Building on our FSMA tip of the week series, let’s take a look at the supply chain program (SCP) requirements. A supply chain is made up of suppliers, receiving facilities, and customers, and each of these roles are defined. The supplier or supplier to the supplier can be the manufacturer, processor, or entity who raises or grows the food. The receiving facility can be the manufacturer or processor. The customer can be a manufacturer, processor, or preparer of the food. Your hazard analysis will identify hazards that require a supply chain program. Your primary question to answer is: who in the supply chain lineup will control hazards requiring a preventive control?
Once a supply chain control is identified, the general requirements for an SCP include the use of approved suppliers, determining what supplier verification activities need to be performed and conducting those activities, documenting the outcome of supplier evaluation and where applicable, verifying that a supply chain applied control by an entity other than your supplier is effective.
If a hazard is considered to be significant, i.e. identified as a severe adverse health consequence or death to humans or animals (SAHCODHA), then the supply chain must evaluate these verification activities:
- On-site audits
- Sampling and testing of raw materials for the identified hazard
- Review of supplier food safety records
- Supplier and/or supplier’s supplier performance history
- Supplier and/or supplier’s supplier regulatory history
- Audit results, corrective actions taken, product testing, COAs, etc.
- Documented review and follow-up on food safety complaints
An SCP will not be required if no hazards requiring a preventive control are identified from your hazard analysis, if the receiving facility will control the hazard, or if a customer or downstream entity provides written assurances that they will control the hazard. There can also be supply chain exclusions when an importer is in compliance with the Foreign Supplier Verification Program (FSVP) or when the food supplied is going to be used for research or quality evaluation and will not be available to the public.
There are a few other circumstances in which supply chain entities are not required to implement a preventive control. In these instances, it must be communicated that the hazard was not controlled and assurances documented that it will be controlled further downstream in the supply chain. The following processes should be in place and documented:
- Customer shipping documents must include the statement “not processed to control (identified hazard)”
- Annual written assurance of the process or food safety requirements that your customer will use to control the identified hazard as well as annual written assurance that your customer’s shipping documents will state “not processed to control (identified hazard)”
- Annual statements of qualification from qualified supplier facilities
- Biannual descriptions from qualified facilities of preventive controls for the identified hazards and a statement of compliance to applicable food safety regulations recognized as equivalent to the FDA
With regard to FSMA timelines, large companies need to have implemented supply chain requirements one year after the rules were published, small companies within two years, and very small companies within three years.
This has been an overview of a very complex regulation. We await FDA guidance documents that will further define the expectations and applications of domestic and import supply chain program preventive controls. Contact us any time with questions or requests for further training on implementation of an SPC.
Next week we will review requirements for records that must be established and maintained to document FSMA compliance.