 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Assessing the Vulnerability
Vulnerability is how exposed the business is to an error having an impact on the
consumer. An error can exist but, if there is no weakness to that error, then there is no
vulnerability. Therefore vulnerability measures how susceptible the business is to the
error having an impact.
Once the overall impact has been assessed, the team must progress to assess how vulnerable the business is to the
identified error having the defined impact.
As with impact, a scoring system for each vulnerability is required. The following illustrates how this may
look:
Vulnerability
Event Error
The event has occurred before and would be 3 The error would be undetectable and would 2
undetectable compromise the product
The event has not occurred before and would 2 The error would be detectable and would 1
be undetectable compromise the product
The event has occurred before and would be 1 The error would not compromise the product 0
detectable
‘The event’ is the event that causes the error to occur, such as mislabelling leading to non-organic contamination
or poor cleaning resulting in species cross-contamination. For the event, the scoring system describes if the event
is detectable or not. In order for the event to be detectable, there needs to be a positive confirmation (protection
measure) in place that confirms that the event has or has not occurred, such as a check. For the example of poor
cleaning resulting in species contamination, a positive confirmation of the event would need to be a check such as
ATP of the cleaning.
The scoring system, then determines if the error (caused by the event) would contaminate the product and if the
error itself would be detectable through the application of protection measures. Again, in order for the error to be
detectable there needs to be a positive confirmation in place that confirms that the error has or has not occurred. For
the example of poor cleaning resulting in species contamination, a positive confirmation of the error would require
something like testing of the product produced for species contamination.
The scoring system allows for mitigation of the event and the error, to reduce the vulnerability. If protection
measures are in place to ensure that the event and, or the error is detected, this reduces the vulnerability score. For
this reason the event and error scores are multiplied together.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 39
If the event has not occurred before and there are protection measures in place to ensure that it would be detected if
it was to occur, the score would be 0. Therefore when this is multiplied by the error score an overall score of 0 would
be achieved, because if this error could not occur, the product would not be compromised, because the event is
detectable.
The error assessment also takes into account if the error being assessed will compromise the product. If the error
does not compromise the product, a score of 0 is given, so that when the event and error scores are multiplied
together the result is 0.
Key points
• Vulnerability is the next aspect to consider once the overall impact has been assessed
• Vulnerability is made up of two separate elements, which are event and error
• For an error to reach the consumer both the event and the error need to occur without detection
• For an error to have an impact on the consumer it must compromise the product
40 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Risk Rating & Significance
Once the overall scores for impact and vulnerability have been calculated, these two
numbers are then multiplied together to give the risk score for that error.
The reason for multiplying these figures is to allow situations where the vulnerability score is deemed to be zero, to
mitigate the impact score, giving a result of zero. This is because no matter how high the impact of the error, if there
is no vulnerability to it, then there is no risk.
Impact
Consumer Business
Death 9 Closure 4
Repulsion/Disgust 6 Disruption 1
Upset 5 None 0
None 0
Vulnerability
Event Error
The event has occurred before and would be 3 The error would be undetectable and would 2
undetectable compromise the product
The event has not occurred before and would 2 The error would be detectable and would 1
be undetectable compromise the product
The event has occurred before and would be 1 The error would not compromise the product 0
detectable
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 41
Impact Vulnerability
Vulnerability Score
Impact Score
Consumer
Business
Error Risk Score
Event
Error
Upset to the consumer due to contamination from a 5 2 7 3 2 6 42
non-organic ingredient caused by lack of labelling of
ingredient weigh up tubs.
The above scoring shows and example of the scoring, based on a medium sized business.
You will notice that the allergen issue on the last example above comes out as a low score, even though it could
cause death to the consumer. This is because there are a number of protection measures in place which detect both
the event and the error, therefore this reduces the vulnerability to the error occurring.
42 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Significance
A significant error is an error which would be totally unacceptable to the consumer and subsequently, one which the
business is unacceptably vulnerable to.
The methodology described in this publication uses a cut-off point for a significant error as any score of 24 or more.
The rationale for this is described below. However, it may be necessary for the business to reassess or amend this
score depending on the current circumstances or business requirements.
The cut-off score of 24 has been defined by taking a minimum score for what would be deemed as an unacceptable
impact on the consumer and the business, and similarly for the event and the error, as described below.
The horsemeat scandal showed us the impact that upset to the consumer can cause on the industry, the brand and
the businesses involved. Therefore the score that would need to be applied as unacceptable would be upset to the
consumer, so the score which would cause a significant impact is 5 and above.
Because the impact on the consumer drives the impact on the business, given that upset to the consumer is
significant, any disruption would need to be considered as significant, providing a score of 1.
The greatest risk from an event is where it has cannot be detected, therefore a score of 2 or more would be
unacceptable.
As with the event, the greatest risk is where the error cannot be detected, therefore this also provides a score of 2.
These scores have then been multiplied together to give the significance score.
Therefore the overall significance score is 6 x 4 = 24. Therefore a score of 24 or more is deemed to be significant.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 43
Key points
• The risk rating is calculated by multiplying the overall score for impact with the overall score
for vulnerability
• The multiplication of the event and error scores allows for a zero rated vulnerability score where
the event has not occurred before and would be detectable, or where the error would not
compromise the product
• The multiplication of the impact and vulnerability score allows for a zero rated overall vulnerability
score to cancel out an impact score, where the business has no vulnerability to the error
• Within this guidance the boundary for significance has been identified as 24, based on deeming what
would be unacceptable for the consumer impact, business impact, event and error
44 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Establishing Protection Measures
& Prerequisites
Protection measures should be identified for each error. Protection measures are
required for both significant and non-significant risks.
