Food protection is the integration of food quality, food safety and food defense concerns into a single unified strategic and operational action plan.[1] It keeps businesses and their customers safe from contamination of food products. The Hazard Analysis and Critical Control Points (HACCP) system is a prevention-based safety program that identifies and monitors hazards associated with food production before they happen. It is the cornerstone of many businesses’ food safety plans. An overview of the history of HACCP has recently been published in this magazine.[2]

Food defense planning has received increased attention in the U.S. since the events of 9/11. The melamine contamination problem in China, as well as the Salmonella contamination at Peanut Corporation of America, although not strictly intentional contaminations, have revealed to the world the nature and extent of our mutual vulnerabilities to intentional contamination of our food supplies.

If firms are to address both unintentional and intentional contamination of their food products, it makes sense to do this in the most efficient manner. Building on and extending the existing HACCP system is the most efficient way to provide comprehensive food protection.

HACCDP, Hazard Analysis Critical Control and Defense Points, is proposed as an extension of HACCP and an efficient step toward a more comprehensive approach to food protection. The general concept of HACCDP is presented in Figure 1.

Food manufacturers and processors around the world have embraced the HACCP process as an essential part of their food safety strategy. The scientific basis of the HACCP system has had beneficial effects on food quality as well. Figure 1 shows HACCP as an important part of a firm’s food safety and quality strategy. Less common, but growing in importance, is a food defense plan. A vulnerability assessment is an important part of a food defense plan.

The lower part of Figure 1 shows that a HACCDP system simply combines the vulnerability assessment and the HACCP plan. This article proposes a simple modification of the HACCP process that expands it to include food defense by building on a proven successful approach to food safety.

HACCP and Small Businesses
The HACCP process has been proven effective as a food safety measure.[3] It is a systematic approach designed to prevent the unintentional contamination of food. The same approach can be taken to analyze a process from the point of view of intentional contamination. Rather than having separate plans for food safety and for food defense, one plan that addresses the CCPs for both safety and defense issues is easier to manage and implement. This is illustrated in the example provided below.

The University of California at Davis Sea Grant Extension Service has developed a number of HACCP examples.[4] A process flow diagram for making a tuna sandwich is presented to illustrate the basic ideas of the proposed HACCDP process (Figure 2). Steps 4 and 5 were identified as CCPs for food safety.

Food Defense Planning Tasks
The basic tasks in developing a food defense plan are summarized below. Online courses providing detailed support to small businesses for performing these tasks will be made available by the University of Maryland Food Defense Grant Team in 2010 (details can be found at The aspects of the plan of particular interest to the HACCDP concept include the process vulnerability assessment and facility security.

Appoint Food Defense Coordinator
The coordinator will lead the team in developing, implementing and maintaining the plan.

Develop the Plan
Your plan should include the following elements:

• Process vulnerability
• Facility security
• Supply chain integrity

• Emergency response
– Recall
– Disposal
– Recovery
– Communication

The heart of your food defense plan is a thorough and honest assessment of your vulnerabilities. The purpose of the assessment is for you to do the following:
• Look for and identify vulnerable points at your establishment and in the way you do business;

• Determine the nature of the risk at each point;
• Develop defense measures at each point you identify as high risk;
• Create a written plan to implement and maintain defense measures.

Defense measures are actions taken to prevent intentional product contamination or adulteration. The defense measures can be physical barriers, such as locks, fences and cameras, or changes in procedures, such as limited access, escorting visitors or supervising contract employees.

Implement the Plan
Your plan is implemented when the defense measures identified are in place and being used as intended. Implementation steps will include all required approvals of the defense measures, budgeting for the measures, installing the measures and training personnel in the proper use and execution of the measures.

Test the Plan
Plans can be tested in different ways. Simulations, drills, tabletop exercises, mock incidents and recalls, post-event evaluation and lessons learned, evacuation procedures and continuity of operations plans may be used. Monitoring the plan’s effectiveness may be accomplished by the following:
• Making unannounced entrances at various perimeter checkpoints;

• Checking plant employee ID badges;

• Checking locks on doors, gates, windows, storerooms or water and ice facilities, roof openings, vent openings, trailer (truck) bodies, tanker truck hatches, railcars, bulk storage tanks/silos;

• Testing lab or storeroom inventory procedures and the like.

Assess the Plan
Your plan must be kept up to date. To do that, you must assess it on a regular basis. Employee turnover or changes in suppliers, the production process, contracted services and production lines may require you to review, update and revise your plan. Occasionally, new defense measures may be added to the food defense plan.

Maintain the Plan
You maintain your plan by ensuring that your defense measures continue to be effective. Maintenance activities may include purchasing new or replacement materials or equipment designed for food defense, making repairs or (re)training employees.

