HACCP/TACCP/VACCP – Know the Difference!
HACCP / TACCP / VACCP When dealing with food manufacturing and food safety, you hear various terms and acronyms thrown around. Many of these terms sound si
HACCP / TACCP / VACCP
HACCP controls unintentional food safety hazards. VACCP targets economically motivated food fraud across your supply chain. TACCP addresses malicious, deliberate threats to food integrity. BRCGS Issue 9 and FSSC 22000 Version 6 now treat all three as distinct, auditable pillars — not optional appendices to your HACCP plan.
When dealing with food manufacturing and food safety, you hear various terms and acronyms thrown around constantly. Many sound similar; some are used interchangeably, but conflating them is a compliance risk. Whether you're preparing for a BRCGS Issue 9 audit, implementing FSSC 22000 Version 6, or simply trying to build a robust food safety management system (FSMS), understanding exactly what HACCP, TACCP, and VACCP each demands of you is non-negotiable.
This guide unpacks all three frameworks, explains how they interact, and gives FSQA managers the practical context needed to implement and defend each one under audit conditions.
| Framework | Full Name | Threat Type | Motivation | Key Standard Clause |
|---|---|---|---|---|
| HACCP | Hazard Analysis Critical Control Points | Unintentional/accidental | No intent — natural/process risk | BRCGS 2.7 / Codex Alimentarius |
|
VACCP
|
Vulnerability Assessment Critical Control Points | Intentional — supply chain fraud | Economic gain (EMA) | BRCGS 5.4.2 / FSSC 22000 AR 2.5.4 |
| TACCP | Threat Assessment Critical Control Points | Intentional — malicious act | Harm, ideology, sabotage | BRCGS 5.4.1 / FSSC 22000 AR 2.5.3 |
Hazard Analysis Critical Control Points
HACCP was originally developed in the late 1950s and 1960s as a collaboration between NASA, the Pillsbury Company, and the U.S. Army Natick Laboratories to prevent astronauts from contracting foodborne illness in space — an environment where falling ill was simply not an option. The Codex Alimentarius Commission has since codified it and forms the regulatory backbone of both the EU Food Hygiene Regulations and the U.S. Food Safety Modernization Act (FSMA).
HACCP is a systematic, linear approach to food safety designed to prevent or minimise the risk of unintentional contamination. Your HACCP team walks the entire production process — from raw material intake through to packaging and despatch — identifying any point where the product could be subject to biological, chemical, physical or allergen hazards.
Where a hazard is identified as a Critical Control Point (CCP), documented monitoring and corrective action procedures must be in place. Common examples include metal detection, pasteurisation temperature controls, and environmental pathogen testing programmes.
BRCGS Issue 9 Update (Clause 2.7.1): The latest version of the standard now explicitly requires HACCP teams to consider fraud and malicious contamination within their hazard analysis — with VACCP and TACCP cross-referenced as the appropriate vehicles for addressing those specific threat types. This means HACCP, VACCP, and TACCP must be aligned, but they must remain distinct documents with distinct methodologies.
Importantly, HACCP operates within the realm of known, foreseeable risk — it is not designed to address deliberate acts of contamination. This is a critical limitation that TACCP and VACCP were specifically developed to fill.
"HACCP is a linear process designed to manage known risks. Intentional acts of contamination represent vulnerabilities, not risks — and they require an entirely different way of thinking."
Steven Sklare, Food Safety Academy — Quality Assurance & Food Safety Magazine
Threat Assessment Critical Control Points
TACCP — Threat Assessment Critical Control Points is your food defence framework. It was developed in reaction to growing concerns about deliberate interference with food supply chains, and is formally defined in PAS 96:2017, the British Standards Institution's guide to defending food and drink from deliberate attack.
Where HACCP asks "what could go wrong by accident?", TACCP asks "who might want to cause harm, and how could they do it?" The motivation here is not financial — it is ideological, behavioral, or personal. Think disgruntled employees, extortion attempts, or, in extreme scenarios, food terrorism.