As determined previously the protection measures applied can be controls or monitoring activities. The aim of the
protection measure is to prevent, detect or reduce the error to an acceptable level.
The protection measure(s) assigned to each error may already be in place, or the errors may necessitate the
identification and implementation of new protection measures, which may or may not be known.
It may be necessary to consult with internal resources such as research centres or head office specialists or where
additional assistance is required, external private resource centres, trade associations or government sources.
Protection measures which prevent the error should clearly be the first focus, however if these are not available,
options for detection and then reduction should be considered. Any protection measures that are in place to
positively confirm that the event or error has or has not occurred must be listed.
Generally, the more protection measures that can be assigned to the error the better, as this obviously reduces the
vulnerability but will also give the business more flexibility with regard to cost of frequency of application of each
protection measure.
Each protection measure should be assigned to a prerequisite programme, where applicable. In doing so it may
become apparent that additional prerequisite programmes are required, which specifically manage errors. It may
also be necessary to add protection measures to existing prerequisites which originally were outside the scope of the
typical HACCP prerequisites.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 45
Establishing Error Management
Techniques - Decision Tree
All significant errors should be put through the decision tree to establish how each of
the protection measures should be managed.
It is likely that a higher number of errors and associated protection measures will be put through the decision
tree than would be expected within a HACCP study. This is because the standard CCP decision tree only has two
outputs - to be managed through the prerequisite programmes or as a CCP. However, within the error vulnerability
methodology the decision tree allows for a number of outputs, each of which provide effective and appropriate
management techniques.
Each protection measure should be considered individually to establish the appropriate management technique.
46 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Implement changes to
Question 1: Can the error be eliminated? Yes eliminate the error
No
No
No
Yes
No
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 47
The following section explains each of the questions within the decision tree and how they should be applied. Each
protection measure for each error should be put through the decision tree individually. The result of each question
should be recorded.
It is important to not just accept all errors that have been identified and manage them as such. Prior to accepting the
error it should be reviewed to ensure that it cannot be eliminated and where it can, it should be.
Where errors have been identified and can be eliminated, record ‘yes’ to question 1. It is advisable to document the
actions applied to eliminate the error.
It is not always possible to apply a protection measure to every error and therefore it is key to highlight where the
consumer and the business are exposed to an error, due to the lack of protection measures.
Where a protection measure is not currently in place, record ‘no’ for question 2 and move on to question 2a.
Review whether an immediate protection measure can be applied. Where, following a review, a protection measure
can be applied, document the protection measure along with any relevant prerequisites, record ‘yes’ for question 2a
and reassess.
Where, following a review, an immediate protection measure cannot be applied, record ‘no’ for question 2a and add
the error to the risk register. For further details on the risk register, see the following error management section (page
51).
If the protection measure is generic and is managed through an existing prerequisite, then no additional
management is required, record ‘yes’ to question 3.
If the protection measure is not managed by an existing prerequisite or it is not a generic protection measure then
additional management is required. If this is the case, record ‘no’ and move to question 4.
48 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Question 4: Is this protection measure at this process step designed to protect against
this specific?
When answering this question it is important to remember that the question applies only to the particular process
step that is being assessed. If the protection measure is not specific to that process step it is considered a generic
protection measure and therefore it should be managed through the prerequisites. Therefore document ‘no’ to
question 4.
However, if the protection measure has been designed to manage the error at this particular process step, answer
‘yes’ to question 4 and move on to question 5.
If the protection measure has been designed to specifically control the error at the process step being assessed
it is possible that it may already be managed through HACCP for food safety purposes, as a critical control point.
Therefore, if this is the case, no further management is required, as the CCP should always take precedence. If so,
document ‘yes’.
If the protection measure is not managed through HACCP as a critical control point, record ‘no’ to question 5. If this is
the case it must be controlled as a vulnerable error point (VEP). For more information on managing vulnerable error
points, see the following management section (page 55).
For each protection measure that is put through the decision tree, document the error management system which
will be either via a PRP, Risk Register, CCP or VEP.
It must be remembered that there may be more than one protection measure for each error and each of
these protection measures may be managed in different ways.
Key points
• The decision tree provides an objective and repeatable way of identifying the management technique
required for each error
• Each protection measure must be considered individually through the decision tree as their
management may differ
• The results of the decision tree will be to manage the error either via a risk register, through
prerequisites (current or additional), through current CCPs or via a vulnerable error point (VEP)
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 49
Implementing Techniques for Error
Management
Once each of the protection measures has been put through the decision tree, one of
the four following management techniques will have been selected:
2 The protection measure is managed through the application of current prerequisites, through the amendment of
the current prerequisite or the introduction of a new prerequisite
4 The protection measure is managed through the application of a vulnerable error point (VEP)
50 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Management of Errors
- Risk Register
In the event that a significant error identified does not have a protection measure,
it is essential that the business is aware of it, so that it can be regularly reviewed for
improvement and action taken to ensure that the vulnerability to the error is reduced
to an acceptable level.
