A supply-chain preventive control is what FSMA requires when your hazard analysis finds a hazard in an incoming raw material that your supplier controls instead of your own process. In plain terms: if the safety of an ingredient depends on something the supplier did before it reached you, U.S. food-safety law makes you verify that they actually did it. The requirement is codified in 21 CFR Part 117, Subpart G, the supply-chain program.
This is one of the four preventive-control types a food safety plan can require, alongside process, allergen, and sanitation controls, and it is the one most tied to your suppliers. It is also frequently confused with the broader supplier approval program: the approval program governs every supplier, while supply-chain preventive controls are the narrower, regulated layer that applies only to specific supplier-controlled hazards. This post covers exactly when the requirement triggers, what verification satisfies it, and how receiving controls fit in.
What are supply-chain preventive controls?
Supply-chain preventive controls are the risk-based verification activities a receiving facility must perform to ensure that hazards controlled by its suppliers are, in fact, being controlled. They are one of the preventive-control categories established by FSMA's Preventive Controls for Human Food rule, and they apply specifically to raw materials and ingredients for which the receiving facility has identified a hazard requiring a supply-chain-applied control.
The concept rests on a single question in your hazard analysis: for each hazard you identify, who controls it? If your own process controls it, a cook step that kills the pathogen, a metal detector that catches the fragment, then you manage it with a process control, and the supply-chain rule does not apply to that hazard. But if the hazard is controlled before the material reaches you, by the supplier, then you cannot verify it on your own line, and the rule requires you to verify the supplier's control instead. That is the whole logic. Your hazard analysis is what sorts every hazard into one bucket or the other, which is why a qualified preventive-controls person (a PCQI) owns the decision.
When does FSMA require a supply-chain program?
FSMA requires a supply-chain program when your hazard analysis identifies a hazard in a raw material or ingredient that requires a preventive control and that control is applied by the supplier rather than by you or a subsequent entity in the chain. All three conditions have to be true, and if any one fails, the supply-chain program is not required for that material.
Two clarifications save a lot of confusion:
- It is per hazard, not per supplier. The same supplier can provide one ingredient that triggers a supply-chain control and another that does not. You evaluate each raw material's hazards, not the supplier as a whole.
- A downstream kill step can move the obligation. If your process, or a customer's, applies a control that handles the hazard later, the supply-chain-applied control may not be required of you. The rule follows where the hazard is actually controlled.
There is also a small-business dimension: certain qualified facilities and specific supply-chain relationships carry modified or exempt obligations. As always, the rule text and FDA guidance govern the edge cases, so map your materials against them rather than assuming.
What counts as supplier verification?
Supplier verification is the activity you perform to confirm the supplier is controlling the hazard, and Subpart G gives you a menu rather than a single mandate. The appropriate activity depends on the severity of the hazard and who controls it. The recognized activities are an onsite audit, review of the supplier's food safety records, sampling and testing of the raw material, and other appropriate procedures you justify.
| Verification activity | What it confirms | Best fit |
|---|---|---|
| Onsite audit | That the supplier's food safety plan exists, is implemented, and controls the hazard, verified in person by a qualified auditor | The default for a SAHCODHA hazard controlled by the supplier; performed before use and at least annually |
| Review of food safety records | That the supplier's monitoring and verification records for the hazard show the control working | Lower-severity hazards, or supplementing another activity |
| Sampling and testing | That specific lots of the material meet the hazard limit | Where a test reliably detects the hazard; often paired with records review |
| Other appropriate activity | Whatever a qualified person justifies as providing adequate assurance for the specific hazard | Case-by-case, with documented rationale |
The one hard default worth memorizing: when the hazard could result in serious adverse health consequences or death to humans (a "SAHCODHA" hazard) and the supplier controls it, the required verification is an onsite audit conducted before first use and at least annually thereafter, unless a qualified individual documents a written determination that other activities, or less-frequent auditing, provide adequate assurance. You can deviate, but only with a justified, written basis. Everything else in the menu is available for less-severe hazards without that specific default.
How do approved suppliers and receiving controls fit?
The supply-chain program has two working parts: using approved suppliers, and verifying them. Approval comes first, you may only receive a covered raw material from a supplier you have approved, using a written procedure, though the rule allows temporary receipt from an unapproved supplier if you verify the material before use and document it. The approval mechanics are exactly what a good supplier approval program already produces; Subpart G just makes approval mandatory for these specific hazard-controlled materials.
Here is the program assembled end to end.
- Run the hazard analysis. For every raw material, identify hazards requiring a preventive control and determine who controls each one. This is the gate that decides whether Subpart G applies at all.
- Flag the supplier-controlled hazards. Mark the materials where the hazard is controlled by the supplier, not your process. These, and only these, need a supply-chain program.
- Establish approved suppliers. Approve suppliers for those materials with a written procedure, and receive covered materials only from approved suppliers (or under a documented temporary-receipt provision).
- Choose the verification activity by severity. Assign onsite audit, records review, sampling and testing, or another justified activity to each supplier-controlled hazard, defaulting to an annual onsite audit for SAHCODHA hazards.
- Assign who performs and reviews it. A qualified auditor performs onsite audits; a qualified individual approves suppliers, determines and conducts verification activities, and documents any alternative to the audit default.
- Conduct verification before use and periodically after. Perform the chosen activity before you first use the material and on the defined recurring schedule, not once at onboarding and never again.
- Document everything and act on findings. Keep records of approvals, verification activities, and results, and take corrective action when a supplier's control is not adequate. Records are what make the program auditable and defensible.
A word on receiving controls, because people expect them here: for most supplier-controlled hazards, the verification happens through the audit-or-testing activities above, not through a check at the dock. But receiving is still where approval is enforced, your receiving procedure should reject material from unapproved suppliers and confirm that required documents (like a COA, where that is your verification activity) arrived with the shipment. Receiving is the enforcement point for the program, even when it is not the verification method.
By the numbers. The requirement is regulatory, so the primary sources are the rule and FDA's guidance:
- The supply-chain program is codified at 21 CFR Part 117, Subpart G which sets the approved-supplier and supplier-verification requirements for hazards requiring a supply-chain-applied control.
- FDA's resources on supplier verification confirm that a hazard causing serious adverse health consequences or death, when controlled by the supplier, defaults to an annual onsite audit unless a documented determination supports an alternative.
Where does the recordkeeping live?
A supply-chain program is, on the floor, a recordkeeping obligation: approved-supplier lists, audit reports with their annual due dates, COAs matched to lots, testing results, and the written determinations behind any deviation from the audit default. When those records live in inboxes and folders, the lapsed annual audit surfaces at your own FDA inspection rather than before it, and reconstructing which lot was verified how becomes the worst kind of scramble. Capturing approvals, verification activities, and their due dates as connected records, tied to the material, the supplier, and the hazard, turns the program into a live control that reminds you before an audit expires. That is the plumbing Harmony's connected data model handles alongside the GMP and traceability records you already keep, so proving your supply-chain program is a query rather than an excavation. No rip-and-replace.