Assessing Error Vulnerability For Food Integrity Ebook

ASSESSING ERROR
VULNERABILITY FOR
FOOD INTEGRITY
ADELE ADAMS & KASSY MARSH
ASSESSING ERROR VULNERABILITY
FOR
FOOD INTEGRITY
ADELE ADAMS & KASSY MARSH
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | i
Assessing Error Vulnerability for Food Integrity
Adele Adams & Kassy Marsh
Published by Techni-K Consulting Ltd & Adele Adams Associates Ltd
Copyright © 2015 Kassy Marsh & Adele Adams

ISBN: 978-0-9931737-1-4
G5 Cavendish House, Welbeck, Nottingham, S80 3LL, UK
www.techni-k.co.uk & www.adeleadamsassociates.co.uk
All reasonable care has been taken in the compilation, preparation and issue of this publication,
but it is provided without liability in its application and use. The information contained in this
publication must not be reproduced without the permission of the publishers.
ii | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Preface
The issue of food integrity is one of legal and moral obligation to the consumer and is
becoming increasingly important to brand protection within the food industry. As a
consequence, the need for a systematic approach to the task of identifying, assessing
and managing the errors that may compromise the integrity of the product is required.
Product integrity is a basic expectation of all consumers when purchasing food. If the packaging makes a claim, then
the consumer clearly expects the food inside the pack to meet that claim.
Ensuring that claims on pack are adhered to has always been a legal requirement, however the industry is having
to move with the times and not only meet the legal requirements but also adhere to their moral obligation to the
consumer.
The horsemeat scandal was a turning point for the food industry. It highlighted the vulnerability to fraud in the
supply chain, and also raised awareness of the impact of cross-contamination within the manufacturing process,
which could put the integrity of the product at risk.
It is essential to brand integrity to ensure that food manufacturers take an ethical approach to ensuring that claims
on pack are adhered to. The legal requirement is no longer the only obligation, but it is key to consider what the
consumer would think or feel if they were to understand how the product was processed.
The integrity of the product may be compromised by quality or legal issues, rather than just food safety hazards,
therefore the typical HACCP style assessment is not applicable. The current threat assessment methodology is also
not suitable, as compromise to a product integrity tends to be due to errors within the manufacturing process and
therefore is not a deliberate act.
A new methodology, to assess the vulnerability of these errors occurring and the subsequent compromise of product
integrity, is therefore required.
This book takes the pioneering methodology from the previous publication “Assessing Threat Vulnerability for Food
Defence” and builds on it, to provide an approach to assessing the errors that may occur during the manufacturing
process, which may compromise the integrity of the product.
Kassy Marsh Adele Adams

Techni-K Consulting Adele Adams Associates
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | iii
iv | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Executive Summary
The current risk assessment systems that are available, such as HACCP or a threat
and vulnerability assessment, do not meet the needs of assessing error vulnerability
for food integrity. The intention of the authors is to provide a detailed and robust
methodology for the assessment of error vulnerabilities, which meets the requirements
of standards such as British Retail Consortium (BRC Global Standard for Food Safety)
and customer codes of practise.
This publication describes how an error vulnerability assessment can be applied to all areas of the manufacturing
process and additional business processes such as new product development, which may cause product integrity
errors.
The methodology meets and also exceeds the current requirement in some standards such as British Retail
Consortium (BRC), where the requirement for an error assessment is purely limited to cross-contamination or loss of
identity of products such as organic or Halal.
The methodology meets the requirements laid out in more detailed customer codes of practise that require a much
wider and more detailed assessment to be completed.
As with the previous publication “Assessing Threat Vulnerability for Food Defence”, the methodology defined within
this publication is based, wherever possible, on the well accepted Codex Alimentarius HACCP approach (2003), this
publication assumes that the reader has a working knowledge of this. Although not an exact fit, most of the steps
from the Codex 12 step logic sequence are applicable. The authors take time to explain where a direct match can or
cannot be found. Drawing parallels with HACCP lessens the need to absorb and understand unfamiliar techniques
and should help to increase the speed of implementation.
Although the asset being protected is the same within HACCP and within an error vulnerability study, i.e. the
consumer (and the consequential impact on the business), the risks are different, although some overlap exists
around those that could cause harm. This publication discusses potential types of errors which may compromise the
integrity of the product, based on the claims that are made on the pack.
The scored risk assessment methodology has been pioneered by the authors and much consideration, trial and
error has gone into its development. It was the authors opinion that the typical two by two scoring matrix required
development, as this does not take into consideration the likelihood of the event occurring and so, the likelihood of
the event causing contamination of the finished product. For integrity assessment, splitting out the error and the
event, to give an overall vulnerability, provides a much more robust approach.
It is feasible, as risk assessment methodology develops, that vulnerability will become a more recognised term,
superseding ‘likelihood’ and providing a more structured approach that could be applied to other risk assessment
methods such as HACCP.
This publication includes the use of a unique decision tree to aid the objective identification of, what the authors
have termed, ‘vulnerable error points’ (VEPs). Existing terminology and definitions have been amended by the
authors to accommodate the differences between HACCP and error vulnerability assessment requirements.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | v
vi | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
Contents
Page
Preface iii
Executive Summary v
New Concepts ix
Glossary x
HACCP and Error Vulnerability Assessment 1
The Stages Involved in Carrying Out an Error Vulnerability Study 3

CHAPTER 1: PREPARATION STAGES OF AN ERROR VULNERABILITY STUDY 5
Obtain Senior Management Commitment 6
Define the Scope of the Study 8
1 Structure and start and end points 8
2
Processes covered 8
3
Defining the asset 9
4
Types of claims 10
5
Categorisation of claims 11
6
Describing the product 12
7 Reference documentation, guidance and legislation 12
Select the Team 14
Construct the Process Flow Diagram 17
On-site Confirmation of Process Flow Diagram 20
Describe the Process 21
Prerequisite Programmes 23
Protection Measures 25
CHAPTER 2: ASSESSMENT STAGES OF AN ERROR VULNERABILITY STUDY 29

Assessing Error Vulnerability 30
Establish the Errors 31
Define the Errors 33
Error Assessment 35
Assessing the Impact 37
Assessing the Vulnerability 39
Risk Rating & Significance 41
Establishing Protection Measures & Prerequisites 45
Establishing Management Techniques - Decision Tree 46
Implementing Techniques for Management 50
Management of Errors - Risk Register 51
Management of Errors - Prerequisites 52
Management of Errors - CCP 54
Management of Errors - Vulnerable Error Point (VEP) 55
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | vii
Documenting the Assessment 60
CHAPTER 3: CONTINUATION STAGES OF AN ERROR VULNERABILITY STUDY 71

Review 72
Maintaining the System 75
CHAPTER 4: CASE STUDY 77

Case study on The Yoghurt House Ltd 78
References 94
About the Authors 95
viii | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
New Concepts
This publication introduces a number of new concepts for assessing error
vulnerability, which are summarised below. These concepts should enable
manufacturers to carry out and implement robust and structured assessments
and management systems for product integrity.
Cumulative scoring system for risk assessment

The authors have pioneered the use of a new scoring system which takes into account the multiple factors
surrounding errors and the vulnerabilities to these errors, exceeding the obvious limitations of a two-dimensional
method.
Protection measures
The widely accepted terminology of ‘control measure’ is not suitable for use within an error vulnerability assessment
as some errors may only be detected and cannot be controlled. The term ‘protection measure’ has been introduced
and defined to accommodate this key difference.
Decision tree
The unique decision tree included in this publication provides an objective and consistent way of identifying how
significant risks should be managed. The tree includes multiple management options including management via
prerequisites, through a risk register, via an existing CCP or by the creation of a VEP.
Vulnerable error points (VEPs)

This publication details various potential options for the management of significant risks and creates a new option, a
VEP. A VEP being the food integrity equivalent of a CCP. Creating this new entity allows for those points which are
critical to food integrity to be identified and managed in a structured way.
Differentiation of critical limits and protection measure criteria

The authors have recognised the fact that protection measures for error vulnerabilities are often not as
absolute as those required for food safety. For this reason, a distinction in terminology has been created, allowing for
absolutes such as testing to be differentiated from those which are less so, such as visual checks of printed
packaging.
Validation and justification

The differentiation between protection measure critical limits and protection measure criteria continues on to the
area of validation. Here, a distinction is made between science-based validation and ‘justification’. Validation is
applied to absolute critical limits but is not appropriate for protection measure criteria as these are not absolute
values. Here the term ‘justification’ has been introduced, this being a rationale for the selection of the criterion where
science-based validation techniques cannot be applied.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | ix
Glossary
Asset The entity requiring protection
Compromise Where the product does not meet the objectives
Contaminant Harmful or objectionable matter
Error An unintentional act that compromises the product
Justification Subjective rationale for the effectiveness of the protection

measure criteria
Morals A set of values, with the intention to do the right thing
Product integrity A product that has been produced honestly, following strong moral
principles
Protection measure An action, activity or monitoring technique designed to prevent,

detect or reduce an error to an acceptable level
Protection measure - criteria Criteria which contribute to a reduction in vulnerability which

cannot be validated but can be justified
Protection measure - critical limits A value used to define acceptability for the protection measure
and one that can be validated
Risk register A register of identified significant errors where a protection

measure cannot currently be applied
Validation Objective evidence that the protection measure is capable of

delivering the required level of protection
Vulnerable Error Point (VEP) A point in the process where protection is essential in order to
detect, prevent or reduce an error to an acceptable level
Vulnerability How exposed the business is to the error occurring and having an
impact on the consumer
x | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
HACCP and Error Vulnerability
Assessment
There are many parallels between the methodology used within HACCP and that
which is described in this text for carrying out an error vulnerability assessment.
This familiarity is beneficial as HACCP is so widely used and, in most cases, clearly
understood by the food industry, avoiding the need to reinvent the wheel.
The similarities between HACCP and an error vulnerability assessment, as described in this publication,
can include:
• Both systems require a structured and systematic approach to gain the preventative benefits and effective
risk reduction
• Both systems require genuine management commitment to enable their effective design, implementation
and maintenance. The key resources required, such as key people, time and training are common between
both systems. Both studies have the potential to highlight necessary capital spend, it is simply the focus of
this spend which differs
• The use of a team is fundamental to both systems in ensuring that the required expertise is utilised, however,
the type of expertise required will differ
• Clarity of scope and terms of reference are paramount to both approaches
• Effective prerequisite programmes are vital in both systems. The purpose of prerequisite programmes
remains the same, i.e. to manage general hazards (errors) not specific to a process step. However, the pertinent
prerequisite programmes required will differ, with systems such as new product development taking more of a
priority within an error vulnerability assessment
• A detailed and accurate flow diagram is required in both systems to provide structure to the risk assessment
stage. The flow diagram within an error vulnerability study may, depending on the defined scope, include
additional business processes such as new product development. Flow diagrams in both studies must be
confirmed and signed off as being an accurate representation
• The risk assessment element also has commonalities between both systems in such that it needs a consistent
approach based on valid methodology. Within an error vulnerability study the risk assessment element
is multi–dimensional, rather than the typically simplistic severity and likelihood approach used within current
HACCP studies. Due to this increased complexity a numerical system is also useful
• The options for control measures have parallels between the two systems, i.e. prerequisite systems and CCPs
in HACCP and prerequisites and VEPs (Vulnerable Error Points) in an error vulnerability study. VEPs are the
food integrity equivalent of CCPs, i.e. points in the process where protection is essential in order to prevent or
reduce a vulnerability to an acceptable level. The term VEP is unique to this publication
• HACCP clearly defines control measures as actions or activities used to prevent or eliminate a food safety hazard
or reduce it to an acceptable level (Codex Alimentarius HACCP approach, 2003). This definition is not an exact
match within an error vulnerability assessment as some errors may not have a robust control measure and
may need to rely on a testing or checking for detection. Including tests or checks (which are monitoring
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity | 1
activities and not controls) as control measures is not accepted within HACCP and would upset many purists
• Both systems utilise a decision tree to aid the objective and consistent identification of CCPs/VEPs. Within this
publication a unique decision tree has been created for the identification of VEPs or alternative options to
manage the integrity errors such as a risk register, existing CCP or a prerequisite programme
• Due to their similarity, the management of the VEPs again has many elements in common with the
established methodology for managing CCPs and can be documented in a similar format which is shown in
later worked examples
• Validation remains an essential part of both systems and is itself attracting more emphasis in current HACCP
systems. Both systems require validation, however within an error vulnerability assessment subjective
‘criteria’ are justified as opposed to validated, as validation requires an objective value
• The need for effective verification and review clearly applies to both systems with either system easily being
rendered ineffective if neglected. The type of evidence gathered to verify each system will differ but the need
for evidence of compliance remains the same. Within an error vulnerability assessment, verification activities
rely more heavily on auditing. Instances or changes prompting review may be common to both systems or
unique to either but the need to assess the potential impact of the change on the validity of the systems
remains vital
• Much of the typical documentation formats for existing HACCP systems can also be used for an error
vulnerability assessment. Using familiar formats can aid understanding of the system
It is therefore evident that much of the existing HACCP methodology can be utilised within an error vulnerability
assessment. However, this is not a perfect fit and the following differences should be noted.
Areas where HACCP and an error vulnerability assessment can differ include:
• The identification of the intended use and user of the product has much less relevance with an error
vulnerability assessment. A HACCP study should already consider known instances of misuse by the
consumer or customer, such as incorrect microwave heating. However when assessing food integrity, the errors
which may occur during production, are not influenced by the use of the customer or consumer
• The term ‘control measure’ is not directly applicable within an error vulnerability assessment, this can be
better replaced with the more relevant term of ‘protection measure’. A ‘protection measure’ is defined as ‘an
action, activity or monitoring technique designed to prevent, detect or reduce an error to an acceptable level’.
This change in terminology reflects the fact that many significant risks from errors cannot be ‘controlled’, i.e.
prevented, eliminated or reduced to an acceptable level. Some can only be detected by testing or checking
• Where possible the criteria used around protection measures should include objective and measurable critical
limits. This is possible with, for example, detection methods such as rapid species testing. However, there will
be other protection measures which contribute to a reduction in vulnerability but which are a more subjective
way of assessing if the error has occurred, such as a visual check of printed packaging. To highlight this difference
this publication utilises two terms to describe values used to define protection measures, these being ‘critical
limits’ and ‘criteria’. Protection measures which can detect an error will have ‘critical limits’ and therefore will
require validation. Protection measures which provide additional control but are not an absolute
will have defined ‘criteria’ that will need justification
• The description of the product is essential in both HACCP and an error vulnerability assessment, although the
type of description is different. HACCP looks at describing the food safety elements of the product, whereas
error vulnerability must describe the integrity of the product, through the types of claim that are made.
2 | Assessing Error Vulnerability for Food Integrity © Techni-K Consulting Ltd & Adele Adams Associates Ltd
The Stages Involved in Carrying
Out an Error Vulnerability Study
Preparatory Stages Assessment Stages Continuation Stages
Obtain senior Establish & define