Critically, TACCP requires a much broader operational lens than HACCP. Effective threat assessment must encompass:
- Physical site security — access control, perimeter monitoring, CCTV coverage
- Personnel vetting — background checks, contractor management, visitor protocols
- IT and systems security — preventing digital interference with process controls
- Transportation and logistics security — cold chain integrity and tamper-evident packaging
- Insider threat modelling — assessing where unsupervised access creates exposure
- Staff training — food defence awareness for all site personnel, not just the safety team
Under FSSC 22000 Version 6 (AR 2.5.3) and BRCGS Issue 9 (Clause 5.4.1), auditors expect a documented threat assessment methodology, a cross-functional TACCP team with demonstrable food defence competencies, and clear evidence of regular review — not a static document filed annually. The standard specifically requires teams to consider both internal and external threat scenarios.
A practical TACCP mental model: imagine a facility access map. Every entry point, every unsupervised corridor, every moment of handover between personnel is a potential vector. TACCP asks you to think like a bad actor and then design your controls to make interference difficult, detectable, and traceable.
Vulnerability Assessment Critical Control Points
VACCP — Vulnerability Assessment Critical Control Points is your food fraud prevention framework. It was developed to address Economically Motivated Adulteration (EMA): the substitution, dilution, mislabelling, or counterfeiting of food ingredients for financial gain.
The 2013 horsemeat scandal, in which beef products across Europe were found to contain undeclared horse DNA, remains the most prominent example, but food fraud takes many forms. Inferior olive oils passed off as extra virgin, farmed fish labelled as wild, spices bulked with cheaper fillers, and allergens concealed behind misleading labelling are all real, documented instances.
Where TACCP focuses on who might cause harm and how they could access your product, VACCP focuses upstream on where your supply chain is vulnerable to dishonest conduct before the product even reaches your facility. Your risk does not begin at your factory door; it begins at the origin of every raw material, through importers, brokers, and processing intermediaries.
Under BRCGS Issue 9 (Clause 5.4.2) and FSSC 22000 V6 (AR 2.5.4), VACCP risk ratings must carry documented justification — not simply a traffic-light assessment with no evidence base. Controls must be proportionate to risk level. High-risk materials require authenticity testing on a defined sampling plan, annual supplier audits, and independent laboratory verification. Medium-risk requires COA review and periodic testing. Low-risk requires basic approved supplier status. Supplier approval alone is a control, not a vulnerability assessment.
VACCP is also notably broader in scope than the FSMA's Intentional Adulteration (IA) Rule in the United States, which focuses only on EMA with a likely public health impact. VACCP applies to all economically motivated adulteration — including fraud that may not present an immediate safety risk but compromises product integrity, brand trust, and legal compliance.
How HACCP, TACCP & VACCP Work Together
The Global Food Safety Initiative (GFSI) defines HACCP, TACCP, and VACCP as three separate, equal pillars within a comprehensive Food Safety Management System. They are not interchangeable, and they should not be collapsed into a single document, but they must be aligned.
The most common failure mode FSQA managers encounter in audit is treating VACCP and TACCP as extensions of their HACCP plan. Auditors under both BRCGS Issue 9 and FSSC 22000 Version 6 are now explicitly trained to distinguish between these frameworks. They are not looking for volume; they are looking for coherence and credibility; evidence that your team has applied a genuinely different way of thinking to each risk type.
The three questions your FSMS must be able to answer:
→ HACCP: Is your food safe if everything in production goes to plan?→ VACCP: Is your supply chain protected against fraud if a supplier decides to cut corners?
→ TACCP: Is your operation protected if someone with access decides to cause deliberate harm?
What Auditors Expect in 2025
Under BRCGS Issue 9 , which has been in force since February 2023 and FSSC 22000 Version 6, the bar for VACCP and TACCP has risen considerably. Both frameworks are now standalone audit focus areas, not background requirements reviewable with a cursory glance at a completed template.
