Primer on HACCP, TACCP, & VACCP (Three Separate Assessments)

It’s been five years since the GFSI Food Fraud Technical Document was published, and there is still confusion about HACCP, TACCP, & VACCP. GFSI requires three separate assessments that converge in an overall food safety management system. Separating the assessments is actually easier than doing them together.

GFSI and the VACCP Term

The first time the food fraud Vulnerability Assessment and Critical Control Point (VACCP) plan was published was by the ‘GFSI Food Fraud Think Tank.’ In 2012, led by project sponsors Yves Rey (formerly Danone) and Frank Yiannas (formerly Walmart and FDA), the GFSI Board of Directors asked ‘what’ is food fraud? The focus shifted to ‘how’ food fraud should be addressed. Then, the horsemeat in the beef incident occurred in July 2012, and the project focus shifted to what should be required in the following updated GFSI benchmarking document. The GFSI Board of Directors published the GFSI Food Fraud Position Paper in 2014 in advance of the 2017 benchmarking document update (long title: GFSI Position Paper on Mitigating the Public Health Risk of Food Fraud, July 2014). To note, the food fraud requirements and scope should not have been a surprise to anyone since GFSI gave three years’ notice before the requirements were active. From the GFSI Food Fraud Position Paper:

“The GFSI Board recognizes that the driver of a food fraud incident might be economic gain, but if a public health threat arises from the effects of an adulterated product, this will lead to a food safety incident.”

“The GFSI Board has decided to follow the recommendations of the Food Fraud Think Tank and proposes to incorporate the two food fraud mitigation steps in the form of two new key elements in the GFSI Guidance Document to:

1. Require a company to perform a food fraud vulnerability assessment

2. Have a control plan in place.”

The GSFI Board of Directors concluded that a food safety management system is a quality management system focusing on public health threats from food. A quality management system focuses on understanding and managing the root cause of problems. Food fraud is a potential root cause of food safety incidents. Thus, conducting an assessment and including a management process for addressing food fraud is a required part of a food safety management system.

Any food fraud act, from any type of fraud act and at any point in the supply chain, can cause a food safety incident. Thus, the GFSI scope covers all types of products, including raw materials and incoming goods, work in progress or manufacturing, and all the way to finished goods at retail in the marketplace.

VACCP Defined

VACCP is the food fraud-related Vulnerability Assessment and Critical Control Point (VACCP) plan. The foundation of food safety management is the Hazard Analysis and Critical Control Point (HACCP) plan. HACCP is nearly universally adopted, and there is a common understanding of the formal policy and management activities, including rigorous and documented processes. The UK Publicly Available Standard 96 (PAS 96) use the Threat Assessment and Critical Control Point (TACCP) plan concept to address food defense (later, PAS 96 expanded their intentional adulteration definition to include some – but not all – food fraud). So, HACCP and TACCP were concepts that were already in use.

Food fraud was a different type of problem since, although it was an intentional act addressed by food defense, the fraudster’s goal was NOT to create harm and NOT to get found out. The motivation of the fraudster was to actively seek to AVOID detection. The root cause for food fraud was fundamentally different both in terms of the assessment and countermeasures or control systems.

Note: Around that time, the US Food Safety Modernization Act (FSMA) rules took a similar approach. Between January 2011 and February 2014, the FSMA guidance documents shifted food fraud from the Intentional Adulteration (Food Defense) Final Rule to the Preventive Controls rule. The FSMA thinking was that food fraud could more efficiently be addressed by preventive controls such as vulnerability reduction.

GFSI Food Fraud Technical Document

A key reference to understanding the definition and scope of the VACCP requirement is the ‘GFSI Food Fraud Technical Document’ (long title: Tackling Food Fraud Through Food Safety Management Systems, May 2018) (LINK). The GFSI Board of Directors published this guidance in May 2018, five months after addressing the food fraud requirement. GFSI created this document to respond to industry-specific questions and adoption challenges directly. From the GFSI Food Fraud Technical Document (emphasis added):

  • “This implies that any plans and activities to mitigate, prevent or even understand the risks associated with food fraud should consider an entire company’s activities, including some that may not be within the traditional food safety or even HACCP scope, applying methods closer to criminal investigation.”
  • “The requirements refer to the “The Organization”: While the traditional HACCP-type food safety approach is applied at manufacturing facilities, these operate within the overall organization. The food fraud vulnerabilities are company-wide and thus the food fraud scope is company-wide.”

To clarify, ‘company-wide’ includes activities beyond just supplier quality assurance or monitoring of raw materials, manufacturing and work in process, distribution and warehousing, logistics and transportation, retailing, and even monitoring of products outside the legitimate supply chain, such as by a corporate security group.

To note, two additional resources were provided in the GFSI Food Fraud Technical Document:

Food Fraud Covering All Products from Incoming Goods to Finished Goods

The GFSI Food Fraud Technical Document includes an appendix that lists all types of fraud that are within the scope: Adulterant-Substances (Dilution, Substitution, Concealment), Unapproved Enhancements, Mislabeling/ Misbranding, Grey Market/ Theft/ Diversion, and Counterfeiting (intellectual property rights). Also, the types of products include raw materials and incoming goods, work in progress or manufacturing, and all the way to finished goods at retail in the marketplace.

The GFSI scope is broad since the root cause of a food safety incident could occur anywhere along the supply chain and not just from incoming raw materials. Your customers need all your products to be safe. Your company needs all your products to be safe. While the audits or assessments are usually ‘site inspections’ (at a manufacturing plant), the focus includes company-wide policies. The site might be asked about a policy or procedure that is managed at the corporate level. The GFSI Food Fraud Technical Document addressed this directly:

  • “While a Food Fraud Manager is “accountable” for the full compliance, they may not be “responsible” for each of the individual tasks. For example, managing and monitoring stolen goods may already be conducted by a supply chain logistics or corporate security staff.”

Takeaway Points

  • For GFSI compliance – and general risk assessment efficiency – there is a requirement for three separate assessments for HACCP, TACCP, & VACCP.
  • Conducting a separate food fraud VACCP is efficient since it only considers the one motivation of ‘intentional deception for economic gain.’
  • If this commentary is new or confusing, fortunately, there are a lot of resources, such as the links provided by GFSI (above). Also, see for free training, plus background or primer documents (start here.)
Scroll to Top