Review
management commitment the errors
Define the scope

Assess the impact Maintain the system
of the study
Select the team Assess the vulnerability
Construct process Calculate risk score

flow diagram & establish significance
Define the
Describe the process
protection measures
Use decision tree to establish

Define prerequisites
management techniques
Implement management
techniques
Validation or justification
& verification of VEPs
CHAPTER 1
PREPARATION STAGES OF AN
ERROR VULNERABILITY STUDY
Obtain Senior Management
Commitment
The need for management and workforce commitment applies equally to assessing
errors to product integrity claims as it does to any other management system such
as HACCP. The key resources required are also likely to be similar, primarily being key
people and time, both of which can be in great demand in many food businesses.
Without genuine management commitment, the error vulnerability assessment is in danger of being a
purely paper exercise to satisfy requirements with little or no impact on risk reduction. As with HACCP, gaining full
attendance at regular meetings can be a challenge. However, the need for multi-disciplinary input and expertise
when carrying out an error vulnerability assessment is just as vital, and exposes the system to the same potential
flaws if not achieved.
Along with the resources of people and time, the study may also highlight the need for capital expenditure such as
increasing storage space to allow for improved segregation or the purchase of sole use equipment to reduce the risk
of cross-contamination, if identified as necessary. Any capital expenditure will also clearly need the budget holders to
understand the rationale and be willing to release the required spend.
A product integrity management system cannot function with just management commitment alone. For successful
risk reduction the workforce also need to be on board. In fact, many of the key controls rely on personnel to control
the steps where product integrity could be compromised.
As with HACCP, the findings, results and failures of the product integrity management system should be
communicated back to senior management and other interested parties, to ensure that they remain aware of the
effectiveness of the system. A member of the senior management team may well be part of the product integrity
assessment team.
Ongoing resources will also be required to ensure the system remains effective. This may include refresher training for
the team, resource of time or spend for updating activities or the implementation of additional protection measures.
It will be the responsibility of senior management to regularly review and maintain the risk register, which will contain
known potential product integrity errors currently beyond the control of the organisation. Discussion of product
integrity errors on the risk register should become part of the regular dialogue of the business and incorporated
into established meetings and communication channels. This has been the case for many years for topics such as
health and safety. It has taken most of the industry some time to achieve the same for food safety so raising product
integrity issues to the same level may pose another challenge.
Key points
• Management commitment is vital in ensuring that the system is taken seriously within the business
and the required resources are released
• The main resources required will be people and their time, training, access to information
and perhaps an increased spend on areas such as segregation techniques, where necessary
• The workforce must also be engaged and committed as they will be vital in the effectiveness of the
protection measures
• The commitment of both the management team and workforce must be maintained over time to
allow the system to remain valid and supported
• Management will need to take responsibility for the regular review of the risk register, where
potential integrity errors which cannot currently be controlled are managed
Define the Scope of the Study
Agreeing and defining the scope and terms of reference of the study requires
careful consideration, as a product integrity assessment needs to encompass a wider
scope than typically defined within a HACCP system, i.e. it is broader than solely the
manufacturing process.
The scope and terms of reference of a product integrity assessment can potentially be very broad. Whichever way the
business decides to define the scope of their assessment, the important point is to ensure that the scope is agreed,
documented and followed.
The scope and terms of reference may include, but is not limited to the following:
1 Defining the start and end points of the study
2 Defining the processes covered
3 Defining the asset
4 Types of claims made within the current product range
5 Categorisation of claims
6 Describing the product
7 Reference documentation, guidance and legislation
1 Structure and start and end points
As with HACCP, the structure of the system should also be agreed and documented. A linear approach is simplest
and helps to ensure that the system is viewed and considered in its entirety. A modular approach may be useful for
larger companies with more complex business systems. Processes such as new product development or artwork
generation could be classed as individual modules.
The start and end points of the study also require careful consideration. This will again differ from the HACCP
approach where generally only steps under the direct control of the business are included with typical start and end
points of intake and dispatch. As many of the errors considered within an error vulnerability assessment may come
from the processes such as new product development or procurement, so the starting point clearly needs to be
much further back than intake. The final stage to be considered could be defined as the point in which the product
is packed or labelled, as at this point the product integrity is complete.
2 Processes covered
From the outset, the team must be clear about which business processes will be covered by the study. There is much
flexibility here and different businesses will take their own approach to suit their specific needs. Currently many of
the recent changes in industry standards, such as the BRC Global Standard Food Safety, have focused their attention
predominantly, or exclusively, on the cross-contamination or loss of identity from the manufacturing process,
however customer standards may expect a wider scope.
The team may decide to:
• Include all stages in the internal product flow, inputs such as new product development, procurement,
artwork generation and follow the entire process through to the point in which it is packed or labelled
• Consider the integrity errors of just the product flow, from raw material intake up to the point at which the
product is packed or labelled
• Only consider the cross-contamination or loss of identity errors at specific points in the manufacturing process in
isolation, as currently required by the BRC Global Standard for Food Safety
Differing processes may need considering separately, for example:
• If the nature of the process affects the potential vulnerability. For example a process involving lots
of manual checks versus a process which is automated, such as a bar code reader
• Where the production process is the same but the type of equipment is different, meaning that the cross
contamination risks are different
In addition to the examples given above, potentially there will be a broad spectrum of differences when assessing
the use of raw materials, manufacturing and packing processes.
Potentially many business processes can be included within the scope, this being clearly wider than just the intake,
manufacturing and storage elements as considered within a typical HACCP study. The scope of an error vulnerability
assessment can also include business processes such as artwork generation and raw material sourcing. The following
list provides some suggestions for inclusion. This is not an exhaustive list and all or many areas may not be applicable
to or required by, all businesses.
• The sourcing, purchase and supply of raw materials including packaging
• The innovation, development and implementation of new and existing products
• Activities such as specification and pack copy generation, artwork sign off and first print run approvals
• The storage, preparation and manufacturing processes taking place on site
• The management of utilities/services and facilities
• The management of cleaning activities
• Any activities such as contract packing carried out by third parties
• The introduction and management of machinery and equipment
A multi-site business may carry out a study which covers various production sites; however it must be remembered
that local differences, such as the management of PRPs or equipment specifics, must be taken into account at a local
level.
3 Defining the asset
Before progressing, the team must first be very clear about exactly which asset they are trying to protect. A system
to assess product integrity errors clearly has the product as its focus and objective. Therefore the scope and terms of
reference can be initially defined as errors that could impact the integrity of product claims. It must be remembered
that the fundamental asset we are trying to protect is the consumer. A food integrity system clearly needs to have
the product at its centre, however, ultimately this is in order to protect the consumer from harm, upset or repulsion/
disgust.
The impact on the consumer must be a key consideration as any loss or harm to the business is generally due to the
effect that it has on the consumer. As the team are considering compromises to product integrity it is valid to assume
that any false or dubious claims which reach the market place will have an impact on the consumer in some form,
ranging from upset to potential death. It is generally the level of impact on the consumer that drives the level of loss
for the business.
4 Types of claims
There is a diverse range of on-pack claims, potentially all of which could make the product illegal and affect the
product integrity. Before beginning the assessment the team need to be very clear about what on pack claims are
currently made within their existing product range.
Types of claim include but are not limited to:
• Legal names
• Country of region or origin
• Farming/ sourcing standards such as - wild, free range, barn eggs, farming standards, sustainability claims
(palm oil, fish catching), fishing standards, catching methods
•
Certification standards - LEAF, Red Tractor, Fairtrade, Rainforest Alliance, Freedom Foods, Marine Stewardship
Council
• Religious claims - Halal, Kosher
• Vegetarian, vegan
• Nutritional claims - enriched, low fat, reduced calorie, low sugar, diabetic, low salt, 10% less, vitamins and
minerals
• Compositional claims - % alcohol, QUID, caffeine content
• Legal requirements for composition - % fat in milk and cream, meat content, % water
• Health claims - reduce cholesterol, fish oils
• Ethics - GM free, palm oil (roundtable) RSPO certified
• Handmade, artisan, homemade, traditional, natural, pure
• Free from - preservatives, additives, artificial ingredients
• Allergens - as per the ingredient declaration, low gluten, gluten free
• Protected Geographical Indication (PGI), Protected Designation of Origin (PDO), Traditional Speciality
Guaranteed (TSG)
• Provenance - species of fruit
• Trademarks, licenses, brands
• Legal weights and measures, legal number
• Processing - such as maturation
5 Categorisation of claims
The claims listed previously which may affect integrity, can be categorised due to the their affect.
Most errors regarding on pack claims will render the product illegal by nature, substance or quality, due to their
non-compliance with the Food Safety Act 1990 or current labelling regulations.
Some may pose a food safety risk such as incorrect allergen information, due to cross packing or cross-contamination
of allergens.
The third category is due to the businesses moral obligation to the consumer, to do the right thing. These are not
direct non-compliances to the claims made on pack, but would cause the consumer upset, repulsion or disgust if
they were to know the truth about how the product was produced. This is a much more complex category as it
requires the business to produce the product in an ethical manner. The table below shows some examples of these
types of moral obligations, along with allergenic and illegal by nature, substance or quality examples..
Claims can be split into the following categories:
Type of integrity error Example
Allergenic/immune response • Contamination by allergens, caused by wrong product or pack
Nature, substance & quality Errors which compromise the product, so legally it is not of the
correct:
• Nature, e.g. the wrong species of meat
• Substance, e.g. incorrect nutritional value
• Quality, e.g. industrially manufactured product rather than

hand made
Moral obligation Errors which compromised the ethical nature of the product
• A vegan product made on a line that also handles meat
• Scottish plain loaf made in England
• Halal product made on a line where pork has been produced
• Welsh butter made using non-Welsh milk
6 Describing the product
It is important to describe the products that are being assessed and also to describe what errors the products may be
at risk from.
This can be done by detailing each of the products, the claims that are made on-pack for each product and then
listing the errors that may compromise the product.
This information can then be used as a guide when carrying out the assessment and assessing which errors need to
be included.
Product Organic Morello Cherry Yoghurt Blueberry Yoghurt
Claims on pack Organic British blueberries

