Supply chain preventive controls: explained!

Within the Preventive Control Rule for Human Food in subpart C: Hazard analysis and risk-based preventive controls, §117.135 details the types of preventive controls that are required, these are:


  • Process preventive controls
  • Food allergen preventive controls
  • Sanitation preventive controls
  • Supply-chain controls
  • Recall plan
  • ‘Other’ preventive controls
In the following posts I’m going to go through each, one by one – to explain what is required to comply with the rule and also how this fits to the requirements of BRC. I know you’re keen to understand the supply-chain preventive controls, so I’ll go through those first.

Supply-chain Preventive Controls

First of all, you need to work out what supply-chain preventive controls you need to apply.

To do this, you need to carry out a risk assessment of your raw materials (as we would for clause of the BRC Food Safety standard).  For each raw material (or group of raw materials) list and assess the inherent hazards for that raw material.

Where a raw material hazard is risk assessed as significant, a preventive control must be applied.  The preventive control must be one of the following:

  • A supply-chain preventive control applied by your suppliers (before it gets to you)
  • a preventive control applied by you
  • a supply-chain preventive control applied by your customer or the consumer (after it leaves you).

Only where a supply-chain preventive control must be applied (by your suppliers or by your customer), do you have to comply with Subpart G of the rule (I’ll explain that in a bit).

You do not need to apply supply-chain preventive controls, if:

  • You do not identify any raw material hazards
  • you risk assess the raw material hazards and they are not significant, so do not need a preventive control
  • you apply the preventive controls at your facility, therefore making the food safe anyway.

Where you have identified preventive controls that must be applied to make the food safe, either before it gets to you (by your suppliers) or after it leaves you (by your customers) – you must adhere to the requirements of subpart G.

Out of all the preventive controls, the FDA have provided the most guidance for the supply-chain preventive controls – explained in subpart G of the rule.  However, reading the rule is really hard going, so I’m going use the clause references (shown using a ‘§’) and pull out the important parts and ‘translate’ them into plain English.

§117.406 Requirement to establish and implement a supply-chain program

This clause defines who must put a supply-chain program in place.  All facilities must put a supply-chain program of preventive controls in place, unless they are:
  • An importer – and so, they must follow the foreign supplier rule instead which essentially meets the same requirements
  • only providing food for research or evaluation purposes.
Where food is supplied for research or evaluation purposes:
  • It must not be sold for retail purposes
  • it must not be distributed to the public
  • it must be labelled ‘Food for research or evaluation use’
  • it must only be supplied in small quantities (quantities consistent with research)
  • it must be accompanied by paperwork that details the research destination, purpose and that it cannot be used for any other purpose.
It states that the supply-chain program must be documented. It also states that where a supply-chain preventive control is applied not by the facilities supplier, but by another party further up the supply-chain (so, essentially your suppliers, suppliers), then:
  • The facility must verify the supply-chain preventive control
  • or, obtain documentation from the party that applies the supply-chain preventive control, and then assess the documentation to ensure that the controls they have in place are sufficient. This must be documented.

If you adhere to section 3.5 of the BRC Food Safety standard, the only additional thing you will need to do to comply with clause §117.406 – is the verification of supply-chain preventive controls, where the control is not applied by your supplier, but by another party further up the supply-chain (your suppliers, suppliers).

§117.410 General requirements applicable to a supply-chain program

This section defines the overall requirements of the supply-chain program, which are:
  • That only approved suppliers must be used
  • it must determine and then carry out the supplier verification activities
  • it must ensure verification or confirmation of supply-chain preventive controls carried out by your suppliers, suppliers (as detailed above).
The supply-chain program documentation must include:
  • The hazard analysis of your raw materials
    • showing which require supply-chain preventive controls
    • and where in the supply-chain the preventive control is required
  • supplier approval and monitoring
  • applicable storage and distribution controls.
This section also states that where it becomes apparent (through supplier monitoring) that the supplier is not controlling the identified hazard, corrective action must be put in place.

If you adhere to the principles of section 3.5 of the BRC standard, the only additional requirement here would be to identify the preventive controls that must be applied – after the product leaves you (by your customer).

