HACCP asks what could go wrong by accident. TACCP and VACCP ask something harder: what if someone meant it? One covers deliberate attacks on your food, the other covers fraud in your supply chain. Both are now expected by the standards, and both are far more manageable than the acronyms suggest.
Three questions, three assessments
It's easiest to hold the three apart by the question each one answers:
- HACCP — what could harm the consumer by accident? Microbial, chemical, physical and allergen hazards in the process.
- TACCP — Threat Assessment Critical Control Point. What could harm the consumer or the business through a deliberate attack? This is food defence.
- VACCP — Vulnerability Assessment Critical Control Point. Where is your supply chain open to food fraud — adulteration, substitution, mislabelling — usually for money?
They share a method: identify what you're protecting, list the ways it could be attacked, score each one, and put controls against the ones that matter. If you can do a HACCP study, you can do these.
Protects against deliberate harm: tampering, contamination, sabotage. The motive is usually to cause damage — a disgruntled insider, an intruder, an activist, extortion.
Protects against fraud for profit: diluting, substituting a cheaper material, faking origin or paperwork. The motive is money, and the harm is often a hidden allergen or false claim.
TACCP: thinking like an attacker
A TACCP study walks your site as a would-be attacker would. You list the assets worth protecting — the goods-in bay, the ingredient store, an open water or bulk-intake point, the production area, finished-goods and despatch, and increasingly the IT and control systems that run the line. Against each, you name the credible threats: a disgruntled or financially motivated insider, an intruder or trespasser, malicious tampering or extortion, protest action, or a cyber-physical attack on utilities and controls.
Each threat gets scored on likelihood (from “no history, hard to achieve” up to “known history at this type of site”) and impact (from minor disruption up to a serious public-health or business event). The two multiply into a risk score, and the significant ones get controls — access control, CCTV, visitor and contractor management, staff vetting and right-to-work checks, tamper-evident seals, cyber-security measures, and a personnel culture where people report the things that feel off.
VACCP: thinking like a fraudster
A VACCP assessment turns to the supply chain and asks where the economic incentive to cheat is highest. For each raw material you consider the recognised fraud types: dilution and adulteration, substitution, mislabelling and species fraud, counterfeiting, grey-market diversion, origin and provenance fraud, and document fraud on certificates and CoAs.
Vulnerability is highest where the price is volatile, the material is high-value, the chain is long or opaque, or there's a history of trouble in that ingredient or region. Scoring again runs on likelihood and impact — and here impact climbs fast, because a substituted ingredient can smuggle in an undeclared allergen or a false claim. Controls lean on supplier approval, specification testing, mass-balance and traceability checks, and horizon scanning of sources like FSA food alerts and RASFF so an emerging scam reaches you before the adulterated pallet does.
If you already run a Food Fraud Vulnerability Assessment (FFVA) per raw material for SALSA s.1.6.4, that's VACCP thinking applied ingredient by ingredient. A full VACCP study is the wider view across your whole material base — the two line up rather than compete.
Why the standards now expect them
Food defence and food fraud mitigation are explicit clauses in the major standards — for example BRCGS covers both, and SALSA calls for a food fraud vulnerability assessment on every raw material. On a certification audit, “we've never really thought about it” is a finding. The good news is that a proportionate TACCP and VACCP for a small manufacturer is a short, honest document, not a corporate security dossier — the standards ask for something appropriate to your size and risk, reviewed at least annually and whenever something changes.
Getting started without over-thinking it
You don't need a security consultant to make a start. A proportionate first pass looks like this:
- List the assets and access points worth protecting, and the raw materials most exposed to fraud.
- Against each, name the credible threats and fraud types — use the built-in examples as prompts.
- Score every one on likelihood and impact, and let the significant ones surface.
- Put a proportionate control against each significant risk, with an owner and a review date.
- Lean on supplier approval and specification testing as your main food-fraud defence.
- Add horizon scanning — FSA alerts and RASFF — so emerging fraud reaches you early.
- Review both studies annually, and whenever the site, a supplier or the threat picture changes.
The bottom line
TACCP and VACCP aren't a new burden so much as the two questions HACCP was never designed to ask: what if the harm is deliberate, and what if it's for profit? Answer them proportionately, keep the studies alongside your HACCP plan, and review them when things change — and you turn two intimidating acronyms into a genuine layer of protection for your product and your customers.
HACCP, TACCP and VACCP in one place.
See how Prodara keeps all three studies audit-ready side by side.