Morello cherries British yoghurt
British yoghurt Allergen contains list
Allergen contains list Average weight
Average weight
Warning - may contain cherry stones
Pertinent errors Non organic on same line Non British blueberries used on site
Use of non-Morello cherries Incorrect average weight
Incorrect average weight Wrong product, wrong pack
Wrong product, wrong pack
7 Reference documentation, guidance and legislation
There are many guides, books and pieces of legislation that can be used as guidance when assessing food integrity.
The Food Standards Agency website is a good source of information which provides links to the pertinent pieces of
legislation, and also guidance documents which help to interpret the legislation.
Key points
• The scope and terms of reference must be clearly defined, documented and followed
• The scope of an error vulnerability assessment can potentially be very broad and is certainly not as
consistent as within most HACCP systems
• The scope may be limited to errors in the manufacturing process or broadened to include other
business processes such as the new product development or procurement
•
The start and end points of the study may differ from HACCP, with the inclusion of other business
processes
• A modular approach may be useful where additional and potentially complex business processes are
defined within the scope
• The asset being protected must be clearly defined
• The claims on-pack must be documented and categorised
•
The products to be assessed must be described, including details of the errors that they may be at risk
from
Select the Team
Carrying out an error vulnerability assessment can require specialist expertise and
is unlikely to be exactly the same as that required for HACCP. A multi-disciplinary
approach covering the key functions of the business is required to ensure a robust
system is designed. The team should also include an inter-hierarchical dimension,
including junior management or operatives, as and when appropriate.
The specific constitution of the team will be driven by the defined scope and terms of reference of the
study. However, a typical team for an error vulnerability assessment may include:
• Procurement - with knowledge of sourcing of raw materials, to ensure that claims such as provenance or
composition are met
• Technical - including those with responsibility for organising site approval of certification standards and
knowledge of the requirements
• Production and operations staff - with a detailed understanding of production methods, the production
environment and staffing requirements. This team member may also be responsible for the goods in process
•
Process technologist - with an understanding of the product characteristics and existing process control
measures
• Engineer - with knowledge of the equipment and processes used on site including specialist knowledge of
processing and packing equipment
• Distribution or logistics - with knowledge of the storage and distribution processes and requirements,
including those carried out by third parties
• New product development - with responsibility for the development of new or existing products
• Specifications technologist - with knowledge of the specifications systems and pack copy generation. This
team member may also manage the artwork approval process
• Packaging technologist - with knowledge of the supplier print process, responsible for approving first print run
of packaging
As with HACCP, the details of the team should be documented including:
• Name of each member
• Job role or title
• Identification of the team leader
• Individual experience, relevant knowledge and qualifications
• Date of joining and leaving the team
Larger companies may choose to establish a core error vulnerability assessment team and support this with
additional members who can be called upon to provide specialist knowledge when required or to stand in for absent
core members. Within smaller operations, multiple roles may be covered by one individual thereby reducing the size
of the team.
Ensuring the team have undergone training in how to carry out an error vulnerability assessment is vital to ensure
success and prevent wasted effort and confusion. The team should also have an identified leader who can drive
progress and provide feedback to senior management.
It is recommended that the team include a representative from senior management. As with any system, certain
resources, particularly time and key people, will be required and senior management support will need to be in place
to enable the on-going release of these resources.
To ensure the study and system can continue to function effectively, each member of the team should have a
suitably experienced stand-in to cover their absence. As with HACCP, continued absence of individual members
should not be tolerated due to the impact this may have on the validity of the plan.
The error vulnerability team have certain responsibilities which include:
• Ensuring the correct mix of expertise is available to the team
• Carrying out the error vulnerability study accurately and consistently
• Validating or justifying the protection measures relied upon within the study
• Implementing the protection measure deemed necessary within the study
• Ensuring the workforce is aware of the importance of the system and trained in the necessary protection
measures as they relate to their roles
• Verifying that the protection measures are effective in reducing or detecting the identified significant risks and
vulnerable error points
• Reviewing the system in response to change, such as new information from legislation or standards to ensure it
remains valid
• Maintaining the system and the elements that support it such as the team membership, ongoing training and
on-site awareness
As with HACCP, it is good practice to retain minutes from the team meetings and to also include information from the
error vulnerability assessment into the management review process.
Key points
• The use of a suitably experienced and knowledgeable team is essential for the creation of a robust
and valid system
• Team members should be carefully selected and their details recorded
• The composition of the team will differ from that of a typical HACCP team
• The team must draw information and expertise from a broad range of sources and take a
global viewpoint
• The team must be made aware of their responsibilities
• The team must be maintained to ensure the longevity of the system
Construct the Process
Flow Diagram
As with HACCP, the risk assessment element of the error vulnerability assessment is
easier to complete if driven by a clear and accurate flow diagram of the process(es) as
defined within the scope of the study. The purpose of the flow diagram is to provide
a detailed illustration of the processes being considered. This is especially important
for processes which may be less commonly understood across the site such as
procurement or new product development.
The following points could be included in the flow diagram, where applicable as defined in the scope, this is
not an exhaustive list:
• Sequence and interaction of all steps and business processes being considered
• Inputs including raw materials, packaging, processing aids, utilities/services where applicable (water, steam, gas,
air, coolants), equipment
• Outputs such as finished product, intermediate products, by-products, rework, waste and recycling
• Outsourced processes and subcontracted work
• Additional flow diagrams to show further detail of specific activities should be produced where necessary
• Equipment specifics which effect the risks, such as separate or segregated equipment
The flow diagram for an error vulnerability assessment may become quite complex. Ideally all the diagram should be
visible on one page with a linear approach taken. However, it may be necessary to create more detailed sub flows for
complex areas and processes. It may be possible to combine the requirements of the error vulnerability process flow
with the current HACCP process flow, to reduce the repetition of documentation.
Unlike a HACCP process flow, which ideally should focus on the process that the product goes through, rather than
the types of equipment, an error process flow needs to take into account the actual equipment as well. Where
equipment is segregated for particular products such as allergens for example, this will effect the risks involved.
Therefore where multiple pieces of equipment can be used to carry out a production process, each piece of
equipment needs to be assessed individually.
It is good practice to give each step a unique identification by the use of a numbering system. Arrows are essential
to show the direction of flow. Colour coding can aid clarity on complex flow diagrams and it is useful to define any
colours or symbols used in the process flow diagram in a key. Where the HACCP and the error vulnerability flow
diagrams have been combined, ensure that the key used makes all the pertinent elements of the process steps clear
for both studies.
On the following page is a basic example process flow diagram for the development of a new product.
Key
Optional step
1. New product brief
Process step
2. Capability study
3. Recipe development
4a. Kitchen sample rejected 4. Kitchen approval process
5. Factory trial
6. Transit trials
7. Factory sample approval

7a. Factory sample rejected
process
8. Specification & pack copy

generation
9. Artwork approval process
10. Packaging delivery
11. Launch
Flow diagrams should be produced for all processes defined within the scope of the study, which
may include:
• The sourcing, purchase and supply of raw materials including packaging
• The storage, preparation and manufacturing processes taking place on site (this should already be in place for
the existing HACCP system)
• The new product development process, including artwork generation
• Any activities carried out by third parties such as contract production and, or packing
Key points
• A clear and accurate flow diagram is essential to ensure the process being considered is understood
by the team
• The flow diagram should include detail such as the sequence and interaction of all steps, inputs,
outputs and subcontracted activities
• Sub-flows or modules may be useful for complex flows or where the scope includes multiple
business processes
• Where multiple pieces of equipment are used for one process, each must be shown as a process step
to ensure they are assessed individually
On-site Confirmation of Process
Flow Diagram
Once completed it is vital that the flow diagram is confirmed as being accurate by
the team members, including additional expertise where required. Omissions or
mistakes may result in pertinent error vulnerabilities being missed, leaving the business
potentially exposed. It is useful to document the confirmation process as evidence of
its completion. As within HACCP, variations across shift patterns, seasons, etc. should
be taken into account.
It is good practice to ensure that the confirmed final version of the flow diagram is signed off by the team and kept
up to date.
Key points
• A thorough on-site confirmation of the flow diagram is essential to ensure its accuracy
• Inaccuracies may lead to error vulnerabilities being missed or the inaccurate assignment
of protection measures
• The flow diagram should be confirmed and signed off by the team
Describe the Process
Once the process flow diagram has been confirmed, describing the process and
equipment at each step will help to focus the assessment. It is also a really useful tool
during audits to explain the processes that occur at each step.
On completion of the process flow, each step can be listed and then explained. This helps the team to clarify the
actions taking place at each step which are pertinent to product integrity.
HACCP teams will be familiar with how to describe the processes involved in production, however, additional
business processes such as development and procurement processes may also need describing (if included within
the scope). The purpose of the process description is to provide clear information about the key parameters which
are pertinent to, or influence, the level of vulnerability around the business process under consideration. Where
multiple pieces of equipment are used for one process and these have therefore been shown on the process flow as
individual process steps, the equipment and the differences between the equipment should be described.
Within HACCP systems, there is a clear requirement to describe the product in a detailed and structured way. If the
process flow diagrams have been combined for HACCP and error vulnerability, the information which is important for
integrity can added to the existing HACCP descriptions.
When compiling a description of the production process the following factors could be included:
• Where ingredients, work in process materials, rework, finished product and waste are segregated
• How ingredients, work in progress materials, rework, finished product and waste are labelled
• Where PRP integrity checks take place during manufacture or packing
• How approvals in the process take place, such as artwork approval
• Where equipment is the same or where it is segregated for specific products
• The point at which the product integrity is complete
Once completed the process description should be documented and kept up to date. An example of how to
document the process description is shown within the case study, in Chapter 4 (page 84).
Key points
• The content of the process description will be driven by the defined scope
• All processes included at each step in the process should be described
• The information within the process description should include key parameters which are pertinent to,
or influence product integrity
• The process description should be documented and kept up to date
Prerequisite Programmes
The concept and purpose of prerequisite programmes (PRPs) is now well understood
by the food industry. Exactly what is classed as a prerequisite continues to differ
between businesses, depending on the circumstances and level of development, but a
typical list will generally contain many well recognised topics.
The concept that PRPs control general, often site-wide, hazards which are not specific to a particular process step
is well accepted. Other controls such as those around critical control points (CCPs) or operational prerequisite
programmes (OPRPs) are designed to control significant food safety hazards at specific steps in the process.
For the purposes of an error vulnerability study, a PRP can be defined as a set of generic protection measures which
are not specific to a process step.
Typical PRPs for an error vulnerability study may include the following, noting that not all of these will be
relevant to all businesses and additional ones may be required:
• Process control
• Product control
• Change management
• Specifications
• Supervision and management
• Chemical control
• Foreign body control
• Product packaging
• Procurement
• Traceability
• Supplier approval and monitoring
• Hygiene
• Personal hygiene
• Storage
• Segregation
• Labelling
• New product development
• Crisis and incident management
There will be elements of many existing prerequisite programmes that could be relevant within an error vulnerability
study. There may also be the need to add new prerequisite programmes or add new elements to the existing
programmes.
Key points
• Prerequisite programmes play an important role in reducing the level of vulnerability
• The type and nature of the prerequisites required for an error vulnerability management may differ
in parts from those typically relied upon for food safety
• Additional prerequisites that provide specific detail of elements which are key to ensuring on pack
claims are met may be required, such as segregation
Protection Measures
Historically the principles of HACCP, as defined by Codex Alimentarius 2003, have
defined a control measure as an action or activity which is used to prevent, eliminate or
reduce a hazard to an acceptable level.
Therefore monitoring activities cannot be included as a true control measure as defined by HACCP. However, it is
known that this is not always achievable and at times the only way of ensuring that the product is safe is to apply a
monitor, such as a test or a check. If, at this stage, it was to be found to be unsafe, there are procedures that would be
put in place to either correct the problem or stop the product from being released.
An example is the hazard of glass or brittle hard plastic directly above open product. There is no control for this
hazard, as there is currently no reasonably practicable technology that would stop a breakage of glass or brittle
plastic above open product occurring. The only way to ensure that the finished product is safe is to apply a check
to these items at a frequency which will ensure that any breakages are highlighted while the product is still within
the control of the manufacturer. Thereby allowing any possibly affected product to be quarantined, ensuring unsafe
product is not released to the customer or consumer.
Currently the only way of managing this restriction in HACCP is to word the monitor as a control. For example rather
than stating ‘glass and brittle hard plastic checks’ the wording of ‘glass and brittle hard plastic procedures’ would
be used.
Ultimately it is understood that the two above statements mean the same thing, but it does cause restrictions within
the HACCP system that are not reflective of the contemporary food manufacturing industry. In addition, there is no
reason to look upon the application of monitoring systems negatively in situations where no control measures can
be applied, it is just a different type of management, one of reaction rather than prevention. By facing the fact
that a reactive monitor is required, it actually highlights the issue and enables the application of stricter controls
where necessary.
For this reason the system of assessing vulnerabilities for food integrity requires a more pragmatic approach, which
allows both controls and monitoring systems to be applied. To overcome this conflict the term ‘protection measures’
has been chosen.
Therefore the original HACCP definition of control (Codex Alimentarius 2003) which is:
‘An action or activity to prevent, eliminate or reduce a hazard to an acceptable level’
Is amended for the term protection measure so it becomes:
‘An action, activity or monitoring technique designed to prevent, detect or reduce an error to an acceptable level’
Note that the word ‘eliminate’ has been removed as it would be too strong to state that an error could be eliminated,
as it is an unintentional act.
The word ‘detection’ also appears in the amended definition, as it is not always possible to ‘control’ an error, it may at
times be necessary to put protection measure in place to detect if the error has occurred.
As with controls in HACCP many protection measures are managed through a prerequisite programme, as discussed
in the previous prerequisite section.
Key points
• Protection measures are the equivalent of control measures within HACCP
• The definition of ‘protection measure’ allows for the inclusion of monitoring and detection methods
• The reference to elimination has been removed as it would be very difficult to claim or prove that a
protection measure could totally eliminate an error
• Many of the protection measures will sit within prerequisites, either existing or highlighted as
necessary by the study
CHAPTER 2
ASSESSMENT STAGES OF AN
Assessing Error Vulnerability
The following section details how the error vulnerability assessment should be
carried out.
This process involves the following stages:
• Establishing and defining the errors
• Assessing the errors for impact and then vulnerability
• Using the impact and vulnerability scores to calculate the risk rating to determine significant risks
• Establishing the protection measures and prerequisites for each error
• Putting each protection measure for each significant risk through the decision tree to identify the required
management techniques, which could be:
• Risk register
• Prerequisite programme
• Current CCPs
• Vulnerable error point (VEP)
Each of the following sections detail the requirements and process for completing each element of the error
vulnerability assessment.
Establish the Errors
An error is something that can compromise the integrity of the product. The pertinent
errors at each process step should be listed, in line with the error categories stated in
the scope.
The errors to be considered are centred on ensuring that the claims on-pack are not compromised and that the
product does not contain anything which is not detailed on the pack.
The team must ensure that all of the claims on-pack which are defined in the scope are considered within the
assessment.
When establishing the errors, the team must ensure that all of the events that potentially could cause an error are
considered.
Using the process flow diagram as a guide, the team must assess each process step, identify and record the relevant
errors at each step.
Thinking about the potential errors that could occur is vital in order to establish effective protection measures and
implement these in the areas of greatest vulnerability.
The following list of possible errors can be used as a thought prompter to aid discussion with the team:
Specification
• Incorrect specification agreed with supplier – e.g. characteristic relating to on-pack claim not specified or
incorrectly specified
• Supplier not able to supply according to specification
Packaging details
•
Incorrect pack design – either via lack of awareness of legislation or errors in calculation e.g. QUID
declarations
• Errors at packing printer such as selection of incorrect proof
Incorrect packaging used
• Incorrect packaging selected and issued to packing line
• Failure to remove packing from previous production run
Cross-contamination
• Incorrect storage and labelling during storage
• Inadequate segregation – during storage, debox/debag, weigh up, prep/mixing, assembly, packing, finished
product
• Inadequate cleaning of equipment
• Inadequate hygiene and segregation of personnel
• Spillages - inadequate management of spillage
Use of incorrect ingredient
• Lack of or incorrect labelling – from supplier or on ingredient bins
• Loss of label – inadequately attached, assumptions made when relabelling
• Illegible labelling
• WIP not labelled – part used bags of ingredients
• Rework not labelled
• Visually similar ingredients used in error
Incorrect recipe controls
• Wrong quantity
• Inaccuracy of load cells or scales
• Software failure in automated systems
• Errors of bulk filling of silos/tanks etc.
Lack of process controls
• Inadequate times for maturation claims
• Inadequate control of methods e.g. dry cure
• Incorrect set up of weighing equipment – parameters and reject mechanisms
• Weighing equipment not calibrated
• Inadequate feedback of finished weight / count information back to production line
• Incorrect count settings (automated or human error)
NPD processes
• Inadequate validation of nutritional content
• Inadequate validation of health benefits / claims
• Inadequate recipe validation – incorrect QUID, nutritional
• Inadequate validation of ingredients – e.g. low gluten etc.
Lack of control around certification standards
• Expiry of supplier certification standard
• Loss of certification to claim standard due to failing audit (at supplier or on-site)
Define the Errors
Documenting the error
In order to achieve a consistent result, it is beneficial to establish a defined and repeatable way of describing the error.
This will help to ensure an objective result rather than a subjective or emotive one.
In order to ensure that the error is outlined consistently the following method can be used:
How the asset is
due to the error caused by the event
affected
For illustrative purposes, an example of organic contamination with a non-organic ingredient is built up below.
How the asset is affected
As defined in the scope, the asset ultimately being protected is the consumer and the subsequent effect that the
consumer has on the business. In this example, the effect on the consumer is one of upset from eating a product
which is not entirely organic.
The error could be defined as follows:
Upset to the
consumer
The error
This should provide a description of the error which may occur, which causes the claim on-pack to be compromised.
The error could be defined as follows:

contamination from a
Food Upset
poisoning
to the
due to non-organic ingredi-
of the consumer
consumer
ent
The event
The final part of the error detail is to define the event that caused the error to occur. The event should detail where in
the process the event occurred, if possible.
For the examples given above, this may look as follows:

contamination from a lack of labelling of
Food Upset
poisoning
to the caused by
due to non-organic ingredient weigh up
of the consumer
consumer
ingredient tubs
Further examples
The following examples provide detail on how the error should be defined, for events which occur not only during
the manufacturing process, but also in process steps which occur prior to production - such as recipe development
and artwork generation and approval.
The error of not meeting average weights could be defined as follows:
insufficient
Food Upset
poisoning
to the caused by
due to underweight product monitoring of average
of the consumer
consumer
pack weights
The error of not developing the recipe with nutritional requirements in mind could be defined as follows:
FoodDisgust
poisoning
to the inaccurate nutritional caused by incorrect recipe
due to
of the consumer
consumer information development
The error of not ensuring that allergen labelling is correct on the artwork could be defined as follows:
FoodDeath
poisoning
to the inaccurate allergen caused by lack of artwork
due to
of the consumer
consumer information approval and sign off
Key points
• The error needs to be carefully and accurately defined to enable the rest of the study to be precise
• The methodology for detailing the error should be defined, documented and consistently applied
• Sufficient detail should be included in the event description to ensure that the error is thoroughly
understood and an appropriate protection measure can be applied
• Providing sufficient detail will provide transparency and clarity during audits and assist understanding
when personnel in the team change
Error Assessment
The aim of the error assessment is to:
• Establish and score what impact the error would have
• Establish and score the level of vulnerability to the error occurring
• Establish if there is a significant risk, by calculating the overall risk score
• Determine how significant errors should be managed
A benefit of a cumulative scoring system over the 2-dimensional model of severity and likelihood commonly used in
HACCP is that it allows for mitigation where protection measures can be applied, and the event or the error can be
detected. Thereby meaning that the product will not reach the consumer.
This assessment methodology takes into account the impact on the consumer and the subsequent impact on the
business, providing a system for grading and scoring the overall impact.
It then progresses to consider the vulnerability of the business to that error. This is decided upon by considering both
the vulnerability of:
• The event occurring
• The error occurring
In both cases it is essential that the ability to detect the error is considered.
An event could occur, but if there were protection measures in place which ensured that the event would be
detected, the error would be addressed ensuring that compromised product would not be allowed to reach the
consumer.
For example, if the event of insufficient cleaning occurred on a pork meat depositor, this could be detected by
carrying out a rapid swab of the filler. If pork meat was detected, it could be re-cleaned, meaning that the product
which was produced next would not be compromised.
In the same way, if the error was to occur, and there were protection measures in place to detect the error, the error
would be addressed, again ensuring that corrective actions are put in place, so that he compromised product would
not reach the consumer.
If either the event or the error is detected and this causes the issue to be resolved, then there is no risk to the
consumer.
For this reason, the event score and the error score are multiplied together. The impact score and the vulnerability
score are then also multiplied together.
This would mean that even if a high impact score was achieved, if the vulnerability score was low, the overall risk
score would be low - as the consumer and so the business, are not vulnerable to the error.
Once the overall risk score has been calculated the methodology provides a technique which defines which risks are
significant.
Once significant risks have been established the system provides a decision tree which can be used to identify how
each of the protective measures should be managed.
There are four possible management techniques resulting from the use of the decision tree:
1 The error is managed through a risk register
2 The error is managed through the application of current prerequisites, through the amendment of a current
prerequisite or introduction of a new prerequisite
3 The error is managed through current CCPs
4 The error is managed through the application of a vulnerable error point (VEP)
The following sections provide further detail on each management technique, explaining how they are applied.
The latter sections explain how the information generated by the study could be documented.
Assessing the Impact
The first aspect to assess is the impact that the identified error could have on the asset,
i.e. its impact on the consumer, and the subsequent impact on the business which is
driven by the affect on the consumer.
To do this objectively and consistently a scoring system for each impact is required. The following example
illustrates how this may look:
Consumer Business
Definition Score Definition Score
Death 9 Closure 4
Hospitalisation 8 Major financial loss 3
Minor harm 7 Minor financial loss 2
Repulsion/Disgust 6 Disruption 1
Upset 5 None 0
None 0
It must be noted that the scoring system is higher for the consumer than for the business, this is because the
consumer is the primary concern. Any loss or harm to the business is generally a consequence of the affect that the
error has on the consumer, resulting in loss of sales or financial impact due to fines, recalls etc.
Unlike HACCP, repulsion/disgust and upset have been included in the impact on the consumer. Food integrity is not
restricted to food safety and therefore repulsion/disgust and upset of the consumer must be included.
Adding upset and repulsion/disgust allows consumer impact to be assessed for errors such as vegetarian products
being contaminated with meat substances, or organic products being contaminated with non-organic ingredients.
Within this system, the scores for consumer impact and business impact are added together. The addition of the
numbers ensures that the impact to the consumer has a greater weighting as this is the ultimate asset to protect.
Key points
• The potential impact is the first aspect to be assessed and scored
• The impact on both the consumer and the consequential impact on the business must be considered
• The impact on the consumer is given a higher weighting as the consumer is the ultimate asset
to protect
• The levels of impact are not limited to food safety but also include upset and repulsion/disgust
Assessing the Vulnerability
Vulnerability is how exposed the business is to an error having an impact on the
consumer. An error can exist but, if there is no weakness to that error, then there is no
vulnerability. Therefore vulnerability measures how susceptible the business is to the
error having an impact.
Once the overall impact has been assessed, the team must progress to assess how vulnerable the business is to the
identified error having the defined impact.
As with impact, a scoring system for each vulnerability is required. The following illustrates how this may
look:
Vulnerability
Event Error
The event has occurred before and would be 3 The error would be undetectable and would 2
undetectable compromise the product
The event has not occurred before and would 2 The error would be detectable and would 1
be undetectable compromise the product
The event has occurred before and would be 1 The error would not compromise the product 0
detectable
The event has not occurred before and would 0

be detectable
‘The event’ is the event that causes the error to occur, such as mislabelling leading to non-organic contamination
or poor cleaning resulting in species cross-contamination. For the event, the scoring system describes if the event
is detectable or not. In order for the event to be detectable, there needs to be a positive confirmation (protection
measure) in place that confirms that the event has or has not occurred, such as a check. For the example of poor
cleaning resulting in species contamination, a positive confirmation of the event would need to be a check such as
ATP of the cleaning.
The scoring system, then determines if the error (caused by the event) would contaminate the product and if the
error itself would be detectable through the application of protection measures. Again, in order for the error to be
detectable there needs to be a positive confirmation in place that confirms that the error has or has not occurred. For
the example of poor cleaning resulting in species contamination, a positive confirmation of the error would require
something like testing of the product produced for species contamination.
The scoring system allows for mitigation of the event and the error, to reduce the vulnerability. If protection
measures are in place to ensure that the event and, or the error is detected, this reduces the vulnerability score. For
this reason the event and error scores are multiplied together.
If the event has not occurred before and there are protection measures in place to ensure that it would be detected if
it was to occur, the score would be 0. Therefore when this is multiplied by the error score an overall score of 0 would
be achieved, because if this error could not occur, the product would not be compromised, because the event is
detectable.
The error assessment also takes into account if the error being assessed will compromise the product. If the error
does not compromise the product, a score of 0 is given, so that when the event and error scores are multiplied
together the result is 0.
Key points
• Vulnerability is the next aspect to consider once the overall impact has been assessed
• Vulnerability is made up of two separate elements, which are event and error
• For an error to reach the consumer both the event and the error need to occur without detection
• For an error to have an impact on the consumer it must compromise the product
Risk Rating & Significance
Once the overall scores for impact and vulnerability have been calculated, these two
numbers are then multiplied together to give the risk score for that error.
The reason for multiplying these figures is to allow situations where the vulnerability score is deemed to be zero, to
mitigate the impact score, giving a result of zero. This is because no matter how high the impact of the error, if there
is no vulnerability to it, then there is no risk.
Impact
Consumer Business
Death 9 Closure 4
Upset 5 None 0
None 0
Consumer impact + business impact = impact score
Vulnerability
Event Error
detectable

be detectable
Event x error = vulnerability score

Impact score x vulnerability score = risk score
Impact Vulnerability
Vulnerability Score
Impact Score
Consumer
Business
Error Risk Score
Event
Error
Upset to the consumer due to contamination from a 5 2 7 3 2 6 42
non-organic ingredient caused by lack of labelling of
ingredient weigh up tubs.
Upset to the consumer due to underweight product 5 2 7 1 1 1 7

caused by insufficient monitoring of average weight
packs
Disgust to the consumer due to inaccurate nutritional 6 2 8 3 1 3 24

information caused by incorrect recipe development
Death to the consumer due to inaccurate allergen 9 4 12 1 1 1 12