§117.415 Responsibilities of the receiving facility

This section explains how the receiving facility can and cannot verify the supply-chain preventive controls, applied by their supplier. Essentially your supplier cannot decide that their controls are adequate, with you confirming your agreement.  This means:
  • The supplier cannot decide the verification activities to control the hazard (without your review and documented approval)
  • the supplier cannot carry out an audit of themselves (this must be done by you, if required)
  • the supplier cannot carry out their own document review (without your additional review and documented approval)
  • the supplier cannot carry out any other activities (without your involvement and documented approval) to prove that the preventive control is effective.
The supplier may however, carry out and provide testing results to you, to prove that the preventive control is effective, for example in the form of a certificate of analysis.

There are no additional requirements in this clause, above and beyond the requirements set out in section 3.5 of BRC.  Supplier audit questionnaires may be seen as the supplier assessing themselves, however – as long as you review the questionnaire to decide if it is sufficient and then document your approval this would comply.

§117.420 Using approved suppliers

There must a documented approval process and the approval of each supplier must be documented. The approval and then routine re-approval (referred to in the BRC standard as monitoring) must take into account:
  • The supplier’s procedures, process and practices – meaning their standard of performance/ ability to produce safe food
  • whether they adhere to the FDA’s regulations, where applicable
  • the supplier’s previous performance in elements such as testing results, complaints, audit results, close out of corrective actions.
This clause also requires procedures to be in place for the receipt of raw materials on delivery.  This must include:
  • A procedure for raw material receipt
  • the procedure must include assessment to ensure that the raw material is from an approved supplier
  • the procedure must include controls for verification of raw materials, when they are received from non-approved suppliers on a temporary basis (BRC refer to this as exceptions – see clause
  • if testing or assessment is required on receipt, the procedure would need to include this and also what to do in the event of a failure.

There are no additional requirements in this clause, above and beyond the requirements set out in section 3.5 of BRC.

§117.430 Conducting supplier verification activities for raw materials and other ingredients

This section defines the types of approval and monitoring activities that can be applied as a supply-chain preventive control.  These activities must be completed prior to the commencement of supply:
  • On-site audit (the frequency of this must be based on risk)
  • written assurance that the supplier is a qualified facility (reviewed annually)
  • written assurance that the supplier is adhering to FDA food safety regulations, or local legislation which is seemed equivalent to the standard in the US (reviewed every 2 years)
  • self-audit questionnaire or description of the preventive controls (no frequency defined so this should be based on risk).
Although it is not clear, in addition to the above types of verification activities, further monitoring of suppliers would also be required – to allow for performance reviews.  This may include complaints, non-conformances and also assessment of certificates of analysis on delivery.
This section also states that verification activities do not need to be completed for suppliers who:
  • For qualified facilities (very small businesses)
  • farms that grow produce and are not covered under the standards for produce safety regulations
  • shell egg produces who has <3,000 laying hens.
The section also includes a statement that there must not be any financial conflicts of interest with suppliers, and that payment for raw materials must not be based on the results of their approval.

There are no major additional requirements in this clause, above and beyond the requirements set out in section 3.5 of BRC.  It would be expected that facilities that are GFSI certified would be acceptable – as this would be seen as an equivalent standard to that expected in the US.  However, the BRC does not state that the frequency of audits must be determined through risk assessment, so where audits are applied this would need to be added.

§117.435 Onsite audit

Basically, this section states that the audits must be completed by a qualified auditor and the scope of the audit must be in line with the FDAs requirements.
It also states that you can substitute an audit if one of the following has been completed within a year of when you would have done your audit:
  • An FDA inspection
  • an FDA instructed inspection of a foreign supplier
  • an inspection carried out by a local authority for that country, which has been approved by the FDA
  • an audit is carried out by a certification body who is recognized by the FDA.
You would need written proof of the above.

BRC does not specify that you can substitute audits by other means.  However, they do allow for approval and monitoring through the application of a third party audit – to which this would fit.

§117.475 Records documenting the supply-chain program

This section repeats all of the requirements already covered, reiterating that records of these elements are required.  Where something is required – you must be able to prove it, therefore you need to record it to do this.  Basically, if it’s not written down – in the FDA’s (or the BRC’s) eyes – it didn’t happen.
The records need to be clear enough and record enough information, so that they can be clearly traced or linked to the particular verification activity.

