Food Defense Vulnerability Assessment

Conducting a Food Defense Vulnerability Assessment

KAT versus Three Elements
In part one of our five part series we interpreted the requirements of the new FSMA Food Defense Rule. In today’s post, part two, we discuss two methods for conducting a food defense vulnerability assessment against acts of intentional adulteration. The two methods we will discuss are the Key Activity Type, or KAT method, and the Three Element Method.
Food Defense Vulnerability Assessment

Why Perform Vulnerability Assessments at All?

As per 21 CFR 121.126, a food defense vulnerability assessment must be conducted for each type of food manufactured, processed, packed, or held at your facility. These vulnerability assessments must also be written. The KAT method and the Three Element Method are the two methods that have been developed through FSPCA (Food Safety Preventive Controls Alliance) and are recognized as adequate assessment methods by FDA.

Preliminary Steps for Every Vulnerability Assessment

It is recommended that before you begin your food defense vulnerability assessment, you perform some preliminary steps. Similar to preliminary steps when developing a food safety plan, the recommended food defense preliminary steps are explained below. You may already have some of these steps in place.
  • Step 1: Assemble a food defense team

    Assembling a multi-disciplinary team of individuals with various backgrounds and experiences will help identify vulnerabilities within your facility. A team approach also helps with employee buy-in of the program.

  • Step 2: Describe the product under evaluation

    Product descriptions can include things like product names, ingredients, intended use, intended consumers, serving sizes, storage and distribution, etc.

  • Step 3: Develop a flow diagram

    These diagrams should include all steps in your facility that are part of the food manufacturing operation. Processes that are not part of food manufacturing, such as utilities, human resources, etc. need not be part of the flow diagram.

  • Step 4: Describe the process steps under evaluation

    Process step description should contain details about what happens at each of the process steps being evaluated. Important details to include would be the number of employees involved at each step, amount of product (weight/volume) associated with the step, speed of equipment, nature of the product (liquid/powder), etc.

The Key Activity Type (KAT) Method

What are Key Activity Types?
As FDA and other industry partners conducted vulnerability assessments of products in the food and agriculture sector, there were four processes that repeatedly revealed a higher risk on a food defense vulnerability assessment score. These processes were the following:
  • Coating/Mixing/Grinding/Rework

    Examples would be batter and breading of products, homogeneously mixing a powder, dough or liquid ingredient, grinding of food products into finer particles, and reworking previous batches of product into new or other batches.

  • Ingredient Staging/Prep/Addition

    Processing steps where ingredients are manipulated prior to or during addition by human contact. Automated/machine manipulated is not included. Examples might include staging of ingredients, measuring, weighing and other batching steps and physically adding ingredients directly into a product stream.

  • Liquid Receiving/Loading

    Processing steps where bulk liquids are being received or unloaded where transport vehicles are opened, vented and where pumping equipment may be attached.

  • Liquid Storage/Holding/Surge Tanks

    Processing steps where liquid ingredients are stored in bulk, such as in silos and large tanks, including surge tanks.

The above 4 categories became known as key activity types and represent common high-risk processes within a food facility.

The KAT food defense vulnerability assessment method

The Key Activity Type (KAT) method is the simpler of the two methods that FSPCA has introduced.  Conducting a food defense vulnerability Assessment using the KAT method can be summed up in 3 simple steps:

1. Identify Each Step

Start by identifying each food processing step in your facility. Having an updated and verified process flow diagram is likely the simplest tool to use and you probably already have this documented from your food safety plan.

2. Evaluate Each Step

Evaluate each food processing step to determine if any of the steps would be considered a key activity type (KAT) as defined in the section above.

3. Identify Any Actionable Process Steps

If any steps are identified as key activity types, then you would consider each of those steps actionable process steps.   These actionable process steps are considered significant vulnerabilities in your process.

For each actionable process step identified, the team will need to think about what type of mitigation strategy would significantly reduce the probability of a successful inside attack. We will talk more about mitigation strategies in Part 3 of our Food Defense Series.

The Three Element Method

Using the three element method is a little more complex than the KAT method. However, using this method will allow you to take a deeper dive into your risk assessment for each process under evaluation. This gives you more flexibility than the KAT method to decide whether or not the process step under evaluation truly has a significant vulnerability. Using this method can oftentimes result in less actionable process steps that your facility will need to monitor as part of your food defense plan. 

The food defense team would still start by using the process flow diagram as a guide for the vulnerability assessment. But instead of needing to identify if any of the process steps are key activity types, the team will need to assess the vulnerability by evaluating the following three elements for each step:

1. The public health impact

The public health impact refers to how the consumer would be affected when eating a food product that has been intentionally adulterated. This can be estimated by calculating the serving size implications at each step under evaluation or by otherwise estimating the number of consumers that would be affected if an inside attacker would be successful in introducing a contaminant that would cause acute illnesses or death when consumed. There are three different calculations that can be used to determine the public health impact. They include:

A. Volume of food at risk

The volume of food at risk is calculated by estimating the batch size of each step being evaluated then dividing that volume by the amount of product in the final serving.