information caused by lack of artwork approval and
sign off
The above scoring shows and example of the scoring, based on a medium sized business.
You will notice that the allergen issue on the last example above comes out as a low score, even though it could
cause death to the consumer. This is because there are a number of protection measures in place which detect both
the event and the error, therefore this reduces the vulnerability to the error occurring.
Significance
A significant error is an error which would be totally unacceptable to the consumer and subsequently, one which the
business is unacceptably vulnerable to.
The methodology described in this publication uses a cut-off point for a significant error as any score of 24 or more.
The rationale for this is described below. However, it may be necessary for the business to reassess or amend this
score depending on the current circumstances or business requirements.
The cut-off score of 24 has been defined by taking a minimum score for what would be deemed as an unacceptable
impact on the consumer and the business, and similarly for the event and the error, as described below.
The horsemeat scandal showed us the impact that upset to the consumer can cause on the industry, the brand and
the businesses involved. Therefore the score that would need to be applied as unacceptable would be upset to the
consumer, so the score which would cause a significant impact is 5 and above.
Because the impact on the consumer drives the impact on the business, given that upset to the consumer is
significant, any disruption would need to be considered as significant, providing a score of 1.
The total significant impact score is 5 + 1 = 6.
The greatest risk from an event is where it has cannot be detected, therefore a score of 2 or more would be
unacceptable.
As with the event, the greatest risk is where the error cannot be detected, therefore this also provides a score of 2.
The total significant vulnerability score is 2 x 2 = 4.
These scores have then been multiplied together to give the significance score.
Therefore the overall significance score is 6 x 4 = 24. Therefore a score of 24 or more is deemed to be significant.
Summary of scoring methodology
Consumer impact + business impact = impact score
Event x error = vulnerability score
Impact score x vulnerability score = risk score
Key points
• The risk rating is calculated by multiplying the overall score for impact with the overall score
for vulnerability
• The multiplication of the event and error scores allows for a zero rated vulnerability score where
the event has not occurred before and would be detectable, or where the error would not
compromise the product
• The multiplication of the impact and vulnerability score allows for a zero rated overall vulnerability
score to cancel out an impact score, where the business has no vulnerability to the error
• Within this guidance the boundary for significance has been identified as 24, based on deeming what
would be unacceptable for the consumer impact, business impact, event and error
Establishing Protection Measures
& Prerequisites
Protection measures should be identified for each error. Protection measures are
required for both significant and non-significant risks.
As determined previously the protection measures applied can be controls or monitoring activities. The aim of the
protection measure is to prevent, detect or reduce the error to an acceptable level.
The protection measure(s) assigned to each error may already be in place, or the errors may necessitate the
identification and implementation of new protection measures, which may or may not be known.
It may be necessary to consult with internal resources such as research centres or head office specialists or where
additional assistance is required, external private resource centres, trade associations or government sources.
Protection measures which prevent the error should clearly be the first focus, however if these are not available,
options for detection and then reduction should be considered. Any protection measures that are in place to
positively confirm that the event or error has or has not occurred must be listed.
Generally, the more protection measures that can be assigned to the error the better, as this obviously reduces the
vulnerability but will also give the business more flexibility with regard to cost of frequency of application of each
protection measure.
Each protection measure should be assigned to a prerequisite programme, where applicable. In doing so it may
become apparent that additional prerequisite programmes are required, which specifically manage errors. It may
also be necessary to add protection measures to existing prerequisites which originally were outside the scope of the
typical HACCP prerequisites.
Establishing Error Management
Techniques - Decision Tree
All significant errors should be put through the decision tree to establish how each of
the protection measures should be managed.
It is likely that a higher number of errors and associated protection measures will be put through the decision
tree than would be expected within a HACCP study. This is because the standard CCP decision tree only has two
outputs - to be managed through the prerequisite programmes or as a CCP. However, within the error vulnerability
methodology the decision tree allows for a number of outputs, each of which provide effective and appropriate
management techniques.
Each protection measure should be considered individually to establish the appropriate management technique.
The decision tree can be found on the following page.
Implement changes to
Question 1: Can the error be eliminated? Yes eliminate the error
No
Question 2: Is there a protection measure in place?
No
Yes Add protection measure

Question 2a: Can an
Yes & reassess
immediate protection
measure be added?
No Add to Risk Register
Question 3: Is the protection measure a generic

measure managed by an existing PRP?
Yes Manage as a PRP
No
Question 4: Is this protection measure at this process

step designed to protect against this specific error?
Yes
Question 5: Is this protection Continue to manage

No measure managed by an Yes through CCP
existing CCP?
No
Add to existing PRP

VEP
or generate new PRP
The following section explains each of the questions within the decision tree and how they should be applied. Each
protection measure for each error should be put through the decision tree individually. The result of each question
should be recorded.
Question 1: Can the error be eliminated?
It is important to not just accept all errors that have been identified and manage them as such. Prior to accepting the
error it should be reviewed to ensure that it cannot be eliminated and where it can, it should be.
Where errors have been identified and can be eliminated, record ‘yes’ to question 1. It is advisable to document the
actions applied to eliminate the error.
If the error cannot be eliminated answer ‘no’ and proceed to question 2.
Question 2: Is there a protection measure in place?
It is not always possible to apply a protection measure to every error and therefore it is key to highlight where the
consumer and the business are exposed to an error, due to the lack of protection measures.
If a protection measure can be applied, record ‘yes’ and move to question 3.
Where a protection measure is not currently in place, record ‘no’ for question 2 and move on to question 2a.
Question 2a: Can an immediate protection measure be added?
Review whether an immediate protection measure can be applied. Where, following a review, a protection measure
can be applied, document the protection measure along with any relevant prerequisites, record ‘yes’ for question 2a
and reassess.
Where, following a review, an immediate protection measure cannot be applied, record ‘no’ for question 2a and add
the error to the risk register. For further details on the risk register, see the following error management section (page
51).
Question 3: Is the protection measure a generic measure managed by a PRP?
If the protection measure is generic and is managed through an existing prerequisite, then no additional
management is required, record ‘yes’ to question 3.
If the protection measure is not managed by an existing prerequisite or it is not a generic protection measure then
additional management is required. If this is the case, record ‘no’ and move to question 4.
Question 4: Is this protection measure at this process step designed to protect against
this specific?
When answering this question it is important to remember that the question applies only to the particular process
step that is being assessed. If the protection measure is not specific to that process step it is considered a generic
protection measure and therefore it should be managed through the prerequisites. Therefore document ‘no’ to
question 4.
However, if the protection measure has been designed to manage the error at this particular process step, answer
‘yes’ to question 4 and move on to question 5.
Question 5: Is this protection measure managed by an existing CCP?
If the protection measure has been designed to specifically control the error at the process step being assessed
it is possible that it may already be managed through HACCP for food safety purposes, as a critical control point.
Therefore, if this is the case, no further management is required, as the CCP should always take precedence. If so,
document ‘yes’.
If the protection measure is not managed through HACCP as a critical control point, record ‘no’ to question 5. If this is
the case it must be controlled as a vulnerable error point (VEP). For more information on managing vulnerable error
points, see the following management section (page 55).
For each protection measure that is put through the decision tree, document the error management system which
will be either via a PRP, Risk Register, CCP or VEP.
It must be remembered that there may be more than one protection measure for each error and each of
these protection measures may be managed in different ways.
Key points
• The decision tree provides an objective and repeatable way of identifying the management technique
required for each error
• Each protection measure must be considered individually through the decision tree as their
management may differ
• The results of the decision tree will be to manage the error either via a risk register, through
prerequisites (current or additional), through current CCPs or via a vulnerable error point (VEP)
Implementing Techniques for Error
Management
Once each of the protection measures has been put through the decision tree, one of
the four following management techniques will have been selected:
1 The protection measure is managed through a risk register
2 The protection measure is managed through the application of current prerequisites, through the amendment of
the current prerequisite or the introduction of a new prerequisite
3 The protection measure is managed through current CCPs
4 The protection measure is managed through the application of a vulnerable error point (VEP)
Each of these management techniques is explained in the following sections.
Management of Errors
- Risk Register
In the event that a significant error identified does not have a protection measure,
it is essential that the business is aware of it, so that it can be regularly reviewed for
improvement and action taken to ensure that the vulnerability to the error is reduced
to an acceptable level.
It may be that there are currently no protection measures available, but future developments in the industry
may mean that they become available at a later date. Regular review of the risk register will ensure that these
developments are included and they should be recorded.
In addition, the risk register must be reviewed following errors in the industry or on site.
The risk register should retain details of the original assessment, as well as the revised scores as the register is
reviewed and amended regularly to reflect progress in reducing the vulnerabilities. The rationale for including an
error on the risk register, rather than implementing immediate protection measures, must be robust and clearly
documented.
The register should include where applicable short, medium and long term actions for how protection measures will
be implemented. Once these protection measures are available, they should be assessed again through the scoring
and the decision tree system.
The frequency of review and the triggers for unscheduled reviews should be defined. The minutes from reviews and
actions, with close out, should be recorded within the risk register documentation.
In the event of an error which is detailed on the risk register occurring, it is expected that this would be managed
through the implementation of the crisis management system. The crisis management system must be reviewed to
ensure that it provides the required processes for the errors identified on the risk register. Where there are specific
requirements for the management of these errors through the crisis management system, these should be clearly
detailed on the risk register. In addition, crisis management tests should include the challenge of the errors identified.
- Prerequisites
The management of quality, legality and food safety hazards is generally accepted
and well-established within the food industry. However, it is possible when assessing
error vulnerabilities for food integrity that not all necessary protection measures will be
already included in the current set of prerequisites. It is likely that new prerequisites,
such as product segregation, which is not generally defined as its own prerequisite
within HACCP plans, will be required to manage food integrity errors.
Therefore it is likely that when carrying out an error vulnerability assessment for the first time there may be changes
required to the current prerequisite programmes and new topics may be created.
The decision tree assists in defining when a protection measure should be managed through the current defined
prerequisite or added to the prerequisite suite, whether that is as an existing prerequisite or as a new topic.
Where the protection measure is to be managed through an existing prerequisite, the documentation for this
prerequisite should be reviewed and amended. The documentation should clearly show how the protection
measure is managed and that this element of the prerequisite is managing a significant risk for food integrity.
Where the decision tree defines that the protection measure should be added to the prerequisite suite, it should be
first established if a new prerequisite topic is required. If this is the case, the topic documentation should be written,
establishing the criteria for how the protection measure is to be managed. Again, the prerequisite documentation
should clearly show that the protection measure is managing a significant risk for food integrity.
The PRP procedure below is shown as an example of how the documentation could be laid out, but does
not include all the required detail.
5.4.2 Product Segregation

1.0 Purpose
Product segregation has been defined as a prerequisite within the quality management system. The aim of
this prerequisite is to ensure that raw materials, in-process product and finished products are protected
from cross-contamination, to ultimately ensure that the claims on-pack are met.
2.0 Responsibilities
It is the responsibility of the site management team to ensure that the requirements laid out in this
document are implemented and effectively enforced.
3.0 Food Integrity - Error Management

Product segregation has been identified through the error vulnerability assessment as a key protection
measure, to manage:
3.1 Dedicated and segregated storage of raw materials must be in place during storage. Ingredients
which are similar in nature must be clearly labelled to ensure that errors are not made in picking
of ingredients.
4.0 Food Safety Management
4.1 Raw ingredients must be segregated from ready-to-eat or drink ingredients during storage to
ensure that pathogenic cross-contamination is minimised.
- CCP
Where a protection measure has been defined as being managed through an existing
CCP, it should be recorded within the error vulnerability assessment, but no further
additional management is required as HACCP takes precedence.
The HACCP plan should be updated to include, in the CCP summary, that the CCP is not only managing a food safety
hazard, but has also been identified as managing an integrity error. Failures of the CCPs and the corrective actions
implemented should be fed into the error vulnerability reviews.
Process Hazard Control Critical Monitoring Correction Verification

