Navigating FSMA's supplier management requirements
So, your auditor comes in and asks for your supply chain program. You ask, “What is that?”
Welcome to the world of the USDA Food Safety Modernization Act (FSMA) and/or Global Food Safety Initiative (GFSI). Both require you to have a supplier management program. We will examine some of the requirements based on FSMA, but please realize if you are being audited by the Safe Quality Food Institute (SQF), the British Retail Consortium (BRC), etc., auditors may ask for additional items in your program. Remember, if you are a dual-jurisdiction facility, you may fall under FSMA. If so, your regulatory burden just got a lot bigger.
What is the purpose of the supply chain program? The intent is for the manufacturer to analyze all ingredients it uses for potential risk, then determine where those risks are being controlled in the supply chain. Once you know where they are being controlled, you are required to verify those controls are being done and that they are effective in greatly minimizing or preventing the hazard.
For example: You use dried spices as an ingredient in your product. We know there have been Salmonella outbreaks associated with dried spices. How does your spice supplier address that risk? Maybe it irradiates, heat treats, pressure pasteurizes, etc., but you must verify your supplier is doing it and that its system is adequate to address the hazard by significantly minimizing it or preventing it. Another example is that you use a cure powder, and you say too much nitrite is a hazard. How does your supplier know it isn’t putting too much nitrite in the product? Again, you must verify it.
The supply chain is everything before you and everything after you. But you don’t have to physically verify all the way back to the ingredient’s origin. The company that supplies you verifies its supplier and you review its supply chain program to make sure it is verifying the requirements before it gets to them. But it’s not quite as simple as it sounds. The premise is that each step in the supply chain makes sure the one before it is doing everything it needs to in order to significantly minimize or prevent food safety hazards. But if they aren’t, you have to.
When do you not need to have a program? The answer is straightforward, if you control the hazards in your facility or at a subsequent processing facility (which provides verification).
Example 1: You are a cooking facility that has identified E. coli O157:H7 as a hazard on your risk analysis of incoming product, but you cook these products to lethality — you would not need a program.
Example 2: You produce a raw pork sausage product and have identified Salmonella as a potential hazard on the raw pork you receive. You produce and package the product and ship it to a high-pressure pasteurization company which subsequently labels the product and sends you a confirmation certificate of the validated pasteurization process.
So, what are the basic requirements of the written program? The U.S. Food and Drug Administration (FDA) created a bit of a monster with rule 21 CFR 117.410, where you can find the general requirements. The basics that must be included in your written plan include:
- Stating that you are using approved suppliers.
- How you verify your suppliers are following the requirements.
- How you document your verification
- How you verify supplier-applied controls at establishments other than the supplier or your establishment, and how you verify it.
- How the supplier chain identifies how any hazard controlled in the supply chain has been significantly minimized or prevented.
- You must also have written procedures for receiving raw materials and other ingredients and they must include how you verify that you only receive products from approved suppliers.
- The plan must be written.
You have a lot of options concerning implementation of your program. The rule is designed to rely heavily on audits. An entire auditing industry was born out of the rule. For small and mid-size processors relying on suppliers, third-party audits may be the only way to go.
If you haven’t gone over these requirements in the regulation, I strongly suggest you do so. If you are required to have a program under the FSMA, it is a law — one you don’t want to get sideways of.
To access it online, click here. NP