A supplier approval program is the standing system a food company uses to decide which suppliers it is allowed to buy from: qualifying each supplier before the first purchase order, requiring the right documents, and monitoring performance so approval is maintained or withdrawn over time. It is the gate every ingredient and packaging supplier passes through, and the reason a buyer cannot simply order from whoever is cheapest.
Most food safety problems are bought, not made. The contaminated spice, the mislabeled allergen, the packaging that fails migration limits, they arrive at your dock from a supplier, and no amount of in-house control fully compensates for a supplier you never should have approved. A supplier approval program is how you manage that risk at the source. This post covers how to risk-rank suppliers, which documents approval requires, how ongoing monitoring works, and how the program relates to the narrower regulatory requirement of supply-chain preventive controls.
What is a supplier approval program?
A supplier approval program is a documented process for evaluating, approving, and re-evaluating the suppliers who provide your ingredients, packaging, and outsourced processing. It answers one question continuously: is this supplier fit to supply this material, and do we have the evidence to prove it? Approval is a status, not a one-time event, it is granted on evidence, maintained by monitoring, and revoked when performance or trust breaks down.
Every GFSI-benchmarked scheme requires one. Whether you certify to SQF BRCGS, or FSSC 22000, the code expects a documented program for approving suppliers and for the ongoing verification that they continue to meet your requirements. Auditors treat a missing or paper-thin approval program as a serious finding, because it is the control standing between your process and every hazard your suppliers could introduce. Our GFSI certification guide covers how the schemes frame it.
It helps to draw a clean line up front, because two related things get confused:
- The supplier approval program is the broad operational engine. It governs every supplier and material, using risk to decide how much scrutiny each gets. This post is about that program.
- Supply-chain preventive controls are a narrower regulatory requirement under FSMA that apply only when your hazard analysis identifies a hazard controlled by the supplier rather than by you. They live inside the approval program but do not replace it. That is the subject of the companion guide.
How do you risk-rank suppliers?
You risk-rank suppliers by the hazard the material carries and the confidence you have in the supplier, then let that ranking set how much evidence approval requires. A high-risk material from an unproven supplier earns an audit and lot testing; a low-risk material from a certified, long-trusted supplier earns a specification and a certificate. Matching effort to risk is what keeps the program both credible and affordable.
Two inputs drive the rank. First, the intrinsic risk of the material: does it carry a pathogen, an allergen, a mycotoxin, a chemical hazard, or a fraud incentive, and does your process include a step that controls that hazard downstream? A raw spice added to a ready-to-eat product is high risk; a corrugated shipper is low. Second, the confidence in the supplier: their food safety certification status, their history with you, their process maturity. Plot the two and the tier falls out.
What documents does supplier approval require?
Supplier approval runs on a defined document set, and the tier decides which documents are mandatory. The point is not to collect paper for its own sake, each document answers a specific question about whether the supplier is fit to supply.
| Document | What it proves | Typical requirement |
|---|---|---|
| Specification | What you are actually buying: the agreed limits for the material, including food safety parameters | Required for every material, signed by both parties |
| Food safety certification | That the supplier runs a benchmarked food safety system audited by a third party | GFSI certificate for higher-risk materials; verify it is current and covers the right scope |
| Certificate of analysis (COA) | That a specific lot meets the specification on the parameters that matter | Per lot for higher-risk materials; periodic for lower-risk |
| Supplier questionnaire / self-assessment | The supplier's own programs where no third-party audit exists | Common for low-to-medium risk in place of an audit |
| Audit report | That an independent party verified the supplier's system on site | Second- or third-party audit for high-risk suppliers and hazards |
| Allergen and regulatory statements | Allergen status, country of origin, and applicable regulatory declarations | Required where allergens or regulatory claims are in play |
The single most common weakness is treating a certificate as a filed artifact rather than a verified fact. A GFSI certificate in your folder means nothing if it expired last quarter, covers a different facility, or excludes the product you buy. Approval means someone checked, and set a reminder to check again before it lapses. The specification is the other frequent gap: buying to a purchase-order description rather than a signed specification leaves you with no agreed standard to hold the supplier to when a lot goes wrong. This is the same discipline your broader supplier quality management program applies across all purchased materials.