It may be that there are currently no protection measures available, but future developments in the industry
may mean that they become available at a later date. Regular review of the risk register will ensure that these
developments are included and they should be recorded.
In addition, the risk register must be reviewed following errors in the industry or on site.
The risk register should retain details of the original assessment, as well as the revised scores as the register is
reviewed and amended regularly to reflect progress in reducing the vulnerabilities. The rationale for including an
error on the risk register, rather than implementing immediate protection measures, must be robust and clearly
documented.
The register should include where applicable short, medium and long term actions for how protection measures will
be implemented. Once these protection measures are available, they should be assessed again through the scoring
and the decision tree system.
The frequency of review and the triggers for unscheduled reviews should be defined. The minutes from reviews and
actions, with close out, should be recorded within the risk register documentation.
In the event of an error which is detailed on the risk register occurring, it is expected that this would be managed
through the implementation of the crisis management system. The crisis management system must be reviewed to
ensure that it provides the required processes for the errors identified on the risk register. Where there are specific
requirements for the management of these errors through the crisis management system, these should be clearly
detailed on the risk register. In addition, crisis management tests should include the challenge of the errors identified.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 51
Management of Errors
- Prerequisites
The management of quality, legality and food safety hazards is generally accepted
and well-established within the food industry. However, it is possible when assessing
error vulnerabilities for food integrity that not all necessary protection measures will be
already included in the current set of prerequisites. It is likely that new prerequisites,
such as product segregation, which is not generally defined as its own prerequisite
within HACCP plans, will be required to manage food integrity errors.
Therefore it is likely that when carrying out an error vulnerability assessment for the first time there may be changes
required to the current prerequisite programmes and new topics may be created.
The decision tree assists in defining when a protection measure should be managed through the current defined
prerequisite or added to the prerequisite suite, whether that is as an existing prerequisite or as a new topic.
Where the protection measure is to be managed through an existing prerequisite, the documentation for this
prerequisite should be reviewed and amended. The documentation should clearly show how the protection
measure is managed and that this element of the prerequisite is managing a significant risk for food integrity.
Where the decision tree defines that the protection measure should be added to the prerequisite suite, it should be
first established if a new prerequisite topic is required. If this is the case, the topic documentation should be written,
establishing the criteria for how the protection measure is to be managed. Again, the prerequisite documentation
should clearly show that the protection measure is managing a significant risk for food integrity.
52 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
The PRP procedure below is shown as an example of how the documentation could be laid out, but does
not include all the required detail.
2.0 Responsibilities
It is the responsibility of the site management team to ensure that the requirements laid out in this
document are implemented and effectively enforced.
3.1 Dedicated and segregated storage of raw materials must be in place during storage. Ingredients
which are similar in nature must be clearly labelled to ensure that errors are not made in picking
of ingredients.
4.1 Raw ingredients must be segregated from ready-to-eat or drink ingredients during storage to
ensure that pathogenic cross-contamination is minimised.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 53
Management of Errors
- CCP
Where a protection measure has been defined as being managed through an existing
CCP, it should be recorded within the error vulnerability assessment, but no further
additional management is required as HACCP takes precedence.
The HACCP plan should be updated to include, in the CCP summary, that the CCP is not only managing a food safety
hazard, but has also been identified as managing an integrity error. Failures of the CCPs and the corrective actions
implemented should be fed into the error vulnerability reviews.
Cooking Pathogenic outgrowth Alcohol ≥5.2 % Test sample at Mix for a fur- Alcohol
in the finished addition aqueous start, hourly and ther 3 minutes record sheets
product due to alcohol end of run. and re-sample. checked and
insufficient alcohol If the re-test signed off by
addition Responsibility: does not meet supervisor
Production the critical
This CCP has also operative limit. Inform Complaints
been identified as supervisor, data
managing a food Record: Ref 5.49 to request
integrity error: Alcohol Record approval to Routine
Upset to the Sheet add additional pathogen
consumer due to alcohol. surveillance
inaccurate QUID Responsibility: on finished
caused by inaccurate Production product
alcohol addition operative
CCP audits
Record: Ref
6.12 Non-
conforming
product form
Investigation
into reason for
test failure
54 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Management of Errors
- Vulnerable Error Point (VEP)
The main difference between CCPs and VEPs is that a CCP must be controlled to ensure
that every product that is released to the consumer is safe to eat. Therefore critical
limits, monitoring and frequency and must be effective at all times.
Errors could include food safety issues such as ensuring that the allergens listed on pack are correct. They could
also include errors where the weight of the product does not meet the legal requirements. Therefore the a degree
of pragmatism is required around the how the VEP is validated. The validation of the protection measures does
not always, as with CCPs, require evidence that the system is effective at all times, but can also include a degree of
justification for the frequency at which the protection measure is applied.
The aim is to ensure that the VEP reduces the vulnerability of the error to an acceptable level. The ‘acceptable level’
therefore must be justified if it does not provide 100% protection.
There may be more than one protection measure for an identified error managed as a VEP which reduces the
vulnerability to the error. Where this is the case, this should be taken into account when determining the frequency
at which each of the protection measures are applied.
Where a critical limit can be applied to a protection measure it should be validated to prove that it is effective. The
frequency at which the protection measure is applied should be justified (if it doesn’t confirm that the whole batch
each time it is produced, is correct).
Where a critical limit cannot be applied, criteria are required and they must be justified.
