Module 3, Lesson 2:

Protection measures

Lesson Guide

Copyright © 2017 Techni-K Training Academy

Module 3, Lesson 2: Protection measures

What we’ll learn

In this lesson, we’re going to cover:

• How to apply protection measures

• Management techniques

• Risk register

• VTPs

Apply protection measures

In HACCP, we apply controls to hazards.

We don’t apply controls for threats, in our vulnerability assessment, because the term control doesn’t fit with this system. There is an important reason for this. Here is the definition for control, from Code Alimentarius:

“A control is an action or activity to prevent, eliminate or reduce a hazard to an acceptable level.”

Note that a control prevents, eliminates or reduces.

That means monitoring activities are not a control; because monitoring doesn’t prevent, eliminate or reduce the hazard from happening. Monitoring merely highlights that the hazard has occurred.

For threats; we can’t state that we can control a threat, because we can’t always prevent it from occurring. For this reason, we have to use monitoring as a form of protection. Therefore; we cannot apply controls to threats in the purest term, as we have to use monitoring.

For threats, we use the term ‘protection measures’ instead of controls. The definition for protection measure is slightly amended from the control definition:

“A protection measure is an action, activity or monitoring technique to prevent, detect or reduce a threat to an acceptable level. “

Note; that ‘monitoring technique’ has been added to the definition, as monitoring is an acceptable way of protecting ourselves from threats.

Prevent, eliminate or reduce has also been changed to, prevent, detect or reduce because, we can’t eliminate a threat. Therefore; we’ve removed the term ‘eliminate’ and replaced it with ‘detect’, because we can detect, through monitoring.

Copyright © 2017 Techni-K Training Academy

Module 3, Lesson 2: Protection measures

Example threats – addition of protection measures

Here are our example threats, on our vulnerability assessment template. Protection measures have been applied to each. Egg has been greyed out, as this threat is not significant.

Confidence in protection measures

When applying protection measures, we need to be confident that they will actually provide adequate protection.

To do this, we must ask:

Will this protection measure really protect us?

Does it add value?

Would we feel comfortable in court defending this?

Imagine the threat has actually happened and one of your customer’s brands was implicated in it. If you were sitting in a meeting room with that customer, would you feel comfortable being able to explain why you felt this protection measure was sufficient?

Management techniques

Once the protection measures have been applied, they need to be assessed, to establish what technique is needed to manage them.

Decision tree

To work out which management technique we should be using, we use a decision tree. The decision tree on the next page is based on HACCP principles, to make it familiar.

Copyright © 2017 Techni-K Training Academy

Module 3, Lesson 2: Protection measures

The decision tree determines which of the four following management techniques should be used to manage the protection measure:

• The risk register

• As an existing CCP

• Supplier management procedures

• As a VTP (vulnerable threat point)

Copyright © 2017 Techni-K Training Academy

Module 3, Lesson 2: Protection measures

Let’s go through each question, step-by-step. To be clear here; we’re not putting the threat through the decision, we’re putting the protection measure for the threat through the decision tree.

Question 1: Can the threat be eliminated?

We must always ask ourselves if the overall threat that the protection measure is for, can be eliminated. For example; can we reduce the length and complexity of the supply-chain, if the threat is a supply-chain threat?

If we can; we follow the ‘yes’ arrow, which says that we should implement the necessary changes to eliminate the threat. If we can’t eliminate the threat, we follow the ‘no’ arrow and go to question 2.

Question 2: Is there a protection measure in place?

If we say ‘no’, we go to question 2a.

Question 2a: Can an immediate protection measure be added?

Note, here, that is says ‘immediate’. If you know the protection measure you need to put in place, but you can’t implement it immediately, then you would have to say ‘no’ to this question.

For example, if you needed to change suppliers, to reduce the length or complexity of a supply-chain, but this couldn’t be done immediately, you would need to say ‘no’ to this question.

If you say ‘no’ this takes you to the risk register management technique. We’ll go through the risk register in more detail, later in this lesson.

If you say ‘yes’ to question 2a, the decision tree asks you to implement a protection measure and then re-assess it.

So, we’re back up to question 2. If we say ‘yes’ to question 2, that yes, there is a protection measure in place, the decision tree takes us to question 3.

Question 3: Is this protection measure specifically designed to protect against this specific threat?

Note here, ‘specifically designed’. What this is asking is:

• Is this protection measure in place, for other reasons as well? • Is the protection measure, already in use for other purposes? • Is it generic, or is it ‘specific’ to this threat?