step measure limit & Corrective
Action
Cooking Pathogenic outgrowth Alcohol ≥5.2 % Test sample at Mix for a fur- Alcohol
in the finished addition aqueous start, hourly and ther 3 minutes record sheets
product due to alcohol end of run. and re-sample. checked and
insufficient alcohol If the re-test signed off by
addition Responsibility: does not meet supervisor
Production the critical
This CCP has also operative limit. Inform Complaints
been identified as supervisor, data
managing a food Record: Ref 5.49 to request
integrity error: Alcohol Record approval to Routine
Upset to the Sheet add additional pathogen
consumer due to alcohol. surveillance
inaccurate QUID Responsibility: on finished
caused by inaccurate Production product
alcohol addition operative
CCP audits
Record: Ref
6.12 Non-
conforming
product form
Investigation
into reason for
test failure
- Vulnerable Error Point (VEP)
The main difference between CCPs and VEPs is that a CCP must be controlled to ensure
that every product that is released to the consumer is safe to eat. Therefore critical
limits, monitoring and frequency and must be effective at all times.
Errors could include food safety issues such as ensuring that the allergens listed on pack are correct. They could
also include errors where the weight of the product does not meet the legal requirements. Therefore the a degree
of pragmatism is required around the how the VEP is validated. The validation of the protection measures does
not always, as with CCPs, require evidence that the system is effective at all times, but can also include a degree of
justification for the frequency at which the protection measure is applied.
The aim is to ensure that the VEP reduces the vulnerability of the error to an acceptable level. The ‘acceptable level’
therefore must be justified if it does not provide 100% protection.
There may be more than one protection measure for an identified error managed as a VEP which reduces the
vulnerability to the error. Where this is the case, this should be taken into account when determining the frequency
at which each of the protection measures are applied.
Where a critical limit can be applied to a protection measure it should be validated to prove that it is effective. The
frequency at which the protection measure is applied should be justified (if it doesn’t confirm that the whole batch
each time it is produced, is correct).
Where a critical limit cannot be applied, criteria are required and they must be justified.
In order to ensure that the vulnerable error points are managed as effectively as possible, they should be structured
in a similar way to CCPs within the HACCP system.
Therefore the following should be established, implemented and recorded on a VEP summary:
• Protection measure critical limits or criteria
• Monitoring procedures and frequency
• Corrective actions
• Internal auditing (verification)
The VEP summary should also be backed up with validation and justification documentation, for the critical limits,
criteria and frequencies applied.
Protection measures - critical limits & criteria
For each protection measure either critical limits or criteria should be applied.
A critical limit is an objective measure, one that can be determined through validation, by proving that the limits
provide the results that are required within the process specified. For example, a critical limit could be applied to
nutritional testing, as the test would have limits for pass and fail.
A criterion is a subjective measure, one that cannot be validated, but can be justified. For example checking a piece
of printed packing for print legibility is a subjective task and so criteria would be applied, in the form of picture
standards. Therefore the criteria for the pass or fail of a check would need to be justified.
Protection measures procedures & frequency
For each VEP protection measure there must be a procedure which defines who is responsible, how it should be
managed, when the measure should be applied and at what frequency, the critical limits or criteria and how the
result should be recorded.
Protection measure corrective actions
The procedure must include what corrective action is required in the event of the measure not meeting the set
criteria or critical limits, who is responsible for applying it and when it should occur.
Corrective action should be considered for the three main types of failure:
• Where an error has occurred without detection (such as when a complaint is received)
• Where an error has occurred and has been detected
• Where an error has not occurred, but the protection has been found to have failed (this may be discovered by an
internal audit or supervision)
Where an error has occurred and has not been detected, the crisis management system must be implemented if it
is suspected that the error is not confined to an isolated product. Additional actions may also be required, these may
include additional protection measures or increased frequency of protection measures, while there is a risk of the
error reoccurring. The root cause of the error should be investigated and corrective actions implemented to ensure
that the risk of the error reoccurring is minimised.
Where an error has occurred but has been detected, the protection measure has been successful in preventing
the error from affecting the asset, (the consumer and subsequently the business) the action required will be based
around removing the root cause of the error.
Where an error has not occurred and the set protection measure criteria or critical limits have been found to have not
been met (through supervision or internal auditing), the corrective action should be based around the prevention of
a failure of the protection measure in the future. This should include investigation and root cause analysis as to why
the protection measure was not effective.
In all cases the corrective action applied should consider where possible:
• Correction of the current error
• Action to prevent the vulnerability to the error reoccurring
• Investigation as to how the vulnerability occurred and corrective action, using root cause analysis to
prevent re-occurrence
Internal auditing (verification)
Verification is defined here specifically as internal auditing. Within HACCP systems there is a range of verification
activities, such as end product testing or confirmation micro testing. However, within the error vulnerability
assessment, typical verification activities such as checks and tests are now classed as valid protection measures.
Therefore the only true verification activity is internal auditing.
This makes internal auditing an essential control and therefore it is important to define the specific elements of the
internal audit which will verify that the protection measure is effective.
For example, when defining the key internal audit elements for the protection measure of nutritional
testing to meet legal fat percentage in milk,
• Observing the operator carrying out the fat test against the procedure
• Challenging the competency of the operator
• Ensuring that the operator is trained to the current version of the fat test procedure
• Ensuring that the testing machine is calibrated
• Reviewing sampling techniques
• Reviewing the previous test results for compliance
• Reviewing the reaction to failures and any relevant corrective actions
It is vital to ensure that the activity is well managed, through the use of trained and experienced auditors. This
may require shadowing of auditors and also calibration to ensure that the results are consistent and to the required
standard. Any non-conformances arising from the audits must be managed effectively and closed out in a timely
manner to root cause. The results of the audits should also be trended and analysed in management meetings and
error vulnerability reviews.
Validation & justification
It is essential that validation and justification is documented for all protection measure(s) managed as a VEP.
As detailed previously unlike HACCP, validation may include a level of justification. The first aspect to consider when
working through the VEP, is whether the protection measure requires validation or justification.
Where critical limits are applied to a protection measure they will require validation.
Where criteria are applied to a protection measure they will require justification.
The frequency of application of the protection measure in both cases will require a clear justification.
All validations and justifications should be documented. The level of detail should be sufficient to explain the theory
and methods used, this should allow other trained individuals to be able to follow, understand and, where necessary,
replicate the data.
To do this, the following should be used as a guide when creating the document:
• Background - explain the error and how it effects the asset
• Legislation - detail any legislation that may be applicable and explain how it impacts on the validation
or justification
• List of protection measure(s) that manage the error. For each protection measure it should be explained why
each is either objective; and therefore requires critical limits and validation, or subjective; and therefore requires
criteria and justification
• Where equipment is used as part of the protection measure procedure, the specification should be included.
The functionality of the equipment should be explained and any limitations highlighted. Where there are
limitations that will affect the consistency or effectiveness of the equipment these should be challenged, to
show how they will be controlled or monitored
• Establish critical limits - if critical limits are applied, they should be challenged and the results of these challenges
recorded. Where possible, trials should be carried out and for the worst case scenario i.e., at the extremes of the
critical limits, to prove that they work
• Where protection measure criteria are to be applied rather than critical limits, the justification should
be documented
• Challenge the process - for protection measures which have critical limits or criteria, the process should be
challenged, either in theory or in practice. What could happen to cause the protection measure to be
ineffective? Is there a part of the process that, if not controlled, may have an effect on the critical limits? Where
these are identified they should be documented and validated or justified.
• Review - the frequency of review for validation or justification and what the review should include
Key points
• The required error management techniques should be identified using the decision tree
• A risk register is used for errors which currently have no feasible protection measure. Errors on the
risk register must be regularly reviewed
• Many of the required PRPs may already be in place, others may need expanding or amending to
include the required protection measure. PRP documentation should show a clear link to how the
significant error is managed within the PRP
• Where existing CCPs have been identified as also controlling error vulnerability, this should be stated
on the CCP summary. Failures in CCPs should be fed back into the error vulnerability assessment
review
• VEPs are a new concept and have many parallels with food safety CCPs
• Limits around VEPs are not as absolute as those around CCPs. VEP critical limits and criteria need
careful consideration
• VEP critical limits require validation, whereas protection measure criteria require justification. Both of
these should be robust and documented
• Verification within an error vulnerability study mainly comprises of internal auditing activities
Documenting the Assessment
This section provides an example of how the error vulnerability assessment could
be documented.
For the purpose of this guidance, it is presumed that prior to documenting the assessment, the team will have already
documented their assessment methodology. The introductory information including, the team, the scope, the terms
of reference, process description and confirmed flow diagram for the process(es) under consideration should also
have been documented by the team.
This section provides guidance on how to document the following elements:
• Table of the error impacts
• Error vulnerability assessment table:
The errors
The protection measures and PRPs
Impact assessment
Vulnerability assessment
Overall risk scoring
The decision tree assessment, including the result
• Risk register
• VEP summary
Table of the error impacts
Prior to detailing the errors at each process step, it is recommended that standardised error impacts are defined. This
helps to ensure that the way in which the errors are evaluated is consistent, to both the consumer and the business.
Like severity within a HACCP assessment, the impact of the error is less variable and has an element of repetition.
Therefore work through all the errors that could occur and work out what the standardised consumer impact would
be. For example, an allergenic error would always be assessed as death to the consumer in the worst case. An error
which may effect celiacs may be assessed as hospitalisation. An intolerance error may be always assessed as minor
harm. Each standardised consumer impact can then be considered for its potential impact on the business. These
impact scores can then be set for the rest of the assessment.
The vulnerability to the error is more variable, as with the likelihood within HACCP. This depends on many factors,
such as which process step is being evaluated, the current protection measures in place and how effective they are.
Using the following as an example:
‘Upset to the consumer due to contamination from a non-organic ingredient caused by lack of labelling of
ingredient weigh up tubs.’
Documenting the errors
As previously discussed the should be laid out clearly and describe:
How the asset is

due to the error caused by the event
affected
In order to show how and where information should be documented the text entry points on the subsequent tables
have been labelled with (step 1), (step 2) and so on.
Each error should be listed against each process step. To do this, document the process step and step reference (step
1), then number each error for that process step (step 2) as this will assist in referencing later. Finally, document each
of the errors (step 3), (using the structure shown in the diagram above ) as shown in the example below.
Process Step Error Reference Error
(Step 1) (Step 2) (Step 3)
Weigh up 1 Upset to the consumer due to contamination from a non-organic

ingredient caused by lack of labelling of ingredient weigh up
tubs
Documenting the impact assessment
Impact
Consumer Business
Death 9 Closure 4
Upset 5 None 0
None 0
Continuing with the organic error example, on assessing the impact to the consumer, the error would not cause the
consumer harm but they would be upset that they have purchased and consumed something that was not true to
the label. Therefore the consumer impact score would score 5.
The result of such an error on the business would depend on the size of the business, but could be standardised for
the business in question. For this example, presuming the business is a medium sized operation, the loss of sales
could cause minor financial loss. Therefore the business impact score would be 2.
In order to confirm why the score has been defined as 5 for the consumer and 2 for the business, it is advisable to
document the theory behind it. An example of what this may look like is shown in the table below.
Impact
Error Consumer Score Business Score Impact

Score
(Step 3) (Step 5) (Step 4) (Step 5) (Step 4) (Step 6)
Upset to the consumer due to Consuming a non-organic 5 The error may 2 7

contamination from a product would not cause cause minor
non-organic ingredient caused harm, but may cause the financial loss
by lack of labelling of ingredient consumer upset as the due to poor
weigh up tubs product was not true to the publicity and
claim loss of sales
Using the impact table assign the correct impact assessment to each error, ensuring that for each score (step 4) for
the consumer and for the business the reason behind the score is defined (step 5). Calculate the impact score by
adding the two scores together (step 6).
Documenting the vulnerability assessment
Vulnerability
Event Error
detectable

be detectable
Repeat the exercise for the vulnerability assessment, again ensuring that the scores (step 4) and the explanation of
the score (step 5) are included. Multiply the two scores together to give the overall vulnerability score (step 6).
Vulnerability
Error Event Score Error Score Vuln.

Score
(Step 3) (Step 5) (Step 4) (Step 5) (Step 4) (Step 6)
Upset to the consumer due to The event of lack of 3 If non-organic 2 6

contamination from a labelling of the ingredients were
non-organic ingredient caused ingredient tubs has used it would be
by lack of labelling of ingredient occurred before and undetectable and
weigh up tubs would not be detectable would compromise
the product
Documenting overall risk scoring
Document the overall risk scoring by multiplying the impact and vulnerability scores (step 7). Anything above the
significance score of 24 should be highlighted (shown in bold and underlined), to show that it should be taken
through the decision tree.
Consumer Score Business Score Impact Motivation Score Opportunity Score Vuln. Risk
Score Score Score
(Step 5) (Step 4) (Step 5) (Step 4) (Step 6) (Step 5) (Step 4) (Step 5) (Step 4) (Step 6) (Step 7)
Consuming a 5 The error 2 7 The event 3 If non- 2 6 42

non- may cause of lack of organic
organic minor labelling of ingredients
product financial the were used
would not loss due ingredient it would be
cause harm, to poor tubs has undetect-
but may cause publicity occurred able and
the and loss of before and would
consumer sales would not compro-
upset as the be mise the
product was detectable product
not true to the
claim
Documenting the protection measures & PRPs
Document a reference for each protection measure (step 8), then document the protection measure (step 9) and
which PRP, if applicable that the protection measure relates to (step 10).
The reason each protection measure is listed with its own reference is because each one has to be taken through the
decision tree individually. Giving each one its own row makes this easier and clearer to read.
It is recommended that a different referencing system, than that used to reference the errors is chosen. For example,
if errors have been referenced through a sequential number, sequential lettering could be used for protection
measures.
Protection Measures
Ref Protection Measures PRP
(Step 8) (Step 9) (Step 10)
A Labelling of ingredient tubs Product segregation
B Supervision Management commitment
Documenting the decision tree assessment, including the result
In order to ensure that the answers to the decision tree questions are captured it is advisable to document them.
To document, record the answer to each question as yes or no. Where the set of questions comes to an end also
record ‘stop’ and record the resulting error management result.
The table below shows example routes through the decision tree and how the resulting error management method
can be documented.
Risk Decision Tree
Q1 Q2 Q2a Q3 Q4 Q5 Error Management Result
(Step 11) (Step 12) (Step 13) (Step 14) (Step 15) (Step 16) (Step 17)
Yes, stop Error eliminated by implementing a

scanning system, so the ingredient
cannot be used if there is no label
to scan
No No Yes, reassess N/A - protection measure added

and this is to be reassessed
No No No, stop Risk Register
No Yes Yes, stop Manage as PRP
No Yes No No, stop Added to PRP (specify which PRP)
No Yes No Yes No, stop VEP
No Yes No Yes Yes, stop Manage as existing CCP
Process Error Rationale Mitigation Mitigation Mitigation
step - Short Term - Medium Term - Longer Term
Risk register
Mixing Replusion of the consumer Currently there is no Action: Monitor ATP Action: Carry out labora- Action: Implement rapid
due to meat cross evidence to suggest that results for cleaning, to en- tory swabbing of the line test for all meat species for
contamination of a cleaning is not effective sure that they are effective. to establish if cleaning is positive release of the line
vegetarian product caused to remove traces of meat, Responsibility: Hygiene effective in removing meat after a change over clean
by ineffective change over prior to vegetarian produc- Manager traces. Responsibility: Technical
cleaning tion. Timescale: Weekly Responsibility: QA Manager
Review: Monthly Manager Timescale: Within 12
Timescale: Within 3 months
months Review: 6 Monthly
© Techni-K Consulting Ltd & Adele Adams Associates Ltd

Review: 3 monthly
The following example is for illustrative purposes only.
Assessing Error Vulnerability for Food Integrity | 67

Process Error Protection Critical limit Procedure Corrective Action Internal
step measure /Criteria & Frequency Auditing (Verification)
Mixing Replusion of the Rapid pork Negative pork Swab sample Where the error has occurred Key audit aspects:
consumer due testing test result to be tested on without detection: investigate the
VEP summary
• Observing the operator carry out the

to pork meat completion of extent of the contamination and
clean against the procedure
cross cleaning prior to the root cause. Put on hold all
contamina- start up of next product within the business’s • Challenge the competency
tion of a halal product. control. Assess the scale of impact of the operator
product caused Swab locations and implement withdrawal or recall Ensuring that the operator is trained
by ineffective to be based on where necessary.
•
to the current version of the
68 | Assessing Error Vulnerability for Food Integrity

change over key inspection Where the error has occurred and procedure
cleaning points of the has been detected: do not release
equipment. the line for production and • Ensuring that the testing equipment is
re-clean. On completion of the calibrated
clean repeat the test and only • Review sampling techniques
The following example is for illustrative purposes only.
release the line if it meets the