In order to ensure that the vulnerable error points are managed as effectively as possible, they should be structured
in a similar way to CCPs within the HACCP system.
Therefore the following should be established, implemented and recorded on a VEP summary:
• Corrective actions
The VEP summary should also be backed up with validation and justification documentation, for the critical limits,
criteria and frequencies applied.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 55
Protection measures - critical limits & criteria
For each protection measure either critical limits or criteria should be applied.
A critical limit is an objective measure, one that can be determined through validation, by proving that the limits
provide the results that are required within the process specified. For example, a critical limit could be applied to
nutritional testing, as the test would have limits for pass and fail.
A criterion is a subjective measure, one that cannot be validated, but can be justified. For example checking a piece
of printed packing for print legibility is a subjective task and so criteria would be applied, in the form of picture
standards. Therefore the criteria for the pass or fail of a check would need to be justified.
For each VEP protection measure there must be a procedure which defines who is responsible, how it should be
managed, when the measure should be applied and at what frequency, the critical limits or criteria and how the
result should be recorded.
The procedure must include what corrective action is required in the event of the measure not meeting the set
criteria or critical limits, who is responsible for applying it and when it should occur.
Corrective action should be considered for the three main types of failure:
• Where an error has occurred without detection (such as when a complaint is received)
• Where an error has not occurred, but the protection has been found to have failed (this may be discovered by an
internal audit or supervision)
Where an error has occurred and has not been detected, the crisis management system must be implemented if it
is suspected that the error is not confined to an isolated product. Additional actions may also be required, these may
include additional protection measures or increased frequency of protection measures, while there is a risk of the
error reoccurring. The root cause of the error should be investigated and corrective actions implemented to ensure
that the risk of the error reoccurring is minimised.
Where an error has occurred but has been detected, the protection measure has been successful in preventing
the error from affecting the asset, (the consumer and subsequently the business) the action required will be based
around removing the root cause of the error.
Where an error has not occurred and the set protection measure criteria or critical limits have been found to have not
been met (through supervision or internal auditing), the corrective action should be based around the prevention of
a failure of the protection measure in the future. This should include investigation and root cause analysis as to why
the protection measure was not effective.
56 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
In all cases the corrective action applied should consider where possible:
• Investigation as to how the vulnerability occurred and corrective action, using root cause analysis to
prevent re-occurrence
Verification is defined here specifically as internal auditing. Within HACCP systems there is a range of verification
activities, such as end product testing or confirmation micro testing. However, within the error vulnerability
assessment, typical verification activities such as checks and tests are now classed as valid protection measures.
Therefore the only true verification activity is internal auditing.
This makes internal auditing an essential control and therefore it is important to define the specific elements of the
internal audit which will verify that the protection measure is effective.
For example, when defining the key internal audit elements for the protection measure of nutritional
testing to meet legal fat percentage in milk,
• Observing the operator carrying out the fat test against the procedure
• Ensuring that the operator is trained to the current version of the fat test procedure
It is vital to ensure that the activity is well managed, through the use of trained and experienced auditors. This
may require shadowing of auditors and also calibration to ensure that the results are consistent and to the required
standard. Any non-conformances arising from the audits must be managed effectively and closed out in a timely
manner to root cause. The results of the audits should also be trended and analysed in management meetings and
error vulnerability reviews.
It is essential that validation and justification is documented for all protection measure(s) managed as a VEP.
As detailed previously unlike HACCP, validation may include a level of justification. The first aspect to consider when
working through the VEP, is whether the protection measure requires validation or justification.
Where critical limits are applied to a protection measure they will require validation.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 57
Where criteria are applied to a protection measure they will require justification.
The frequency of application of the protection measure in both cases will require a clear justification.
All validations and justifications should be documented. The level of detail should be sufficient to explain the theory
and methods used, this should allow other trained individuals to be able to follow, understand and, where necessary,
replicate the data.
To do this, the following should be used as a guide when creating the document:
• Legislation - detail any legislation that may be applicable and explain how it impacts on the validation
or justification
• List of protection measure(s) that manage the error. For each protection measure it should be explained why
each is either objective; and therefore requires critical limits and validation, or subjective; and therefore requires
criteria and justification
• Where equipment is used as part of the protection measure procedure, the specification should be included.
The functionality of the equipment should be explained and any limitations highlighted. Where there are
limitations that will affect the consistency or effectiveness of the equipment these should be challenged, to
show how they will be controlled or monitored
• Establish critical limits - if critical limits are applied, they should be challenged and the results of these challenges
recorded. Where possible, trials should be carried out and for the worst case scenario i.e., at the extremes of the
critical limits, to prove that they work
• Where protection measure criteria are to be applied rather than critical limits, the justification should
be documented
• Challenge the process - for protection measures which have critical limits or criteria, the process should be
challenged, either in theory or in practice. What could happen to cause the protection measure to be
ineffective? Is there a part of the process that, if not controlled, may have an effect on the critical limits? Where
these are identified they should be documented and validated or justified.
