Co-packer vulnerability assessment

We are a co-packer for dry candy and snack foods that has a quasi food defense plan written. We were hit for not having a vulnerability assessment. 

All of the bulk food and packaging is supplier by our customers and we just pack into retail packages. 

I did a vulnerability assessment using KATs. I only had once actionable process step where we add seasoning to a cracker. 

I don't think the auditor is going to accept this. 

Is there another approach I should take seeing we don't manufacture any food but only package it? 

Something to think about would be the risk of handling your suppliers' products and putting into your packaging since you are opening the product in the form that they give it to you. Assessment would need to include the risk of open containers which are accessible to contamination/adulteration. Ours is under KAT - Secondary Ingredient Handling.

Something to think about would be the risk of handling your suppliers' products and putting into your packaging since you are opening the product in the form that they give it to you. Assessment would need to include the risk of open containers which are accessible to contamination/adulteration. Ours is under KAT - Secondary Ingredient Handling.

Yeah, I didn't know if packing would apply to Secondary Ingredient Handling based on the definition in the FDA guidance. I see how it could fit into their definition. 

I've ended up going with a hybrid assessment. I used the Element method for receiving, dumping, weighing and pouching. Then for the rest of the process steps (storage, shipment, lot coding, checkweighing, xray) I gave an explanation that it doesn't fit within any of the KATs. 

I am second guessing using the Element method for receiving since our customers supply the materials.

Yeah, I didn't know if packing would apply to Secondary Ingredient Handling based on the definition in the FDA guidance. I see how it could fit into their definition. 

 

I've ended up going with a hybrid assessment. I used the Element method for receiving, dumping, weighing and pouching. Then for the rest of the process steps (storage, shipment, lot coding, checkweighing, xray) I gave an explanation that it doesn't fit within any of the KATs. 

 

I am second guessing using the Element method for receiving since our customers supply the materials.

It sounds like you performed the vulnerability assessment correctly- but I think you are over thinking the receiving a bit. It doesn't matter where the supply of materials comes from, it just matters how they are received into your facility. You can use the hybrid method like you mentioned and determine whether there is opportunity for an inside attacker to contaminate the incoming materials and have it cause wide scale public health harm.