There are no regulatory requirements for an establishment to develop a food defense plan. The Food Safety Inspection Service (FSIS) and the U.S. Food and Drug Administration strongly recommend that establishments develop and maintain a food defense plan. FSIS has provided materials to assist establishments in developing their own voluntary, functional, food defense plan. FSIS has made occasional surveys to learn how many establishments have voluntarily developed such a plan. Implicit in these initiatives is the option to make preparation of a food defense plan mandatory if sufficient voluntary progress is not made.

CARVER + Shock Software Vulnerability Assessment
A vulnerability assessment for the tuna sandwich deli prepared using the CARVER + Shock software[5] might look like Figure 3. Although the steps have slightly different names than those used in the HACCP flow diagram due to the structure of the software, the process used to identify the production process for a vulnerability assessment is identical to the HACCP process.

The CARVER process was originally developed by the Department of Defense as a target development and vulnerability tool. It was an offensive methodology adapted to defensive purposes and applied to the Nation’s food infrastructure and industries following 9/11.

CARVER is an acronym that relates six attributes that help define the risk of a food processing component to attack. The attributes are the following:

• Criticality - measure of public health and economic impacts of an attack

• Accessibility - ability to physically access and egress from target

• Recuperability - ability of system to recover from an attack

• Vulnerability - ease of accomplishing attack

• Effect - amount of direct loss from an attack as measured by loss in production

• Recognizability - ease of identifying target

“Shock” has been added to the original six attributes to assess the combined health, economic and psychological impacts of an attack within the food industry.

Using the process requires the business to identify the key steps in the production process. The process steps are then grouped into rooms, buildings and facilities in accordance with the layout of the facility. A series of questions are posed within the software that explores each component’s overall vulnerability to intentional contamination based on the above attributes.

The vulnerability assessment, when completed, ranks the steps in the production process from most to least risky. Each attribute is scored from a 1 (low) to a 10 (high), and the attribute scores are summed to obtain a total score. Hypothetical scores for the example are shown in Figure 4. Note that steps 2 and 5 in the HACCP plan received the highest scores, identifying them as critical defense points (CDPs).

Simplified Vulnerability Assessment for Small Business and HACCDP
Although the CARVER software is an extremely useful vulnerability assessment tool, it is not likely to be as useful for small businesses as it may be for larger ones. An alternative method for small businesses that is compatible with and builds on HACCP is proposed here by the authors. It begins with the HACCP flow diagram and requires someone familiar with that process to assess the vulnerability, accessibility and consequence of contamination at each step of the HACCP process. This simplified assessment is conducted for each step in the HACCP flow diagram. The elements of the assessment are described below.

Example ratings follow. It is not so important to use these definitions as it is to establish definitions that are meaningful for your establishment. Any rating system used should be documented in writing. These definitions simply suggest the kinds of things one may think about regarding each of the three attributes.

1. Accessibility
Is this step in your process accessible? Could a person intent on contamination or adulteration of your product gain access to the location, station, equipment or process step depicted in the diagram? Rate their access as high, moderate, low or none.

High = Easily Accessible (e.g., target is outside the building and there is no perimeter fence; limited physical or human barriers or observation; attacker has relatively unlimited access to the target; attack can be carried out using medium or large volumes of contaminant without undue concern of detection; multiple sources of information concerning the facility and the target are easily available).

Moderate = Partially Accessible (e.g. inside the building in a relatively unsecured, but busy, part of the facility; under constant possible human observation; some physical barriers may be present; contaminant must be disguised, and time limitations to introduce contaminant are significant; only general, non-specific information is available on the facility and the target).

Low = Hardly Accessible (e.g., inside the building in a secured part of facility; human observation and physical barriers with an established means of detection; access generally restricted to operators or authorized persons; contaminant must be disguised, and time limitations are extreme; limited general information available on the facility and the target).

None = Not Accessible (e.g., unauthorized personnel cannot access the target; no access due to physical barriers, alarms and human observation; there are defined means of intervention in place and no useful publicly available information concerning the target).

2. Vulnerability
Is this step in your process vulnerable? If a person gained access to this process step, could they successfully complete an attack? How easy would it be for an attacker to introduce a chemical, pathogen or other attack agent in sufficient quantities to achieve their goal once the target has been reached? Rate the vulnerability as high, moderate, low or none.

High = Target characteristics allow for easy introduction of sufficient agents to achieve aim.

Moderate = Target characteristics allow reasonably high probability that sufficient agents can be added to achieve aim.

Low = Target characteristics allow low probability (e.g., < 10%) that sufficient agents can be added to achieve aim.

None = There is no possibility of introducing sufficient agents at this location even if it is accessed.

3. Consequence
Would the consequences of a successful contamination at this step be severe? If an attack is successfully completed at this step, would the health or economic effects be critical? Could you recover from the attack? Rate the consequences as high, moderate, low or none.

High = Loss of life is possible. Monetary losses are larger than you can readily recover from, and greater than 50% of the system’s production is impacted. It would take more than a year to recuperate at this level.