• Review - the frequency of review for validation or justification and what the review should include
58 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Key points
• The required error management techniques should be identified using the decision tree
• A risk register is used for errors which currently have no feasible protection measure. Errors on the
risk register must be regularly reviewed
• Many of the required PRPs may already be in place, others may need expanding or amending to
include the required protection measure. PRP documentation should show a clear link to how the
significant error is managed within the PRP
• Where existing CCPs have been identified as also controlling error vulnerability, this should be stated
on the CCP summary. Failures in CCPs should be fed back into the error vulnerability assessment
review
• VEPs are a new concept and have many parallels with food safety CCPs
• Limits around VEPs are not as absolute as those around CCPs. VEP critical limits and criteria need
careful consideration
• VEP critical limits require validation, whereas protection measure criteria require justification. Both of
these should be robust and documented
• Verification within an error vulnerability study mainly comprises of internal auditing activities
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 59
Documenting the Assessment
This section provides an example of how the error vulnerability assessment could
be documented.
For the purpose of this guidance, it is presumed that prior to documenting the assessment, the team will have already
documented their assessment methodology. The introductory information including, the team, the scope, the terms
of reference, process description and confirmed flow diagram for the process(es) under consideration should also
have been documented by the team.
The errors
Impact assessment
Vulnerability assessment
• Risk register
• VEP summary
Prior to detailing the errors at each process step, it is recommended that standardised error impacts are defined. This
helps to ensure that the way in which the errors are evaluated is consistent, to both the consumer and the business.
Like severity within a HACCP assessment, the impact of the error is less variable and has an element of repetition.
Therefore work through all the errors that could occur and work out what the standardised consumer impact would
be. For example, an allergenic error would always be assessed as death to the consumer in the worst case. An error
which may effect celiacs may be assessed as hospitalisation. An intolerance error may be always assessed as minor
harm. Each standardised consumer impact can then be considered for its potential impact on the business. These
impact scores can then be set for the rest of the assessment.
The vulnerability to the error is more variable, as with the likelihood within HACCP. This depends on many factors,
such as which process step is being evaluated, the current protection measures in place and how effective they are.
60 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Using the following as an example:
‘Upset to the consumer due to contamination from a non-organic ingredient caused by lack of labelling of
ingredient weigh up tubs.’
In order to show how and where information should be documented the text entry points on the subsequent tables
have been labelled with (step 1), (step 2) and so on.
Each error should be listed against each process step. To do this, document the process step and step reference (step
1), then number each error for that process step (step 2) as this will assist in referencing later. Finally, document each
of the errors (step 3), (using the structure shown in the diagram above ) as shown in the example below.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 61
Documenting the impact assessment
Impact
Consumer Business
Death 9 Closure 4
Repulsion/Disgust 6 Disruption 1
Upset 5 None 0
None 0
Continuing with the organic error example, on assessing the impact to the consumer, the error would not cause the
consumer harm but they would be upset that they have purchased and consumed something that was not true to
the label. Therefore the consumer impact score would score 5.
The result of such an error on the business would depend on the size of the business, but could be standardised for
the business in question. For this example, presuming the business is a medium sized operation, the loss of sales
could cause minor financial loss. Therefore the business impact score would be 2.
In order to confirm why the score has been defined as 5 for the consumer and 2 for the business, it is advisable to
document the theory behind it. An example of what this may look like is shown in the table below.
Impact
Using the impact table assign the correct impact assessment to each error, ensuring that for each score (step 4) for
the consumer and for the business the reason behind the score is defined (step 5). Calculate the impact score by
adding the two scores together (step 6).
62 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Documenting the vulnerability assessment
Vulnerability
Event Error
The event has occurred before and would be 3 The error would be undetectable and would 2
undetectable compromise the product
The event has not occurred before and would 2 The error would be detectable and would 1
be undetectable compromise the product
The event has occurred before and would be 1 The error would not compromise the product 0
detectable
Repeat the exercise for the vulnerability assessment, again ensuring that the scores (step 4) and the explanation of
the score (step 5) are included. Multiply the two scores together to give the overall vulnerability score (step 6).
Vulnerability
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 63
Documenting overall risk scoring
Document the overall risk scoring by multiplying the impact and vulnerability scores (step 7). Anything above the
significance score of 24 should be highlighted (shown in bold and underlined), to show that it should be taken
through the decision tree.
Impact Vulnerability
Consumer Score Business Score Impact Motivation Score Opportunity Score Vuln. Risk
Score Score Score
(Step 5) (Step 4) (Step 5) (Step 4) (Step 6) (Step 5) (Step 4) (Step 5) (Step 4) (Step 6) (Step 7)
64 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Documenting the protection measures & PRPs
Document a reference for each protection measure (step 8), then document the protection measure (step 9) and
which PRP, if applicable that the protection measure relates to (step 10).
The reason each protection measure is listed with its own reference is because each one has to be taken through the
decision tree individually. Giving each one its own row makes this easier and clearer to read.
It is recommended that a different referencing system, than that used to reference the errors is chosen. For example,
if errors have been referenced through a sequential number, sequential lettering could be used for protection
measures.
Protection Measures
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 65
Documenting the decision tree assessment, including the result
In order to ensure that the answers to the decision tree questions are captured it is advisable to document them.
To document, record the answer to each question as yes or no. Where the set of questions comes to an end also
record ‘stop’ and record the resulting error management result.
The table below shows example routes through the decision tree and how the resulting error management method
can be documented.