• Reviewing the previous test results for
critical limits. Investigate the root
compliance
cause of the failure and apply
corrective action to reduce the risk • Reactions to failures and
of further failures. any relevant corrective actions
If protection measure i.e. post
cleaning test was not carried out.
Hold any potentially affected
product still within the business’s
control. Assess the scale of the im-
pact and implement withdrawal or
recall where necessary. Investigate
root cause of the failure and apply
corrective actions to reduce the risk
of further failures.
© Techni-K Consulting Ltd & Adele Adams Associates Ltd

Key points
• An error vulnerability assessment can be documented in various ways, this guidance provides
suggested examples
• Documentation must include enough detail to withstand interrogation of the system by

interested parties
• As with any system, documentation must be subject to robust methodology, which are adhered to at
all times
CHAPTER 3
CONTINUATION STAGES OF AN
Review
The team need to review the error vulnerability assessment on a routine basis, the
frequency of which should be defined.
The reviews should be documented and any actions arising from the review should be assigned and formally
closed out.
Routine reviews should include evaluation of:
• Risk register
• VEP protection measure results, including trends where possible
• Investigations of corrective actions from protection measure failures
• Investigations of corrective actions from positive detection of errors
• Complaints
• Product development reviews
• Internal audits relating to error protection measures
• Incident reviews
• Business plans which may affect future changes in procedures and processing
Routine challenge of the crisis management system should form part of the review. This should include tests of the
crisis process for the management of the specific errors within the risk register.
In addition to the routine review, additional reviews should take place when:
• Changes to the product or process occur, particularly when claims are added, removed or amended
• Changes to staffing or human resources policies occur, which may impact on the frequency of errors occurring
• When legislation changes
• When customer requirements or audit standards change
• New technologies or updates to protection measures occur
• Concerns are raised through audits
Continuous improvement
The review should include an evaluation of the integrity assessment itself, with the objective being one of continuous
improvement. Regular review of the assessment should ensure that any new protection measures that were added
in the last review, are assessed for their effectiveness. Where new protection measures that detect an event or error
are found to be effective, this may allow re-assessment and re-scoring. This should ensure that all current risks remain
the focus, as they are most likely managed as VEPs, and those that have been previously a risk, but are now under
control, move into the normal day to day excepted ways of working.
To explain how this may work, an example has been provided below - for cross-contamination of dairy in a dairy-free
product due to ineffective cleaning of a depositor. In the first instance, when this error is assessed there may not be
any protection measures in place to detect if the event of ineffective cleaning has occurred, or if the error of cross-
contamination of dairy has occurred. The assessment may look something like this:
Consumer Score Business Score Impact Motivation Score Opportunity Opp. Vuln. Risk
Score Score Score Score
Death to the 9 The impact 4 13 The event of 3 The error of 2 6 78

consumer due on the ineffective dairy cross-
to cross business cleaning has contamina-
contamina- due to occurred tion in the
tion of dairy financial before and is product
caused by loss may undetectable would be
ineffective cause undetectable
cleaning of closure and would
the depositor compromise
the product
Therefore the score achieved would be significant. Protection measure(s) would then need to be assigned, such as
rapid allergen swabbing of the equipment to prove it is clean. Product testing may also be introduced to prove that
the batch is dairy-free. When assessing these protection measures, this may be determined through the decision
tree as VEPs, if allergen techniques such as these are not a site wide measure which is managed by a PRP. The VEPs of
allergen swabbing and testing would then need to be implemented and adhered to.
When the integrity assessment is then reviewed 6 months, or a year later, the assessment of the error could be
revisited. At this time, the effectiveness of the protection measure of allergen swabbing and product testing could
be reviewed. If the protection measures have been effective in managing the event and the error, this would reduce
the scoring, as shown below:
Consumer Score Business Score Impact Motivation Score Opportunity Opp. Vuln. Risk
Score Score Score Score
Death to the 9 The impact 4 13 The event of 1 The error of 1 1 13

consumer due on the ineffective dairy cross-
to cross business cleaning has contamina-
contamina- due to occurred tion in the
tion of dairy financial before and product
caused by loss may is detectable would be
ineffective cause through detectable
cleaning of closure allergen through
the depositor swabbing testing and
post would com-
cleaning promise the
product
Therefore the scoring for the vulnerability to the error occurring is reduced, so that it is no longer significant. It would
therefore need to be included in the sites PRPs and controlled as standard day to day activity.
At the time of the review any new or emerging issues would be also be reviewed and added to the assessment. This
would include evaluation of any existing protection measures and PRPs which may not be effectively managing
errors. Re-assessment and re-scoring of these may mean that poorly performing protection measures become
significant and their management techniques may be heightened to VEPs.
Maintaining the System
Once implemented the system will require maintaining, which is an additional
activity to review. System maintenance activities include ensuring the maintenance of
elements that support the system such as, but are not limited to:
• The team - both in terms of members and knowledge/competency
• The information sources - updates to legislation, audit standards or customer requirements
• The documentation - typically through an existing document control system
• The gathering of data - in order to ensure that the system is constantly in a state of continuous development it
is essential that data is gathered which can be used during the review process, to establish where improvements
or changes are needed
Key points
• Review of the error vulnerability management system is vital to ensure its continued effectiveness
• Reviews should be scheduled and in response to change
• Reviews should provide a basis for continuous improvement
• The potential triggers for a review should be documented by the team
• Records of review activities should be maintained
• Maintenance of the supporting elements of the system (the team, the information sources and
documentation control) is essential
CHAPTER 4
CASE STUDY
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity || 77
© Techni-K Consulting Ltd & Adele Adams Associates Ltd Assessing Error Vulnerability for Food Integrity 77
Case Study
The Yoghurt House Ltd - Error Vulnerability Assessment
This case study has been created to give an example of how the methodology described in the guide can be applied
in practice.
The case study includes extracts of an error vulnerability assessment, not the study in its entirety. The flow
charts shown in this case study are for the manufacturing process and the product development process.
They are not intended to cover all possible steps, but are shown as an example.
This example is fictitious and for illustrative purposes only.
Site background information
The case study is based on The Yoghurt House Ltd who are a small, independent manufacturer. The Yoghurt House
Ltd produce organic and non-organic yoghurt products for a range of retailers. The case study focuses on the
development and production process and considers a selected number of steps through the scoring system.
The Yoghurt House Ltd -
Error Vulnerability Assessment
Scope & Terms of Reference
The aim of this study is to identify and manage the potential error vulnerabilities to the integrity of the product,
which could have an impact on the consumer and thereby a consequential impact on the business.
The study is split into modules of the manufacturing process, development process including specifications and
approval and also the procurement process. There are separate flow charts for the manufacturing process and
development flow and these are linear in structure. The flow chart of the manufacturing process is shared with the
HACCP plan.
Start and end points
Yoghurt Production
The study starts at receipt of raw materials and finishes at the process step of check weighing, which is after packing
into printed coded packaging. Errors associated with the raw materials from the supply chain are assessed at the
point of raw material intake.
Development
The study starts at the point of receipt of a brief from the customer or sales team for customer branded products, or
the on-site marketing team for own label products, through to the launch of the product in production.
Procurement
The study starts at the point of a new raw material or supplier, or a change to an existing raw material through to the
approval of the raw material and/or supplier, prior to supply.
Processes covered
This assessment is for yoghurt manufacture and covers the activities of:
• The storage, preparation and manufacturing processes taking place on site
• The sourcing and approval of raw materials
• The development process for new and existing product development
• Specification, pack copy generation and artwork approval
Defining the asset
The asset to be ultimately protected is the consumer. The Yoghurt House Ltd is a small business and therefore the
impact on the business due to the impact on the consumer, would be great. The impact on the business has been
assessed as follows:
• Upset, repulsion or disgust of the consumer would cause minor financial loss
• Minor harm or hospitalisation to the consumer would cause major financial loss
• Death of the consumer would cause closure to the business
The type of claims - categorised
This study considers the following categories of claims, this includes the list of claims currently made on pack:
Allergenic / immune response agents Illegal, due to not of the nature

Claims currently made on pack are: Claims currently made on pack are:
• Contained allergens in the ingredient declaration • Organic
(Milk is the only allergen on site)

• Produce species - morello cherries
• Country of origin - British blueberries, British yoghurt
• Warnings - may contain cherry stones
Moral obligation:
Claims currently made on pack are:
• British yoghurt - raw milk from UK
Describe the product

Product Organic Morello Cherry Yoghurt Blueberry Yoghurt
Claims on pack Organic British blueberries

Morello cherries British yoghurt
British yoghurt Allergen contains list
Allergen contains list Average weight
Average weight
Warning - may contain cherry stones
Pertinent risks Non-organic on same line Non-British blueberries used on site

Use of non-Morello cherries Incorrect average weight
Incorrect average weight Wrong product, wrong pack
Wrong product, wrong pack
Team
Name Job Role Number of years with the Joined Training Team Role
company/experience in team
the industry
Julia Brown Technical 3 years with company as Aug 2015 One day error Core member
Manager Technical Manager. 15 years vulnerability Team Leader
experience in technical course
management in food industry August 2015
David White Production 2 years with the company as Aug 2015 One day error Core member
Manager Production Manager. 12 years vulnerability
experience in a variety of course
manufacturing roles August 2015
Simon Green Engineering 10 years with the company. Aug 2015 One day error Core member
Manager 12 years experience in food vulnerability
engineering course
August 2015
Steve Smith Goods in 1 year with the company. Sept 2015 In-house briefing Core member
Supervisor 6 years experience in various from team leader
warehouse roles September 2015
Helen Davies Head Buyer 4 years with the company. 8 Aug 2015 One day error Core member
years experience in food vulnerability
procurement course
August 2015
Chris Blues Development 9 years with the company. 20 Sept 2015 One day error Core member
Manager years experience in production vulnerability
and 8 years in development course
August 2015
Melanie Specifications 2 years with the company. 3 Aug 2015 One day error Core member
Shaw technologist years experience in specifications vulnerability
and artwork approval course August
2015
Prerequisite programmes
The prerequisites that support this system include:
• Change management
• Human resources
• Training and competency of staff
• Supervision and management
• Internal auditing
• Segregation
• Development
• Hygiene
• Chemical control
• Process control
• Procurement
• Storage
• Foreign body control
• Packaging control
Further details of each prerequisite system can be found in the relevant Quality Management System documentation.
References
The following references have been used during the development of this error vulnerability study:
Regulation (EC) No 852/2004 on the hygiene of foodstuffs

Food Safety Act 1990 (C.16)
The Food Hygiene (England) Regulations 2006 (SI 2006/14)
The Food Hygiene (Wales) Regulations 2006 (SI 2006/31 W.5)
The Food Hygiene (Scotland) Regulations 2006 (SSI 2006/3)
Regulation (EU) No 1169/2011 on the provision of food information for consumers
Food Information Regulations 2013 (FIR 2013) & EU Food Information for Consumers Regulations (EU FIC)
Food Labelling (Declaration of Allergens) (England) Regulations 2008
Food Labelling (Declaration of Allergens) (Scotland) Regulations 2008
Food Labelling (Declaration of Allergens) (Wales) Regulations 2008
Process Flow - Manufacturing
1. Raw material intake
2. Chilled storage (≤5°C)
3. Pasteurisation & denaturation
4. Cooling
5. Incubation
1a. Debox & High care transfer 6. Chilled storage (≤5°C) 2a. Debox & High care transfer
1b. Debag 7. Pot filling 2b. Debag
8. Lidding
9. Sealing
Key
10. Coding
Process
Step
11. Check weighing CCP

CCP
12. Metal detection VEP
14. Dispatch 13. Chilled storage (≤5°C)
Process Flow Step Detail
1. Raw material intake The ingredients and packaging are bought in from approved suppliers
All delivery vehicles are checked for hygiene and temperature control
Printed packaging is checked for print quality and version
2. Chilled storage Ingredients are stored within a secure goods in warehouse at ≤5°C.
System is automated and alarms when the temperature rises above 8°C
3. Pasteurisation & Product is pasteurised and held at ≥85°C for at least 10 minutes to cause denaturation
denaturation
4. Cooling Product is cooled to 30°C
5. Incubation Chilled culture is added

Incubated for 18 hours
Must achieve critical limit of pH ≤4.8 within 18 hours
6. Chilled storage Product is chilled down to ≤5°C and held ready for filling
1a & 2a. Debox & high Raw materials are removed from their outer packaging (boxes)
care transfer Raw materials are passed through a sanitising tunnel into high care
Chemical strength is checked every 4 hours
1b & 2b. Debag Raw materials are debagged at the point of use and loaded onto the automatic feed
into the filler
7. Pot filling Pots are automatically fed onto the line

The fruit compote and the yoghurt are filled into the pots
There are 2 filling lines - line A & line B
Line A runs organic and non-organic product
Line B runs non-organic only
8. Lidding Lids are automatically placed on the top of the pot
9. Sealing The lids are sealed using a heat seal
10. Coding Use by and Julian coding is applied
11. Check weighing All product passes through an in line check weigher
12. Metal detection All product passes through an in line metal detector
Detector is checked at the start of the run, hourly and at the end using 3mm SS,
2.5mm NF and 2mm F
13. Chilled Storage Product is held at ≤5°C ready for dispatch
14. Dispatch Product is dispatched through 3rd party transport

All vehicles are checked for hygiene and temperature control prior to loading
Error Vulnerability Assessment - Manufacturing
Impact assessment
Process Step Error Consumer Score Business Score Impact

Score
1. Raw Upset to the The consumer 5 The impact of upset 2 5+2=7

material consumer due to would be upset if to the consumer
intake inaccurate organic they purchased an may cause minor
or provenance organic product financial loss
information caused that contained
by delivery error of non-organic
the wrong ingredients or a
printed version of product with
the artwork provenance that did
not contain
ingredients with
provenance
2. Chilled Upset to the The consumer 5 The impact of upset 2 5+2=7

storage consumer due to would be upset if to the consumer
inaccurate organic they purchased an may cause minor
or provenance organic product financial loss
information caused that contained
by poor non-organic
segregation of fruit ingredients or a
during storage product with
provenance that did
not contain
ingredients with
provenance
3. Pasteur- Upset to the The consumer 5 The impact of upset 2 5+2=7

isation and consumer due to would be upset if to the consumer
denaturation inaccurate organic they purchased an may cause minor
information caused organic product financial loss
by lack of CIP at that
change over contained
non -organic
ingredients
2b. Debag Upset to the The consumer 5 The impact of upset 2 5+2=7
consumer due to would be upset if to the consumer
inaccurate they purchased a may cause minor
provenance product that did not financial loss
information caused contain British
by non-British blueberries, as
blueberries being labelled
loaded onto the
filler
Error Vulnerability Assessment - Manufacturing
Step Error Event Score Error Score Vuln.

