Product Family


One of the most notable new mandates of the Food Safety Modernization Act (FSMA) preventive controls rule is the requirement for a supply-chain program, the purpose of which is to “provide assurance that a hazard requiring a supply-chain-applied control has been significantly minimized or prevented.” (A “supply-chain-applied control” is further defined as “a preventive control for a hazard in a raw material or other ingredient when the hazard in the raw material or other ingredient is controlled before its receipt.”)

The FSMA statute specifically identifies supplier verification activities as a preventive control, but the U.S. Food and Drug Administration (FDA) didn’t see it as just as “have to do,” rather the Agency states right in the rule that it believes it to be important that this program be mandated by the rule to ensure the safety of food where hazards are controlled in raw materials and other ingredients before receipt by a receiving facility. Additionally, a supply-chain program would be a fairly standard measure implemented by any food-safety expert to minimize or prevent hazards in incoming supplies.

While the proposed rule did include the requirement for this program, FDA made a few general updates, including a wording change from “supplier program” to “supply-chain program” and its designation in a newly established subpart G with eight sections of regulatory text. The subpart was established to improve clarity and readability. The verbiage change to reflect its applicability to non-suppliers in a new requirement – that is, a supply-chain control can be applied and/or verified by a non-supplier (e.g., distributor, broker, aggregator). But, in that case, the receiving facility must verify the supply-chain-applied control itself; or obtain documentation of the verification activity, review and assess the documentation, and document that review and assessment. In addition to these general updates, the rule includes some revisions from the proposed program.

Does your current program comply with the new rules? If not, what will you need to do to bring it in line? Following is a description of the supply-chain program and its requirements, including changes from the proposed rule.

The Supply-Chain Program

The rule requires a supply-chain program when the receiving facility has identified, through its hazard analysis, that there is a hazard requiring a supply-chain-applied control. The program should address hazards requiring a preventive control that may be intentionally introduced for purposes of economic gain, as well as those unintentionally introduced.

Although FDA is continuing to specify the basic content of a supply-chain program, and it allows for some flexibility, the rule mandates that the supply-chain program must include:

  1. Written procedures for receiving raw materials and other ingredients.
  2. Preventive control management components that include corrective actions and corrections (taking into account the nature of any supplier non-conformance), review of records, and reanalysis.
  3. Supplier approval, and use of only approved suppliers. (However, FDA is considering the issuance of guidance for use of unapproved suppliers on a temporary basis.)
  4. Determining appropriate supplier verification activities (including frequency of each).
  5. Conducting supplier verification activities.
  6. Documenting supplier verification activities, which are to include:   
    1. Onsite audits
    2. Sampling and testing of the raw material or ingredient (by the supplier or receiving facility)
    3. Receiving facility review of the supplier’s relevant food safety records
    4. Other appropriate supplier verification activities based on the risk associated with supplier performance and the raw material or other ingredient

In supplier approval and determination of supplier verification activities, the receiving facility must consider:

  1. The hazard analysis, including the nature of the hazard, applicable to the raw material and ingredients.
  2. Where the preventive controls for those hazards are applied (e.g., supplier, supplier’s supplier, etc.).
  3. The supplier’s procedures, processes, and practices related to the safety of the raw material and ingredients.
  4. Applicable FDA food safety regulations and information and the supplier’s compliance with those (including receipt of any FDA warning letter or import alert).
  5. The supplier’s food safety performance history relevant to the applicable raw materials or, including results from testing for hazards, food-safety audit results, and corrective action.
  6. Any other relevant factors, such as storage and transportation practices

In addition to these requirements, a few other key points of the rule are:

  1. There must not be any financial conflicts of interests that influence the results of the verification activities and payment must not be related to results
  2. Domestic inspection by representatives of other federal agencies (such as USDA), or by representatives of state, local, tribal, or territorial agencies may substitute for an audit.
  3. The definition of “supplier” has been revised so that the grower remains the supplier when the harvester is under separate management. Specifically, the “supplier” is the establishment that “grows” food rather than that which “harvests” food. Doing so focuses the requirements on the entity that produces the food, rather than that which removes the food from the growing area.
  4. Foreign suppliers may provide documentation, when applicable, of a written assurance that the supplier is producing the raw material or other ingredient in compliance with relevant laws and regulations of a country whose food safety system FDA has officially recognized as comparable or has determined to be equivalent to that of the United States
  5. The provisions for supplier verification in the FSVP rule have been aligned with the provisions for a supply-chain program, so importers and receiving facilities can consider compliance with both the supplier-chain-program rule and the forthcoming FSVP regulations, so verification activities do not have to be duplicated.
  6. If the receiving facility is an importer, is in compliance with the forthcoming FSVP requirements, and has documentation of verification activities under FSVP, a supply-chain program is not required even if the receiving facility’s hazard analysis determines that a supply-chain-applied control is required.

As discussed in our blog, What Do the Final PC Rules Mean to You? And When Do You Need to Comply?, different compliance dates were established for the supply-chain program, then for the rule as a whole. This is to align compliance with the dates of FSVP rule to provide greater consistency across this aspect of the programs. It also serves to address comment concerns that a receiving facility would be required to comply with the supply-chain program provisions of before its supplier is required to comply with applicable new FSMA food safety regulations, causing potential revision of the program at that time.


About the Author . . .

Dr. David Acheson  is the Founder and CEO of The Acheson Group.  Dr. Acheson brings more than 30 years of medical and food safety research and experience to the firm.  Prior to forming The Acheson Group, he served as the Chief Medical Officer at the USDA Food Safety and Inspection Service and then in 2002 joined the U.S. Food and Drug Administration as the Chief Medical Officer at the FDA Center for Food Safety and Applied Nutrition (CFSAN).

To contact the author of this story, please complete the below form

Invalid First Name
Invalid Last Name
Country is required
Invalid email
Invalid Captcha

More Articles

Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provides risk assessment reports and other loss prevention services, as requested. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. AXA XL Risk. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any publication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with this publication, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.

US- and Canada-Issued Insurance Policies

In the US, the AXA XL insurance companies are: AXA Insurance Company, Catlin Insurance Company, Inc., Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Specialty Insurance Company and T.H.E. Insurance Company. In Canada, coverages are underwritten by XL Specialty Insurance Company - Canadian Branch and AXA Insurance Company - Canadian branch. Coverages may also be underwritten by Lloyd’s Syndicate #2003. Coverages underwritten by Lloyd’s Syndicate #2003 are placed on behalf of the member of Syndicate #2003 by Catlin Canada Inc. Lloyd’s ratings are independent of AXA XL.
US domiciled insurance policies can be written by the following AXA XL surplus lines insurers: XL Catlin Insurance Company UK Limited, Syndicates managed by Catlin Underwriting Agencies Limited and Indian Harbor Insurance Company. Enquires from US residents should be directed to a local insurance agent or broker permitted to write business in the relevant state.