(Step 11) (Step 12) (Step 13) (Step 14) (Step 15) (Step 16) (Step 17)
66 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Process Error Rationale Mitigation Mitigation Mitigation
step - Short Term - Medium Term - Longer Term
Risk register
Mixing Replusion of the consumer Currently there is no Action: Monitor ATP Action: Carry out labora- Action: Implement rapid
due to meat cross evidence to suggest that results for cleaning, to en- tory swabbing of the line test for all meat species for
contamination of a cleaning is not effective sure that they are effective. to establish if cleaning is positive release of the line
vegetarian product caused to remove traces of meat, Responsibility: Hygiene effective in removing meat after a change over clean
by ineffective change over prior to vegetarian produc- Manager traces. Responsibility: Technical
cleaning tion. Timescale: Weekly Responsibility: QA Manager
Review: Monthly Manager Timescale: Within 12
Timescale: Within 3 months
months Review: 6 Monthly
Mixing Replusion of the Rapid pork Negative pork Swab sample Where the error has occurred Key audit aspects:
consumer due testing test result to be tested on without detection: investigate the
VEP summary
• As with any system, documentation must be subject to robust methodology, which are adhered to at
all times
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 69
70 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
CHAPTER 3
CONTINUATION STAGES OF AN
ERROR VULNERABILITY STUDY
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 71
Review
The team need to review the error vulnerability assessment on a routine basis, the
frequency of which should be defined.
The reviews should be documented and any actions arising from the review should be assigned and formally
closed out.
• Risk register
• Complaints
• Incident reviews
• Business plans which may affect future changes in procedures and processing
Routine challenge of the crisis management system should form part of the review. This should include tests of the
crisis process for the management of the specific errors within the risk register.
In addition to the routine review, additional reviews should take place when:
• Changes to the product or process occur, particularly when claims are added, removed or amended
• Changes to staffing or human resources policies occur, which may impact on the frequency of errors occurring
Continuous improvement
The review should include an evaluation of the integrity assessment itself, with the objective being one of continuous
improvement. Regular review of the assessment should ensure that any new protection measures that were added
in the last review, are assessed for their effectiveness. Where new protection measures that detect an event or error
are found to be effective, this may allow re-assessment and re-scoring. This should ensure that all current risks remain
the focus, as they are most likely managed as VEPs, and those that have been previously a risk, but are now under
control, move into the normal day to day excepted ways of working.
To explain how this may work, an example has been provided below - for cross-contamination of dairy in a dairy-free
72 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
product due to ineffective cleaning of a depositor. In the first instance, when this error is assessed there may not be
any protection measures in place to detect if the event of ineffective cleaning has occurred, or if the error of cross-
contamination of dairy has occurred. The assessment may look something like this:
Impact Vulnerability
Consumer Score Business Score Impact Motivation Score Opportunity Opp. Vuln. Risk
Score Score Score Score
Therefore the score achieved would be significant. Protection measure(s) would then need to be assigned, such as
rapid allergen swabbing of the equipment to prove it is clean. Product testing may also be introduced to prove that
the batch is dairy-free. When assessing these protection measures, this may be determined through the decision
tree as VEPs, if allergen techniques such as these are not a site wide measure which is managed by a PRP. The VEPs of
allergen swabbing and testing would then need to be implemented and adhered to.
When the integrity assessment is then reviewed 6 months, or a year later, the assessment of the error could be
revisited. At this time, the effectiveness of the protection measure of allergen swabbing and product testing could
be reviewed. If the protection measures have been effective in managing the event and the error, this would reduce
the scoring, as shown below:
Impact Vulnerability
Consumer Score Business Score Impact Motivation Score Opportunity Opp. Vuln. Risk
Score Score Score Score
Therefore the scoring for the vulnerability to the error occurring is reduced, so that it is no longer significant. It would
therefore need to be included in the sites PRPs and controlled as standard day to day activity.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 73
At the time of the review any new or emerging issues would be also be reviewed and added to the assessment. This
would include evaluation of any existing protection measures and PRPs which may not be effectively managing
errors. Re-assessment and re-scoring of these may mean that poorly performing protection measures become
significant and their management techniques may be heightened to VEPs.
74 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Maintaining the System
Once implemented the system will require maintaining, which is an additional
activity to review. System maintenance activities include ensuring the maintenance of
elements that support the system such as, but are not limited to:
• The gathering of data - in order to ensure that the system is constantly in a state of continuous development it
is essential that data is gathered which can be used during the review process, to establish where improvements
or changes are needed
Key points
• Review of the error vulnerability management system is vital to ensure its continued effectiveness
• Maintenance of the supporting elements of the system (the team, the information sources and
documentation control) is essential
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 75
76 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
CHAPTER 4
CASE STUDY
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity || 77
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity 77
Case Study
This case study has been created to give an example of how the methodology described in the guide can be applied
in practice.
The case study includes extracts of an error vulnerability assessment, not the study in its entirety. The flow
charts shown in this case study are for the manufacturing process and the product development process.
They are not intended to cover all possible steps, but are shown as an example.
The case study is based on The Yoghurt House Ltd who are a small, independent manufacturer. The Yoghurt House
Ltd produce organic and non-organic yoghurt products for a range of retailers. The case study focuses on the
development and production process and considers a selected number of steps through the scoring system.
78 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
The Yoghurt House Ltd -
Error Vulnerability Assessment
Scope & Terms of Reference
The aim of this study is to identify and manage the potential error vulnerabilities to the integrity of the product,
which could have an impact on the consumer and thereby a consequential impact on the business.
The study is split into modules of the manufacturing process, development process including specifications and
approval and also the procurement process. There are separate flow charts for the manufacturing process and
development flow and these are linear in structure. The flow chart of the manufacturing process is shared with the
HACCP plan.