If you say ‘no’ it’s not specifically designed to protect us against this threat, then it says that we should manage the protection measure through supplier management procedures.

A good example of this would be where a supplier audit is applied as a protection measure. A supplier audit is a generic measure, which is applied for other reasons, such as supplier assurance. It’s not specifically designed to protect us against a threat. Therefore, you would answer ‘no’ to this question.

However; if you were applying a protection measure of a mass balance for a particular claim, such as organic- you would answer ‘yes’ to this question. This is because an organic mass balance is a very specific protection measure for that specific threat, it’s not something you do for everything. Unless of course, you’re an organic only site, which would be different.

If you answer ‘yes’ to question 3, because the protection measure is specifically designed, to protect us against that specific threat, it takes you to question 4.

Question 4: Is this protection measure managed by an existing CCP?

Food safety and therefore HACCP, must always take precedence, so this question is designed to ensure that it does.

If the protection measure is already managed by a CCP, you would answer ‘yes’ to this question. You can see that, the decision tree tells you to continue managing the protection measure through the existing CCP.

Copyright © 2017 Techni-K Training Academy

Module 3, Lesson 2: Protection measures

However; if the protection measure is not managed by an existing CCP, then we would say ‘no’ to question 4 and that would lead you to the VTP management technique.

VTP stands for vulnerable threat point. A VTP is a threat equivalent to a CCP in HACCP.

Management techniques

Protection measures are managed by one of four management techniques:

1. Risk register

2. CCP

3. Supplier management procedures

4. VTP

The risk register is used, where we cannot apply an immediate protection measure.

If the protection measure is already managed using an existing CCP, HACCP takes precedence and we continue managing it as a CCP. It is advisable to make a note on your CCP summary in your HACCP plan, that this CCP also manages a protection measure for your vulnerability assessment.

There are also protection measures that are managed using our supplier management procedures. For these, review the relevant procedure and make sure it covers all the requirements to effectively manage the threat.

A VTP (vulnerable threat point) is the threat equivalent of the CCP.

Example threats – assessment through the decision tree

Here are our example threats, that have been assessed through the decision tree. You can see how this can be documented on the vulnerability assessment template.

Copyright © 2017 Techni-K Training Academy

Module 3, Lesson 2: Protection measures

Risk register

A template has been provided, which shows how a protection measure that needs to be managed through the risk register can be handled.

The risk register template looks like this:

The template encourages the right level of detail to be documented about the threat, and why a protection measure cannot be immediately applied.

The rationale section is an explanation of the current situation and why there is no immediate risk to the product.

Then, the mitigation sections should provide details of what the short, medium and long term plans are, to either remove the threat, or to apply a protection measure.

Example threats – risk register

Here is the example threat for spices, which needs to be managed through the risk register.

Copyright © 2017 Techni-K Training Academy

Module 3, Lesson 2: Protection measures

VTPs

A template has been provided, which shows how a protection measure that needs to be managed as a VTP can be handled.

The VTP summary is based on a CCP summary and should provide all the detail, as to how the protection measure is going to managed. It should detail the procedure, the critical limits or criteria, the frequency of the monitoring and corrective action.

Note, that either critical limits or criteria should be applied. For protection measures, critical limits – of a clear pass or fail cannot always be applied. In some cases, a more subjective set of criteria has to be applied.

Example threats - VTPs

Here is an example VTP summary completed for our examples.

Copyright © 2017 Techni-K Training Academy

Module 3, Lesson 2: Protection measures

What we’ve learnt

• A protection measure is an action, activity or monitoring technique to prevent, detect or reduce a threat to

an acceptable level

• We only apply protection measure to significant threats

• A protection measure must add value and we must feel comfortable that it will protect us

• We use a decision tree to determine how each protection measure should be managed:

o Risk register

o CCP

o Supplier management procedures

o VTP

• A risk register is used to manage a threat where an immediate protection measure cannot be applied

• A VTP – vulnerable threat point

• A VTP is a threat equivalent of a CCP

It’s now your turn to complete your protection measures for your significant threats.

And then, work out how each one should be managed.

Once you’ve constructed your protection measures and completed the necessary documentation, the protection measures then need implementing.

You’ll see that there’s a quiz at the bottom of this lesson. If you successfully complete this quiz you’ll be rewarded with a certificate for this course.

Techni-K Consulting Ltd | The Old Booking Hall, 2a Station Road, Clowne, Derbyshire, S43 4RW Tel: 01246 589609 | Email: info@techni-k.co.uk | Web: www.techni-k.co.uk

Food fraud and vulnerability

Quiz