FSMA Supply Chain Preventive Controls: Key Terms and When They Apply
Supply chain preventive controls are one of the most misunderstood sections of the FSMA Preventive Controls for Human Food rule. The terminology is dense, the relationships between terms are not always obvious, and the consequences of getting it wrong show up in your Food Safety Plan as documented gaps.
If your facility receives ingredients or raw materials where a hazard has been identified but is not controlled at your site, you are in supply chain preventive control territory. Understanding the terminology is not an academic exercise. It determines what your Food Safety Plan must contain and what your suppliers are required to do.
What Is a Supply Chain Preventive Control?
Under 21 CFR Part 117, a supply chain preventive control (SCPC) is a specific type of preventive control applied when a hazard in a raw material or ingredient is controlled by your supplier rather than by your facility.
This applies when your Hazard Analysis identifies a known or reasonably foreseeable hazard in an incoming material and concludes that the hazard requires a preventive control, but that control occurs before the material reaches you. Your job is not to eliminate the hazard directly. Your job is to verify that your supplier is doing so effectively.
Three conditions must be true for an SCPC to apply: the hazard is present in the raw material or ingredient, it is not controlled at your facility, and you have determined that supplier control is appropriate.
The Core Supply Chain Preventive Controls Terminology You Need to Know
Receiving facility. This is you. The receiving facility is the entity that receives raw materials or ingredients from a supplier and is subject to the SCPC requirements under 21 CFR Part 117 Subpart G.
Supplier. The supplier is the entity that provides the raw material or ingredient to the receiving facility. Importantly, the supplier is responsible for controlling the hazard. They may be a grower, processor, manufacturer, or distributor depending on the supply chain structure.
Approved supplier. Before you can use a supplier for materials where an SCPC applies, that supplier must be approved.
Approval is based on an evaluation of the supplier’s performance and the risk associated with the ingredient and hazard. Your Food Safety Plan must document the criteria you use to approve suppliers and the approval status of each.
Supplier verification activity. This is the mechanism you use to confirm that your approved supplier is controlling the hazard as required. The regulation identifies four examples: onsite audits, sampling and testing of the raw material or ingredient, review of the supplier’s relevant food safety records, and other appropriate supplier verification activities based on the risk.
Onsite audit. An onsite audit is a visit to your supplier’s facility to evaluate whether they are controlling the identified hazard.
Under 21 CFR 117.430, an onsite audit is required as the initial verification activity when the hazard being controlled is one that could cause serious adverse health consequences or death (a Class I or equivalent hazard) unless sampling and testing provides an adequate alternative. The audit must be conducted by a qualified auditor.
Qualified auditor. A qualified auditor is a person who has the technical expertise obtained through education, training, or experience (or a combination) necessary to perform a food safety audit of the supplier. This is not the same as a PCQI.
A PCQI oversees the Food Safety Plan. A qualified auditor conducts supplier audits. One person can hold both roles if they meet both sets of requirements.
PCQI. The Preventive Controls Qualified Individual is the person responsible for preparing the Food Safety Plan, overseeing preventive controls, and conducting the reanalysis.
For supply chain purposes, the PCQI must review the supplier verification activities and approve the supplier program. PCQI status is typically obtained through completion of a standardized curriculum such as the FSPCA Preventive Controls for Human Food training.
FSPCA. The Food Safety Preventive Controls Alliance is the organization that developed the standardized curriculum recognized by FDA for PCQI training. Completing the FSPCA PCHF course is the most common pathway to becoming a PCQI.
When a Supply Chain Preventive Control Is Not Required?
Not every incoming ingredient requires an SCPC. The requirement applies only when your Hazard Analysis identifies a hazard that requires a preventive control and that control is applied by your supplier.
If you control the hazard yourself at a later step in your process (a kill step, for example), an SCPC is not required for that ingredient. If the hazard is controlled by a customer further down the supply chain and you disclose this in writing, the requirement may shift to that customer. If no hazard requiring a preventive control is identified for that ingredient, no SCPC applies.
This is an important point that many facilities miss. Not all incoming materials fall under the SCPC requirements. The trigger is always the Hazard Analysis outcome, not the ingredient category or the supplier type.
What Your Food Safety Plan Must Include?
If your Hazard Analysis determines that an SCPC applies, your Food Safety Plan must document:
The written SCPC procedure, the criteria used to approve suppliers, the list of approved suppliers, the supplier verification activities for each supplier and each hazard, the frequency of those activities, and the documentation of results. Corrective action procedures must also be in place for situations where verification results indicate a supplier is not controlling the hazard as required.
Many facilities have supplier approval forms and vendor questionnaires but have not connected these to their Food Safety Plan in a way that satisfies 21 CFR Subpart G. A questionnaire alone does not constitute a supplier verification activity. The Food Safety Plan must specify what activity is being used, why it is appropriate given the hazard and risk level, and what the results have been.
What Most Facilities Get Wrong?
The most common gap is treating supplier approval as an administrative step rather than a risk-based decision. Approving a supplier based on a completed questionnaire and a certificate of analysis, without evaluating the hazard type and risk level, does not meet the standard for hazards that require an onsite audit.
The second gap is failing to document the rationale for the verification activity selected. When the hazard is serious, FDA expects to see a documented justification for why the chosen activity is sufficient. “We send a questionnaire every year” is not a justification. A written risk assessment that explains why the activity is proportionate to the hazard is.
There is more complexity in how the SCPC requirements interact with your overall Hazard Analysis, particularly when multiple hazards are present in a single ingredient or when your supply chain has more than two tiers. These scenarios require a structured approach to get right.
If your team manages supplier verification and you want them working from a consistent, regulation-aligned framework, book a private PCHF Version 2 training with us or an internal audit with us.
Start by booking a call https://tidycal.com/sfpmconsulting/strategy-call