Yoghurt Production
The study starts at receipt of raw materials and finishes at the process step of check weighing, which is after packing
into printed coded packaging. Errors associated with the raw materials from the supply chain are assessed at the
point of raw material intake.
Development
The study starts at the point of receipt of a brief from the customer or sales team for customer branded products, or
the on-site marketing team for own label products, through to the launch of the product in production.
Procurement
The study starts at the point of a new raw material or supplier, or a change to an existing raw material through to the
approval of the raw material and/or supplier, prior to supply.
Processes covered
This assessment is for yoghurt manufacture and covers the activities of:
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 79
Defining the asset
The asset to be ultimately protected is the consumer. The Yoghurt House Ltd is a small business and therefore the
impact on the business due to the impact on the consumer, would be great. The impact on the business has been
assessed as follows:
• Upset, repulsion or disgust of the consumer would cause minor financial loss
• Minor harm or hospitalisation to the consumer would cause major financial loss
This study considers the following categories of claims, this includes the list of claims currently made on pack:
Moral obligation:
Claims currently made on pack are:
80 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Team
Name Job Role Number of years with the Joined Training Team Role
company/experience in team
the industry
Julia Brown Technical 3 years with company as Aug 2015 One day error Core member
Manager Technical Manager. 15 years vulnerability Team Leader
experience in technical course
management in food industry August 2015
David White Production 2 years with the company as Aug 2015 One day error Core member
Manager Production Manager. 12 years vulnerability
experience in a variety of course
manufacturing roles August 2015
Simon Green Engineering 10 years with the company. Aug 2015 One day error Core member
Manager 12 years experience in food vulnerability
engineering course
August 2015
Steve Smith Goods in 1 year with the company. Sept 2015 In-house briefing Core member
Supervisor 6 years experience in various from team leader
warehouse roles September 2015
Helen Davies Head Buyer 4 years with the company. 8 Aug 2015 One day error Core member
years experience in food vulnerability
procurement course
August 2015
Chris Blues Development 9 years with the company. 20 Sept 2015 One day error Core member
Manager years experience in production vulnerability
and 8 years in development course
August 2015
Melanie Specifications 2 years with the company. 3 Aug 2015 One day error Core member
Shaw technologist years experience in specifications vulnerability
and artwork approval course August
2015
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 81
Prerequisite programmes
• Change management
• Human resources
• Internal auditing
• Segregation
• Development
• Hygiene
• Chemical control
• Process control
• Procurement
• Storage
• Packaging control
Further details of each prerequisite system can be found in the relevant Quality Management System documentation.
References
The following references have been used during the development of this error vulnerability study:
82 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Process Flow - Manufacturing
4. Cooling
5. Incubation
1a. Debox & High care transfer 6. Chilled storage (≤5°C) 2a. Debox & High care transfer
8. Lidding
9. Sealing
Key
10. Coding
Process
Step
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 83
Describe the process
1. Raw material intake The ingredients and packaging are bought in from approved suppliers
All delivery vehicles are checked for hygiene and temperature control
Printed packaging is checked for print quality and version
2. Chilled storage Ingredients are stored within a secure goods in warehouse at ≤5°C.
System is automated and alarms when the temperature rises above 8°C
3. Pasteurisation & Product is pasteurised and held at ≥85°C for at least 10 minutes to cause denaturation
denaturation
6. Chilled storage Product is chilled down to ≤5°C and held ready for filling
1a & 2a. Debox & high Raw materials are removed from their outer packaging (boxes)
care transfer Raw materials are passed through a sanitising tunnel into high care
Chemical strength is checked every 4 hours
1b & 2b. Debag Raw materials are debagged at the point of use and loaded onto the automatic feed
into the filler
11. Check weighing All product passes through an in line check weigher
12. Metal detection All product passes through an in line metal detector
Detector is checked at the start of the run, hourly and at the end using 3mm SS,
2.5mm NF and 2mm F
84 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Error Vulnerability Assessment - Manufacturing
Impact assessment
2b. Debag Upset to the The consumer 5 The impact of upset 2 5+2=7
consumer due to would be upset if to the consumer
inaccurate they purchased a may cause minor
provenance product that did not financial loss
information caused contain British
by non-British blueberries, as
blueberries being labelled
loaded onto the
filler
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 85
Error Vulnerability Assessment - Manufacturing
Vulnerability assessment
1. Raw Upset to the The event has not 0 The error of the 2 0x2=0
material consumer due to occurred before wrong printed
intake inaccurate organic and the event of the packaging would
or provenance wrong packaging be undetectable
information caused being delivered is and would
by delivery error of detectable as compromise the
the wrong packaging is product
printed version of checked on arrival
the artwork to ensure it is the
correct version
2b. Debag Upset to the The event of the 3 The error of the 2 3x2=6
consumer due to wrong blueberries use of the wrong
inaccurate being used at the compote would not
provenance filler has occurred be detectable and
information caused before and would would compromise
by non-British be undetectable the product
blueberries being
loaded onto the
filler
86 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Overall risk score
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 87
Protection measures and PRPs
1. Raw Upset to the consumer due to Intake printed packaging checks Packaging control
material inaccurate organic or provenance
intake information caused by delivery error
of the wrong printed version of the
artwork
2. Chilled Upset to the consumer due to Storage segregation and labelling Storage
storage inaccurate organic or provenance Scanning of raw materials on issue
information caused by poor
segregation of fruit during storage
2b. Debag Upset to the consumer due to Line clear procedure at change over Segregation
inaccurate provenance information Blueberry loading checks
caused by non-British blueberries
being loaded onto the filler
As an example, the protection measures for the step of debag (2b) have been put through the decision tree.