Score
1. Raw Upset to the The event has not 0 The error of the 2 0x2=0
material consumer due to occurred before wrong printed
intake inaccurate organic and the event of the packaging would
or provenance wrong packaging be undetectable
information caused being delivered is and would
by delivery error of detectable as compromise the
the wrong packaging is product
printed version of checked on arrival
the artwork to ensure it is the
correct version
2. Chilled Upset to the The event of 3 The error of using 2 3x2=6

storage consumer due to poor segregation the wrong
inaccurate organic during storage has ingredients would
or provenance occurred before be undetectable
information caused and would not be and would
by poor detectable as the compromise the
segregation of fruit raw materials are product
during storage scanned on issue to
production
3. Pasteur- Upset to the The event of lack of 1 The error of 2 1x2=2

isation and consumer due to CIP at change over cross-contamination
denaturation inaccurate organic prior to organic of non organic in
information caused production has organic would not
by lack of CIP at occurred but would be detectable and
change over be detectable as CIP would compromise
checks are in place the product
2b. Debag Upset to the The event of the 3 The error of the 2 3x2=6
consumer due to wrong blueberries use of the wrong
inaccurate being used at the compote would not
provenance filler has occurred be detectable and
information caused before and would would compromise
by non-British be undetectable the product
blueberries being
loaded onto the
filler
Overall risk score
Step Error Consumer Business Impact Event Error Vuln. Risk

Score Score Score
1. Raw Upset to the 5 2 5+2=7 0 2 0x2=0 7x0=0

material consumer due to
intake inaccurate organic
or provenance
information caused
by delivery error of
the wrong
printed version of
the artwork
2. Chilled Upset to the 5 2 5+2=7 3 2 3x2=6 7x6=42

storage consumer due to
inaccurate organic
or provenance
information caused
by poor
segregation of fruit
during storage
3. Pasteur- Upset to the 5 2 5+2=7 1 2 1x2=2 7x2=14

isation and consumer due to
denatura- inaccurate organic
tion information caused
by lack of CIP at
change over
2b. Debag Upset to the 5 2 5+2=7 3 2 3x2=6 7x6=42

consumer due to
inaccurate
provenance
information caused
by non-British
blueberries being
loaded onto the
filler
Protection measures and PRPs
Step Error Protection Measures PRP
1. Raw Upset to the consumer due to Intake printed packaging checks Packaging control
material inaccurate organic or provenance
intake information caused by delivery error
of the wrong printed version of the
artwork
2. Chilled Upset to the consumer due to Storage segregation and labelling Storage
storage inaccurate organic or provenance Scanning of raw materials on issue
information caused by poor
segregation of fruit during storage
3. Pasteur- Upset to the consumer due to CIP checks Hygiene

isation and inaccurate organic information
denaturation caused by lack of CIP at change over
2b. Debag Upset to the consumer due to Line clear procedure at change over Segregation
inaccurate provenance information Blueberry loading checks
caused by non-British blueberries
being loaded onto the filler
As an example, the protection measures for the step of debag (2b) have been put through the decision tree.
Decision tree
Remember each of the protection measures for the error need to be put through the decision tree separately.
Step Protection Q1 Q2 Q2a Q3 Q4 Q5 Management

Measure Result
2b. Debag Line clear N Y n/a Y, stop PRP - Segregation

procedure
2b. Debag Blueberry N Y n/a N Y N VEP - Blueberry

loading loading checks
checks
Risk register
None for this extract example.
VEP summary
Process Error Protec- Critical limit/ Procedure & Corrective Action Internal
step tion Criteria Frequency Auditing
measure (Verification)
2b. Upset to the Blueberry Product label Prior to Where blueberries Supervisor to
Debag consumer due loading to be checked starting are found to be in- carry out daily
to inaccurate checks prior to production correct, put on hold check
provenance loading into and each time and obtain
information filler and a new bag is replacement. Ensure that the
caused by verified by a added procedure is clear
non-British second team Investigate the
blueberries member Record: reason for failure Assess training
being loaded Process Record of procedure and and question
onto the filler Sheet implement action. relevant
personnel against
Resp: Where the protec- understanding of
Production tion measure has procedure
operative failed and product
has been Assess
compromised, understanding of
affected product corrective actions
must be put on
hold. Assess records for
compliance
Process Flow - Development
1. Product brief
2. Scoping 2a. Source new raw materials
3. Recipe development
4. Kitchen sample approval
5. HACCP assessment
6. Factory trial
7b. Shelf life verification 7. Factory sample approval 7a. Nutritional verification
8. Specification, pack copy &

QAS generation
9. Artwork approval
Key
10. Launch
Process
Step
CCP
CCP
VEP
Process flow step Detail
1. Product brief Product brief is received from the customer, marketing or procurement
2. Scoping The project is scoped out
2a. Source new New raw materials - ingredients and packaging formats sourced
raw materials New raw material and/or supplier process instigated
3. Recipe Recipe developed in the kitchen

development
4. Kitchen sample Product assessment and approval with the customer or project lead
approval Samples kept for assessment against factory trial samples
5. HACCP HACCP assessment including allergen assessment of any new raw materials
assessment
6. Factory trial Factory trial(s) under normal processing conditions

Data is compiled for specification and QAS
7. Factory sample Product assessment and approval with the customer or project lead
approval Product assessed against kitchen sample
Photographs and eating quality agreed for QAS
7a. Nutritional Product from factory trial is sent off for nutritional assessment
verification Products with a claim are assessed over three separate runs
7b. Shelf life Product from factory trial is sent off for microbiological assessment
verification Organoleptic assessment is completed over life
8. Specification, Completion of specification and pack copy for artwork generation

pack copy & QAS QAS compiled from factory data
generation
9. Artwork Artwork is generated from pack copy and cutter guides

approval
10. Launch Product launch into new packaging
Risk assessment - Development
Impact assessment
Step Error Consumer Score Business Score Impact

Score
2a. Source Upset to the The consumer 5 The impact of upset 2 5+2=7
new raw consumer due to would be upset to the consumer may
materials inaccurate if they purchased cause minor financial
provenance a product that loss
information caused by did no contain
sourcing error of the ingredients with
wrong type of fruit provenance, as
labelled
Step Error Event Score Error Score Vuln.

Score
2a. Source Upset to the The event of 1 The error would be 2 1x2=2
new raw consumer due to sourcing the detectable and would
materials inaccurate wrong type of compromise the
provenance fruit has occurred product
information caused by before but would
sourcing error of the be detectable
wrong type of fruit during the
specification ap-
proval process
The overall risk score
Step Error Consumer Business Impact Event Error Vuln. Risk

Score Score Score
2a. Source Upset to the consumer 5 2 5+2=7 1 2 1x2=2 7x2=

new raw due to inaccurate 14
materials provenance
information caused by
sourcing error of the
wrong type of fruit
Protection measures and PRPs
Step Error Protection Measures PRP
2a. Source Upset to the consumer due to New/change raw material request Procurement
new raw inaccurate provenance form
materials information caused by Raw material specification check Development
sourcing error of the wrong type of
fruit
Decision tree
Step Q1 Q2 Q2a Q3 Q4 Q5 Management Result
2a. Source new N Y n/a Y, stop PRP

raw materials -
new/change raw
material request
form
2a. Source new N Y n/a Y, stop PRP

raw materials
- raw material
specification
check
Risk register
VEP summary
References
British Retail Consortium (2015) Global Standard Food Safety Issue 7
Codex Alimenatrius Commission (2003) Hazard Analysis and Critical Control Point (HACCP) System and Guidelines for its
Application, Annex to CAC/RCP 1-1969 Rev - 4
Food Standards Agency Website
About the Authors
Adele Adams Kassy Marsh
After gaining a degree in Food Science from Kassy started her career in the food manufacturing
Nottingham University in 1993, Adele started her industry in 1998 and has an exceptional ability to
career in technical management within the meat implement simple and practical solutions, which
industry. She then moved into consultancy and can be effectively implemented into the factory
training and began to specialise in HACCP and food environment. With a background of NPD, process and
safety management, achieving the role of Managing quality control, compliance, auditing and technical
Director of a consultancy firm in 2000. As a Senior management, she has a wealth of experience in
Lecturer at the University of Salford Adele helped meeting the required standards effectively. During
to establish their MSc in Food Safety Management. her time within compliance she became well known
In 2003, Adele set up her own company to provide for her pioneering risk assessments which Marks &
practical training and advice on how to get the best Spencer used as examples of best practice. Since
out of the HACCP principles. Adele regularly delivers starting her own consultancy business in 2012 she
a wide range of HACCP and food safety programmes, now specialises in the practical application of HACCP
specialising in higher-level courses, to help teams and validation techniques.
become competent in HACCP techniques. She has
also helped many large companies to remodel their
HACCP systems in line with best practice, as well as
being involved with several projects for the Food
Standards Agency. With over 20 years of HACCP
experience, Adele is well known for her engaging
training and practical approach.
The issue of food integrity is one of legal and moral obligation to the consumer
and is becoming increasingly important to brand protection within the food
industry. As a consequence, the need for a systematic approach to the task of
identification, assessment and management of the errors that compromise the
integrity of the product is required.

This book takes the pioneering methodology from the previous publication
“Assessing Threats & Vulnerabilities for Food Defence” and builds on it, to provide an
approach to assessing the errors that may occur during the manufacturing process,
which may compromise the integrity of the product.

Assessing Error Vulnerability For Food Integrity Ebook

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Assessing Error Vulnerability For Food Integrity Ebook

Uploaded by

Copyright:

Available Formats

ASSESSING ERROR

Published by Techni-K Consulting Ltd & Adele Adams Associates Ltd

Copyright © 2015 Kassy Marsh & Adele Adams

G5 Cavendish House, Welbeck, Nottingham, S80 3LL, UK

www.techni-k.co.uk & www.adeleadamsassociates.co.uk

Kassy Marsh Adele Adams

CHAPTER 2: ASSESSMENT STAGES OF AN ERROR VULNERABILITY STUDY 29

CHAPTER 3: CONTINUATION STAGES OF AN ERROR VULNERABILITY STUDY 71

CHAPTER 4: CASE STUDY 77

Cumulative scoring system for risk assessment

Vulnerable error points (VEPs)

Differentiation of critical limits and protection measure criteria

Validation and justification

Compromise Where the product does not meet the objectives

Contaminant Harmful or objectionable matter

Error An unintentional act that compromises the product

Justification Subjective rationale for the effectiveness of the protection

Morals A set of values, with the intention to do the right thing

Protection measure An action, activity or monitoring technique designed to prevent,

Protection measure - criteria Criteria which contribute to a reduction in vulnerability which

Risk register A register of identified significant errors where a protection

Validation Objective evidence that the protection measure is capable of

• Clarity of scope and terms of reference are paramount to both approaches

Preparatory Stages Assessment Stages Continuation Stages

Obtain senior Establish & define

Define the scope

Select the team Assess the vulnerability

Construct process Calculate risk score

Use decision tree to establish

1 Structure and start and end points

The team may decide to:

Differing processes may need considering separately, for example:

• The sourcing, purchase and supply of raw materials including packaging

• The innovation, development and implementation of new and existing products

• The storage, preparation and manufacturing processes taking place on site

• The management of utilities/services and facilities

• The management of cleaning activities

• Any activities such as contract packing carried out by third parties

• The introduction and management of machinery and equipment

3 Defining the asset

Types of claim include but are not limited to:

• Country of region or origin

• Religious claims - Halal, Kosher

• Compositional claims - % alcohol, QUID, caffeine content

• Health claims - reduce cholesterol, fish oils

• Ethics - GM free, palm oil (roundtable) RSPO certified

• Handmade, artisan, homemade, traditional, natural, pure

• Free from - preservatives, additives, artificial ingredients

• Allergens - as per the ingredient declaration, low gluten, gluten free

• Provenance - species of fruit

• Trademarks, licenses, brands

• Legal weights and measures, legal number

• Processing - such as maturation

Claims can be split into the following categories:

Type of integrity error Example

Allergenic/immune response • Contamination by allergens, caused by wrong product or pack

• Nature, e.g. the wrong species of meat

• Substance, e.g. incorrect nutritional value

• Quality, e.g. industrially manufactured product rather than

• A vegan product made on a line that also handles meat

• Scottish plain loaf made in England

• Halal product made on a line where pork has been produced

• Welsh butter made using non-Welsh milk