Moderate = No loss of life is likely but a significant number of illnesses is possible. There would be significant but not crippling monetary losses with 10–50% of the system’s production impacted. It would take 3 to 6 months to recuperate at this level.

Low = Relatively few illnesses likely. Monetary losses are limited, and under 10% of the system’s production is impacted. It would take less than 3 months to recuperate at this level.

None = A successful attack at this point would yield no adverse health or economic impacts.

Each step in your HACCP process would receive a risk rating for these three characteristics. The possible ratings and example overall risk ratings are shown in Figure 5.

Any step that has an element rated an N, for none, presents no risk. Any other situation will have some level of risk or vulnerability. Resources should ordinarily be allocated to manage the most severe risks first. All unacceptable risks should be addressed immediately, and high risks should be managed as soon after as possible. Moderate to minimum risks should be managed next as resources allow.

At this point, you will have completed your HACCP plan, which identified steps 4 and 5 as CCPs, and your vulnerability assessment, which identified steps 2 and 5 as CDPs, ideally as part of a food protection plan. Now it is time to integrate the two. The tuna sandwich HACCP plan is combined with the vulnerability assessment of the tuna sandwich process, based on the CARVER example. The resulting plan is shown in Figure 6, which identifies the CCPs and CDPs in the tuna sandwich process. Step 2 in brown is identified as a CDP. Step 4 in amber is a CCP. Step 5 in red is critical to both food safety and food defense, called a CCDP.

The simple notion behind HACCDP is to combine the CCP and CDP information in a way that enables managers to see the food safety and food defense vulnerabilities in their production process.

HACCDP is the synthesis of a HACCP plan and the vulnerability assessment aspects of a food protection plan. Its steps are described as follows:
1. HACCP preliminary step 1: Assemble the HACCP team.
2. HACCP preliminary step 2: Describe the product.
3. HACCP preliminary step 3: Identify intended use.
4. HACCP preliminary step 4: Construct a flow diagram.
5. HACCP preliminary step 5: Conduct and on-site review of the flow diagram.
6. HACCP principle 1: Conduct a hazard analysis.
7. HACCP principle 2: Determine the CCPs.
8. HACCP principle 3: Establish critical limits.
9. HACCP principle 4: Establish monitoring procedures.
10. HACCP principle 5: Establish corrective actions.
11. HACCP principle 6: Establish verification procedures.
12. HACCP principle 7: Establish record-keeping and documentation procedures.
13. Food Defense Plan: Determine CDPs in your process.
14. Food Defense Plan: Devise food defense mitigations.
15. Food Defense Plan: Implement, test, assess and maintain the defense mitigations.

HACCDP is offered as a common sense way to enable businesses to expand their food protection concerns to include food defense.

At the time of this writing, both houses of the U.S. Congress are considering major legislation that would change the way food safety is administered in the US. Senate Bill S. 3385 section 104 would effectively require every food processor to develop a HACCP plan. Although the bill scrupulously avoids using HACCP terminology, the description of the bill’s intent is clear: “Each owner, operator, or agent in charge of a facility” would be required to develop a HACCP-like plan. Language elsewhere in the bill and in House Bill H.R. 7143, leave room to require facilities to prepare a food defense plan in addition to the food safety plan.

There is no way to know what legislation will ultimately be enacted or what it will include, but it is clear that Congress is concerned, and change is coming. Whether required or not, the time has come to recognize that it makes good sense for every food facility to address both food safety and food defense jointly and in an intentional way.

A simple extension of the HACCP system using CARVER + Shock software or the simplified vulnerability assessment of the HACCP steps presented here provides an opportunity to build on the success of the HACCP system to develop and use a HACCDP plan.

Charles Yoe, Ph.D., is a Professor of Economics at the College of Notre Dame of Maryland and an adjunct professor in the Department of Nutrition and Food Sciences at the University of Maryland. Food safety risk analysis, food defense and risks of engineering systems are his current areas of primary research, and he has developed courses in risk assessment and risk management for several agencies of the U.S. Federal Government and private industry.

Jurgen G. Schwarz, Ph.D., is the Director of the Food Science and Technology Ph.D. Program at the University of Maryland Eastern Shore. His research and teaching activities focus on food processing, food safety and food defense. He has worked on product and process development for one of the major food companies and worked as a consultant on processing certification issues.

1. Yoe, C., M. Parish, D. Eddy, D.K.Y. Lei, B. Paleg and J.G. Schwarz. 2008. Risk management. The value of the food defense plan. Food Safety Magazine April/May 2008.
2. Sperber, W.H. and R.F. Stier. 2009. Happy 50th birthday to HACCP. Food Safety Magazine December 2009/January 2010.
3. Surak, John G. 2009. The evolution of HACCP. A perspective on today’s most effective food safety system. Food Quality Magazine February/March 2009.
4. haccpalliance.html.
5. CARVER/default.htm.