Have we been getting critical control points all wrong? It’s time to rethink – like a coder!

CCP Coder Rethink Tile

Critical control points (CCPs) are at the heart of many contemporary product risk management frameworks including for drinking water, the WHO’s Water Safety Plans and for food and beverages, the FAO’s Codex Alimentarius (HACCP). In some countries, the concept of CCPs is not yet established with ‘multiple barriers’ being used instead. However, ‘multiple barriers’ refers to all controls that can be applied across the supply chain and does not single out important or critical barriers, for focussed attention. Further, the way we think about CCPs is flawed because we tend to think about ‘limits’ rather than ‘conditions’ and exceedance of limits when in fact, the important public health risk management aspect is whether a product non-conformity has been halted or not.

It is vital then that we improve understanding of what a CCP actually is to ensure wider uptake, ensure improved public health risk management and improve product governance overall.

What is a CCP?[1]

A CCP is defined variously in different guidance material however, in essence it means if you lose control at that point in a system, then you can no longer be confident of supplying fit for purpose product. The concept of CCPs generally applies to safety criteria, not quality criteria. Many people use the term QCP (quality control point) or OCP (operational control point) for points where control is still required, but not necessarily critical i.e. these points tend to support the correct operation of a CCP. CCPs are usually set up with three zones – as shown in Figure 1.

CCPs generally have ‘green’, ‘orange’ and ‘red’ zones. These zones are called different things in different jurisdictions. Regardless of terminology though, green is safe, orange is still safe but not as certain, and red is unsafe and to be avoided at all costs as this is the danger zone for product safety.

Ideally CCPs will have values for each of the zones, including timing (duration, delay, immediately), and other relevant process information. Each value should have a documented evidence base.

Generally speaking, critical limits will be based on accepted standards of care such as a filtration turbidity limit in national drinking water quality guidance. Target and alert or adjustment limits, will usually be based on history and operating knowledge of the process. We now document, in the CCP table, exactly where the limit comes from, as an historical record of the thinking for that CCP, at that time. This information is especially useful when it comes time for a CCP review or when you are undergoing an audit – there are no awkward moments when everyone is standing around scratching their heads as to why a certain limit was chosen!

Figure 1. Zones of operation, for a critical control point (Source: D2K Information).

What would a computer think?

Understanding whether a product has left a particular step in the manufacturing process is a key component in understanding the overall product safety and quality risk and CCP performance, relative to other steps in the process. It is imperative that CCPs are set up correctly and that the process logic incorporates and addresses all conditions for the relevant ‘zones’ of the CCP to be met. And this is where the ‘think like a coder’ bit comes in.

As humans, we can infer and interpret, but for a computer, the situation is black and white, the logic either works or it doesn’t. In setting up CCP tables in the past, we have not considered the coding and computer-thinking side of things, it was all very much human-based and workshop-consensus based thinking. It was only when we started to develop our D2K Information product, CCPWatch®, and we had to develop logic tables to automate CCP reporting, that it made us stop and go – seriously, that doesn’t work, what were we thinking?!

We found, among other things, gaps between ranges, lack of clarity in operating commands (i.e. > a value, vs >= a value) and lack of inclusion or lack of clarity in time functions. It took us several iterations within our product team (microbiologist, engineer, coder) and with our client and their regulator, before we had developed the logic to a state, where it could be coded. We’re now at a point where we can even code an inspection-based CCP (reservoir integrity), based on the significant understanding and evidence base we now have, from our re-thought coding perspective. We believe it is the first example of real time reporting for an inspection-based CCP.

We’re also increasingly finding CCP tables that are extremely complex – making them hard to understand from both a human and a machine perspective.

It is also now possible to apply algorithms to CCPs rather than just rely on individual parameters or combinations, and we have developed an in-house algorithm for real time calculation of chlorine disinfection efficacy (CT) from which are obtaining good results in the field. Artificial intelligence and machine learning are also coming down the line allowing much greater understanding and ‘water quality line of sight’ for failure prediction.

Lack of clarity in CCP logic creates a risk to achieving product safety (remembering that under ISO 31000, the definition of risk is the impact of uncertainty on [achieving] your objectives) and customer protection. It’s easy to jump to the next bright shiny thing but the value is in fundamentally understanding your CCP logic in the first place. ‘Thinking like a coder’ has not only helped us improve the way we develop CCPs, it has also helped improve our understanding on the appropriateness of monitoring and overall governance of CCPs – creating a much healthier and consistent drinking water product for the customer.

Our top ten tips for rethinking CCPs

CCPs are not static and should be reviewed based on triggers such as audits, change in operating context and change in process context. So, next time you are reviewing your CCPs and their logic, it’s worth thinking about the CCP ‘conditions’ and overall governance, rather than focussing solely on the limits – here are our top ten tips:

  1. Is there a documented evidence base for the limits chosen?
  2. Is the evidence base appropriate (e.g. national water quality guidelines, accepted industry standard, health regulator consensus, documented historical information on plant performance)?
  3. Has the location of the process step been considered in developing the CCP logic?
  4. Are all parameters required to assess CCP performance collected automatically and frequently enough to capture changes?
  5. Do flow rate, pump status or valve status need to be considered in the CCP Conditions?
  6. Do time delays need to be applied to any of the CCP conditions or should they trigger immediately (and what does ‘immediately’ actually mean, 5 seconds, 10 seconds…..?)?
  7. Do the conditions provide enough information on the safety of the product at that point in the process e.g. achievement of the appropriate contact time for disinfection?
  8. Do water quality parameters need to be considered together rather than as individual limits, to properly understand acceptability (e.g. free chlorine residual, pH and temperature)?
  9. Are there any gaps in the ranges between green, orange and red states?
  10. Have the appropriate mathematical operators been used in establishing the logic – would a computer understand what you are trying to achieve?

If you need help with CCP review or want to know more about automating CCP assessment, alerting and internal and external reporting – we’re here for you

Dr Annette Davison is the Australian Water Association’s 2021 Water Professional of the Year for her work on understanding and applying risk in the water industry. She has over 30 years’ experience in the water and environment industries and holds a Higher National Diploma and BSc(Hons) in Applied Biology (majoring in microbiology), a PhD in environmental microbiology and biochemistry, a Master’s degree in Environmental and Local Government Law, is a Graduate of the Australian Institute of Company Directors and Professional Member of the Australian Water Association.

Sarah Loder is a qualified engineer, specialising in strategic risk management and process improvement for the water industry, with a background in both engineering consulting and management consulting (audit and advisory). Sarah has 15 years’ experience in the water industry and has a Bachelor of Engineering (Mechanical) (Hons), a Master of Commerce (majoring in management accounting) and Is an IASSC Certified Green Belt™. She is a member of Engineers Australia and a Professional Member of the Australian Water Association.

James Lucas is a Software Engineer with a passion for applying technology to improve lives. James has 18 years experience in information systems, software architecture, sensor networks and infrastructure management. James founded Edge Telemetrics in 2019.


[1] Adapted from Davison, A. (2020). Application of ISO 31000 to Drinking Water Quality Management: A Practical Approach. First edition. Published by Risk Edge Pty Ltd. ISBN 978-0-9875560-0-4.


Dr Annette Davison, Director and Principal Risk Analyst, Risk Edge Pty Ltd; Co-founder and R&D Manager, D2K Information Pty Ltd, Australia

Sarah Loder, Senior Risk Analyst, Risk Edge Pty Ltd; Product Manager, D2K Information Pty Ltd

James Lucas, Software Engineer and Director, EdgeTelemetrics Pty Ltd

#riskcommunication #riskmanagement #evidencebaseddecisions #ISO31000