B. Representative contaminant

Representative contamination is calculated similarly to the volume of food at risk method above, but also factors in a mortality rate of 50% and representative contaminant dose of 40mg/serving.

C. Contaminant-specific analysis

Contaminant-specific analysis is calculated by using data from actual contaminants that could be used to adulterate food.  This method is not recommended due to the amount of data and research that would have to be compiled in order to provide a thorough analysis of the many different adulterants that could possibly be used to contaminate a food product, as well as their respective lethal doses.
Once the estimated public health impact is calculated, FSPCA has provided a scoring chart to use in order to determine the overall risk. The chart ranges from 1 to 10.  A score of 10 represents over 10,000 acute illnesses or deaths and a score of 1 represents no potential public health impact.

2. The degree of physical access to the product

This element focuses on determining if an inside attacker could actually access or touch the product at the step under evaluation. A different scoring chart is provided for this element. If a product is “easily accessible” for instance, that would provide the highest risk and be issued a score of 10. But if the product is considered “hardly accessible”, then a score of only a 3 would be issued.

This element also considers a new concept called “inherent characteristics.” Inherent characteristics are those activities, practices, conditions, etc. that are integral to the operation and make intentional adulteration difficult.  For instance, if a step in the process was completely enclosed, this would be an inherent characteristic that would make the step low risk due to it being inaccessible during operations.

3. The ability of an attacker to successfully contaminate the product

This element focuses on determining if an inside attacker would be able to successfully contaminate the product if they had the opportunity. The food defense team would need to consider factors such as: 

  • Would the attacker have enough time to contaminate the food without being observed?
  • Would the attacker have to engage in suspicious activity and likely be noticed by other employees in order to successfully contaminate the product?
  • Would the attacker be able to add enough of a contaminate to have a sufficient quantity to cause acute illness or death if consumed.
  • Would the contaminate, if added successfully, be homogeneously mixed throughout the food?

Like the previous two elements, this element also has its own scoring chart. A high score of 10 has the highest ease of successful contamination where there may be few workers in the area, a sufficient volume of contaminate could be added and that contaminate would be evenly distributed throughout the food.


Identification of Actionable Process Steps

Once all process steps have been given a score for each of the three elements, those scores are added together to get a sum score. Based on the total sum score, the food defense team then needs to determine if any steps are actionable process steps. Those steps that have been given a low sum score, such as lower than 13, are commonly considered low-risk and are not considered actionable process steps. Those that score much higher, such as a sum score of 26 or higher, are commonly considered high-risk.  Sum scores between 13-26 would need further discussion and risk determination to decide whether or not those steps are considered actionable process steps or not.

The Hybrid Approach

The hybrid approach utilizes both the KAT and three element methods. First, the food defense team evaluates each of the process steps for those that can be identified as key activity types. Once those KAT’s have been identified, then the team can choose to use the three element approach to conduct a more in-depth evaluation of some or all of those identified steps. For instance, if the team feels that there are some inherent characteristics that may significantly reduce the risk at a step that was identified as a KAT, then the team may choose to further evaluate that step using the three element method to see if those inherent characteristics are enough to determine that the step is not an actionable process step. This would then eliminate that step from the food defense plan.


Like performing a hazard analysis for a food safety plan, conducting a food defense vulnerability assessment for your food defense plan should be where you spend a large portion of your time as you develop your program. Understanding the potential vulnerabilities throughout your facility and being able to properly risk-assess those vulnerabilities using the methods we have discussed today are critical first steps in determining which areas are significantly vulnerable. 

In our next installment of our 5 part series, we will be discussing how to effectively justify and explain decisions made in your vulnerability assessments. We will also discuss how to determine appropriate mitigation strategies for each actionable process step identified.

Reserve Your In-Person or On-Line Seat Today!

Our Intentional Adulteration - Conducting Vulnerability Assessments course provides training on how to conduct a food defense vulnerability assessment against acts of intentional adulteration using the 3 fundamental elements approach. Register for one of our upcoming classes or contact us today to schedule your in-house training. We are approved for both virtual and in-person training!

About the author

Food Safety Specialist Lance Roberie

Lance Roberie

Food Safety Consultant and Trainer

Lance Roberie has over 20 years of quality assurance and food safety experience within the food industry. Mr. Roberie holds the following certifications:

Lance and the Food Safety & Quality Services’ training curriculum will advance your team's food safety knowledge through certified training, consulting, and “real life” industry scenarios.

Need a Food Safety Specialist?

Free 15 Minute Consultation.
Schedule Consultation

Learn how we helped Abita Brewing Company pass their first food safety audit with an A grade.

Abita Brewery

Abita Brewery - Audits

Abita Brewery

Abita Brewery - Audits