Decision tree
Remember each of the protection measures for the error need to be put through the decision tree separately.
88 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Risk register
VEP summary
Process Error Protec- Critical limit/ Procedure & Corrective Action Internal
step tion Criteria Frequency Auditing
measure (Verification)
2b. Upset to the Blueberry Product label Prior to Where blueberries Supervisor to
Debag consumer due loading to be checked starting are found to be in- carry out daily
to inaccurate checks prior to production correct, put on hold check
provenance loading into and each time and obtain
information filler and a new bag is replacement. Ensure that the
caused by verified by a added procedure is clear
non-British second team Investigate the
blueberries member Record: reason for failure Assess training
being loaded Process Record of procedure and and question
onto the filler Sheet implement action. relevant
personnel against
Resp: Where the protec- understanding of
Production tion measure has procedure
operative failed and product
has been Assess
compromised, understanding of
affected product corrective actions
must be put on
hold. Assess records for
compliance
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 89
Process Flow - Development
1. Product brief
3. Recipe development
5. HACCP assessment
6. Factory trial
7b. Shelf life verification 7. Factory sample approval 7a. Nutritional verification
9. Artwork approval
Key
10. Launch
Process
Step
CCP
CCP
VEP
90 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Describe the process
1. Product brief Product brief is received from the customer, marketing or procurement
2a. Source new New raw materials - ingredients and packaging formats sourced
raw materials New raw material and/or supplier process instigated
4. Kitchen sample Product assessment and approval with the customer or project lead
approval Samples kept for assessment against factory trial samples
5. HACCP HACCP assessment including allergen assessment of any new raw materials
assessment
7. Factory sample Product assessment and approval with the customer or project lead
approval Product assessed against kitchen sample
Photographs and eating quality agreed for QAS
7a. Nutritional Product from factory trial is sent off for nutritional assessment
verification Products with a claim are assessed over three separate runs
7b. Shelf life Product from factory trial is sent off for microbiological assessment
verification Organoleptic assessment is completed over life
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 91
Risk assessment - Development
Impact assessment
2a. Source Upset to the The consumer 5 The impact of upset 2 5+2=7
new raw consumer due to would be upset to the consumer may
materials inaccurate if they purchased cause minor financial
provenance a product that loss
information caused by did no contain
sourcing error of the ingredients with
wrong type of fruit provenance, as
labelled
Vulnerability assessment
2a. Source Upset to the The event of 1 The error would be 2 1x2=2
new raw consumer due to sourcing the detectable and would
materials inaccurate wrong type of compromise the
provenance fruit has occurred product
information caused by before but would
sourcing error of the be detectable
wrong type of fruit during the
specification ap-
proval process
92 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Protection measures and PRPs
2a. Source Upset to the consumer due to New/change raw material request Procurement
new raw inaccurate provenance form
materials information caused by Raw material specification check Development
sourcing error of the wrong type of
fruit
Decision tree
Risk register
VEP summary
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 93
References
British Retail Consortium (2015) Global Standard Food Safety Issue 7
Codex Alimenatrius Commission (2003) Hazard Analysis and Critical Control Point (HACCP) System and Guidelines for its
Application, Annex to CAC/RCP 1-1969 Rev - 4
94 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
About the Authors
After gaining a degree in Food Science from Kassy started her career in the food manufacturing
Nottingham University in 1993, Adele started her industry in 1998 and has an exceptional ability to
career in technical management within the meat implement simple and practical solutions, which
industry. She then moved into consultancy and can be effectively implemented into the factory
training and began to specialise in HACCP and food environment. With a background of NPD, process and
safety management, achieving the role of Managing quality control, compliance, auditing and technical
Director of a consultancy firm in 2000. As a Senior management, she has a wealth of experience in
Lecturer at the University of Salford Adele helped meeting the required standards effectively. During
to establish their MSc in Food Safety Management. her time within compliance she became well known
In 2003, Adele set up her own company to provide for her pioneering risk assessments which Marks &
practical training and advice on how to get the best Spencer used as examples of best practice. Since
out of the HACCP principles. Adele regularly delivers starting her own consultancy business in 2012 she
a wide range of HACCP and food safety programmes, now specialises in the practical application of HACCP
specialising in higher-level courses, to help teams and validation techniques.
become competent in HACCP techniques. She has
also helped many large companies to remodel their
HACCP systems in line with best practice, as well as
being involved with several projects for the Food
Standards Agency. With over 20 years of HACCP
experience, Adele is well known for her engaging
training and practical approach.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 95
96 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
The issue of food integrity is one of legal and moral obligation to the consumer
and is becoming increasingly important to brand protection within the food
industry. As a consequence, the need for a systematic approach to the task of
identification, assessment and management of the errors that compromise the
integrity of the product is required.
This book takes the pioneering methodology from the previous publication
“Assessing Threats & Vulnerabilities for Food Defence” and builds on it, to provide an
approach to assessing the errors that may occur during the manufacturing process,
which may compromise the integrity of the product.