There are no additional requirements in this clause, above and beyond the requirements set out in section 3.5 of BRC.


There are a few small differences between the requirements laid out by the FDA and the BRC, but nothing major.  If you are looking to implement or update your supply-chain program to ensure that it meets the FDA’s requirements you may find our pack helpful, which meets section 3.5 of the BRC standard.
If you have any questions about the supply-chain program requirements, please feel free to add them to the comments below and I’ll answer them for you.

Have your say…

6 thoughts on “Supply-chain preventive controls

  1. Great comparison, and just what I was looking for. I’ll be sharing this with our customers.

    One specific area I believe that’s different is that the FDA put a heavy emphasis on quite specific methods of supplier performance monitoring, which they state as follows:

    “Before importing a food from the foreign supplier, you must determine and document whether the foreign supplier of the food is in good compliance standing with the food safety authority of the country in which the foreign supplier is located. You must continue to monitor whether the foreign supplier is in good compliance standing and promptly review any information obtained” [ Source: ]

    This is a lot more specific that the relevant BRC clauses and indicates that importers need to know where to get this information, a subject that may prove elusive in some cases due to unfamiliarity with the country of origins regulatory structures (if they exist). Therefore, I believe this means that monitoring other sources is required, such as the FDA Import Alerts, the RASSF database, US Pharmacopoeial Convention / Food Fraud database, and other national databases on food recall, and even social media. I wonder what your views on this topic are as, keeping tabs on multiple channels on many suppliers is not a trivial task and pointers would be helpful.

    Thank you again for a great exploration of the differences between BRC and FSVP requirements.

    James Flynn

    1. Hi James

      Thanks for your comments and the addition of your thoughts. I agree, it will be interesting to see if the BRC include this type of requirement in the new version of the Agents and Brokers standard when it is published. We’ll have to wait and see!

      Your system (3iVerify) will assist greatly in helping importers to trace and manage this information.


  2. Hi Kassy,
    Very informative and great comparison kassy.
    A part from forward supply chain i.e being a manufacture when product leaves you the logistic preventive controls are not discussed in this article. Can you please help. Also please suggest RM vulnerability or threat assessment for both backward( from suppliers) and forward (to customer) part to be addressed in supply chain program and preventive controls may applied to that. Appreciate your feedback thanks

    1. Hi,
      Thank you. PC’s in the forward supply-chain would need to be included where the product is made safe, or kept safe in the forward supply-chain. For example, if the product is dispatched raw and then cooked at the next step in the supply-chain (i.e by your customer) then this PC would need to be included.
      Fraud in the forward or backwards supply-chain would also need to be assessed, yes, but remember – only where there is a risk to food safety (quality or legal issues would not be included).
      Does this help?

  3. Yes quite clear that if there is any food safety risk associated either inherently,environmental and or fraudlent activity. Means process flow must design from start of procurement till customer destination. In case of importing the food to distributers/buyers . Does their facility/storage area would also need to be verified by manufacture?

    As i am going to merge HACCP 22000 with HARPC and your articles are very much helpful. What i get that Conduct hazard analysis without assuming current control measures.
    Identify significant hazard based on risk level.
    Apply preventive controls / control measures that prevent/minimize hazard.
    Identify CCP’s using codex decision tree. rest would be your PCs/OPRP’s.
    Establish critical limits of CCP’s.
    Monitor and verify
    Corrective & Preventive Actions.
    All would be summarized as HACCP/Food Safety Plan in single sheet.
    Lastly does fraud assessment be carried out with hazard assessment because the severity of any fraud always high.
    Am i right…
    Further i need some templates for combining HACCP/HARPC Really thanks if you help.

    1. If you use a facility to store your product, while it is within your ownership, you need to ensure that you have verified the supplier of that service (supplier assurance) – by audit, certificate etc.

      Your summary of the hazard analysis process looks fine to me, just make sure you cover all the topics in the analysis that FSMA require (process, allergens, sanitation, fraud, supply-chain inc raw material risk assessment).

      I have written a book on how to combine your HACCP and HARPC process, which you may find useful:

      Thanks, Kassy

Share your thoughts…

Your email address will not be published.

We've tagged this article as:

The icing on the cake

We've got a range of products for organisations of every size. Our clients agree that they really do put the icing on the cake…