How do you approve and monitor suppliers?
You approve a supplier by gathering the tier-appropriate evidence and having a qualified person sign off, then you monitor performance so approval stays earned. Approval is the beginning of the relationship, not the end of the work, a supplier who was fit two years ago may not be fit today. Here is the program in seven steps.
- Define the material and its hazards. Before you can approve a supplier you have to know what the material carries. Run the hazard analysis for the ingredient, pathogen, allergen, chemical, physical, fraud, and note whether your process controls each hazard or the supplier must. This connects directly to your HACCP plan.
- Risk-rank the supplier-material pair. Combine material hazard and supplier confidence to set the tier. Rank the pair, not just the supplier: the same supplier may be low-risk for one item and high-risk for another.
- Collect the required documents. Gather the specification, certification, COA arrangement, questionnaire, and audit appropriate to the tier. Missing documents mean not-yet-approved, not approved-with-exceptions.
- Verify, do not just file. Confirm the certificate is current and in scope, the specification is signed, and the audit is recent and relevant. Verification is the step that separates a real program from a folder of PDFs.
- Approve with a signature and a status. A qualified person records the approval decision, the basis for it, and any conditions. Give each supplier-material a clear status: approved, conditionally approved, or not approved.
- Monitor performance continuously. Track incoming nonconformances, COA compliance, and delivery against each approved supplier. Feed it from receiving data and nonconformance records you already generate, not a once-a-year memory exercise.
- Re-approve on a schedule and on triggers. Re-evaluate on a defined cadence, annually for higher-risk, and off-cycle whenever a certificate lapses, an audit expires, ownership changes, or an escape occurs. Withdraw approval when the evidence no longer supports it.
How does the program satisfy FSMA and GFSI?
The approval program satisfies GFSI schemes directly and provides the foundation FSMA's supply-chain program builds on. For GFSI, the codes require a documented approach to approving suppliers and verifying they keep meeting requirements, exactly what the program above produces. For FSMA, the U.S. preventive-controls rule adds a specific layer: when your hazard analysis finds a hazard that is controlled by the supplier rather than by your process, you must have a supply-chain program with approved suppliers and defined verification for that hazard.
The relationship is nesting, not duplication. The supplier approval program is the wide gate every supplier passes through; supply-chain preventive controls are the extra, regulated scrutiny applied to the specific supplier-controlled hazards FSMA cares about. Build the approval program well and the FSMA piece becomes a documented subset of it rather than a separate system. The supply-chain preventive controls guide covers exactly when that regulated layer kicks in and what verification it demands.
By the numbers. The regulatory and benchmark anchors for supplier approval:
- FDA's preventive-controls rule requires, in 21 CFR Part 117 Subpart G that receiving facilities use approved suppliers and conduct supplier verification for raw materials with a hazard requiring a supply-chain-applied control.
- The Global Food Safety Initiative benchmark, met by schemes such as SQF, BRCGS, and FSSC 22000, requires a documented supplier approval and ongoing-verification program as a core element of every recognized code.
Where does the program live?
An approval program is a document- and date-management problem as much as a food safety one: certificates that expire, audits that age out, COAs that must match specifications lot after lot, and nonconformances that need to roll up by supplier. On paper and in scattered folders, the expired certificate is discovered by the auditor, not by you, and the slipping supplier is spotted after the recall, not before. Capturing approval status, document expiries, and incoming performance as connected records turns the program into a live control with reminders and trends instead of a binder that is accurate only on the day it was assembled. That is the kind of plumbing Harmony's connected data model handles alongside the supplier quality and traceability records you already keep, so approval is something you can prove in minutes, on any supplier, on any day. No rip-and-replace.