Key expectations for FSQA teams preparing for certification audits:
→ VACCP and TACCP must be standalone documents — not embedded within your HACCP plan
→ Both assessments must be conducted by a cross-functional team with demonstrable training in food fraud and food defence principles (BRCGS Issue 9 Clause 13 / FSSC 22000 AR 2.5)
→ Risk ratings must include documented justification — market vulnerability, detection difficulty, historical fraud data, and supply chain complexity should all inform scoring
→ VACCP scope must cover all raw materials, including packaging and processing aids — not just primary ingredients
→ TACCP must include facility access mapping, personnel threat scenarios, and supervision gap analysis
→ Both plans must evidence regular review — frequency proportionate to supply chain changes and emerging intelligence
→ Food safety culture requirements (mandatory under BRCGS Issue 9) mean that food defence awareness training must extend to all staff, not just the FSQA team
Frequently Asked Questions
Do I need separate teams for HACCP, TACCP and VACCP?
Not necessarily separate teams, but distinct competencies. BRCGS Issue 9 requires that VACCP and TACCP team members demonstrate knowledge of food fraud and food defence principles specifically — which may differ from the skill set of your core HACCP team. Many organisations use a core cross-functional food safety team with subject-matter input from HR, security, procurement, and legal where relevant, particularly for TACCP.
Does FSMA in the US require VACCP and TACCP?
Not by name. The FDA's FSMA Intentional Adulteration (IA) Rule addresses deliberate contamination with a public health focus, but does not reference TACCP or VACCP explicitly. However, industry experts broadly agree that facilities meeting GFSI-benchmarked certification requirements (BRCGS, FSSC 22000) will simultaneously satisfy FSMA's food defence and fraud mitigation expectations — with VACCP and TACCP providing a more comprehensive framework than the regulations alone require.
What is the difference between VACCP and TACCP in practical terms?
VACCP asks: where in my supply chain could someone substitute, dilute, or mislabel an ingredient for financial gain — and how vulnerable are those points? TACCP asks: who might deliberately interfere with my product or facility to cause harm — and what controls prevent them? VACCP focuses on supply chain economics and ingredient integrity. TACCP focuses on people, access, and behavioural motivation. The controls for each are entirely different.
How often should VACCP and TACCP assessments be reviewed?
Both standards require review at defined intervals and following any significant change — including new supplier approvals, supply chain restructuring, changes in ingredient sourcing geography, facility layout changes, or following any food fraud or security incident affecting your category. Annual review is a minimum; higher-risk operations or those with complex international supply chains should consider more frequent assessment cycles.
Can technology help manage HACCP, TACCP and VACCP together?
Increasingly, yes. Digital food safety management platforms are evolving to allow integrated management of all three frameworks in a single system — with shared supplier data feeding into VACCP assessments, site access data informing TACCP controls, and process monitoring underpinning HACCP. The key principle remains that while the data may be integrated, the methodology and documentation for each framework must remain distinct and independently defensible under audit.
About This Article
This guide is intended for Food Safety and Quality Assurance professionals in food manufacturing and supply chain environments. It reflects the requirements of BRCGS Food Safety Issue 9 (in force from February 2023), FSSC 22000 Version 6, and PAS 96:2017. Regulatory requirements evolve — always verify against the current version of your applicable certification standard.
Sources & Further Reading
- BRCGS – Food Defence Guidance, 2025
- Quality Assurance & Food Safety Magazine – Employing TACCP and VACCP for Food Safety and Quality
- Global Food Safety Resource – TACCP and VACCP: What's the Difference?
- Entecom – VACCP & TACCP: What Your System Must Deliver in 2026
- Primority – HACCP vs TACCP vs VACCP: Key Differences Explained
- IQX – HACCP in 2025: What the Future Holds for Food Safety Plans
- BSI PAS 96:2017 – Guide to Protecting and Defending Food and Drink from Deliberate Attack
- Codex Alimentarius Commission – Hazard Analysis and Critical Control Point (HACCP) System and Guidelines for Its Application