Ten Considerations for Developing a FSMA-Compliant Supplier Verification Program
If you sell or import foods, you need to understand how you’re affected by the U.S. Food and Drug Administration (FDA)’s FDA Food Safety Modernization Act (FSMA) regulations that mandate supplier verification for all food sold in the United States. These new rules are detailed, document-heavy, and prescriptive—and they take effect as early as March 2017 for some companies. The bottom line is that supplier verification under FSMA looks very different than it currently looks under voluntary industry programs. Everyone will need to make changes to be FSMA-compliant. Because ignorance is not an excuse and avoidance is not an option, this article is intended to help you understand what the regulations mean for you and what steps you can take to begin coming into compliance.
Background and Overview
After several years of development, in 2015, FDA published two highly anticipated final rules: Hazard Analysis and Risk-Based Preventive Controls (Preventive Controls) and Foreign Supplier Verification Programs (FSVPs). They are a key part of FDA’s implementation of FSMA. In the big picture, the regulations shift some of the accountability for food safety from the government to food companies and importers by requiring industry members to check up on each other.
The supplier verification requirements under both regulations are parallel. Supplier verification is required when a supplier controls a hazard that can materially affect the food’s safety (as determined through a Hazard Analysis). Supplier verification is not needed if the hazard is controlled somewhere in the supply chain after the supplier and this can be demonstrated to FDA.
The regulations apply to different industry segments for each rule. Under Preventive Controls, the obligations fall on food facilities that are required to register with FDA. As part of their food safety plans, these facilities (or their parent companies) must implement “supply chain controls” as a type of preventive control. Under FSVPs, all “importers” of food must engage in supplier verification. (Hint: Pay careful attention to who is the “importer,” as it may not be whom you’re expecting.) Companies that comply with either regulation are deemed in compliance with the other. Taken together, these rules will require nearly all foods sold in the U.S., and most of their ingredients, to be subject to supplier verification activities by the receiving facility or importer.
The new regulations represent the first time that supplier verification is being regulated comprehensively; therefore, food companies and importers should be carefully assessing their programs to identify gaps and implement changes to address FSMA. This article highlights ten key issues that companies need to be aware of when preparing for compliance.
1. Who Is Legally Responsible for Doing Supplier Verification?
For Preventive Controls, this is a simple issue because the responsibility falls on the registered facility. That facility already is in the business of making food, so the concept of supplier verification should not be new. The facility will need to make changes to its program but is not entirely in uncharted waters.
For FSVPs, in contrast, companies first will need to assess who bears legal responsibility. The legal obligation falls on the “importer.” This term is defined differently than under any other regulation. Is it not necessarily the “Importer of Record” under U.S. Customs regulations; rather, the “importer” for FSVPs is the “person in the United States who, at the time of U.S. entry, either owns the food, has purchased the food, or has agreed in writing to purchase the food.” There are going to be entities in the supply chain that bear this responsibility and do not have any familiarity with food safety. Needless to say, this will cause challenges (but be sure to see the next item below for a tip about how you can leverage help from others).
The essence of the legal requirement for supplier verification is that receiving facilities and importers are now responsible for ensuring that their suppliers are doing a good job. As a starting point, you need to determine whether you are now legally responsible under FSMA for effectively overseeing your supplier’s food safety programs.
2. You Don’t Have to Do It All Yourself!
The regulations allow companies to rely on other entities to do nearly everything that’s required. For example, someone else can conduct the Hazard Analysis, develop receiving procedures, determine appropriate verification activities, and conduct those verification activities. This will be particularly helpful for entities like brokers and traders that own products when they come into the U.S. but do not have expertise in food safety. However, companies cannot disclaim their legal liabilities and still have some obligations under the regulations even when contracting with others to do some or most of the work.
3. Which Suppliers Must Be Verified?
The “supplier” is not necessarily the company that sent you the food. Rather, it’s the last company in the supply chain that grew the food (for produce), raised the animal (for dairy), or engaged in material manufacturing or processing of the food (for other processed foods). For example, if you source fresh produce, it may come from a packing house rather than directly from the farm. The packing house most likely consolidates produce from numerous growers. Those individual growers are the “suppliers” that need to be verified for FSVPs. Likewise, if you source food from a broker, they’re not the entity requiring verification. The supplier is the last entity in the supply chain that has the capacity to control food safety hazards—not an intermediary like a broker, distributor, trader, or packing house.
4. You Need to Develop a Written Program
Companies need to have a written program that explains their supplier verification process. Think of this as a plain-language cover letter that provides an outsider with insight into how your program works. This written program will go a long way when FDA inspects your program, helping to ensure that they understand your approach. It often helps to have the written program vetted by a third party so they can test its clarity and assess whether it truly reflects all of the hard work that went into developing your program.
The key to supplier verification is identifying the hazards that you are relying on your suppliers to control—and then making sure they are taking the necessary steps to control those hazards adequately. Start with the question: “What am I relying on my suppliers to do to ensure safety of the ingredient or other food product?” Then ask: “What do I need to do to be sure my supplier is doing that?”
5. Requiring Annual Audits for All Suppliers Is Not Enough
We often are asked: “Are we compliant if all of our suppliers have Global Food Safety Initiative (GFSI)-benchmarked certifications?” The short answer is no, for two reasons. First, audits are a verification activity, but that’s only one piece of the puzzle. You still need to conduct a Hazard Analysis, evaluate the supplier’s performance, and have other key elements of the verification program.
Second, GFSI audits are not FSMA-compliant (yet). Because FSMA is new, existing audit schemes do not incorporate its requirements. For example, FSMA requires that audits include a review of the supplier’s food safety plan (if any) and its implementation for the hazard being controlled. FDA has explained that “it is premature to reach any definitive conclusions as to whether importers can rely on the results of audits conducted under any existing auditing schemes to verify compliance” with FSMA supplier verification requirements. With time, the leading audit programs are likely to align with FSMA.
6. Who Will Prepare and Oversee Your Supplier Verification Program?
Supplier verification programs must be prepared and overseen by a “qualified individual.” This term is broadly defined as someone who has the necessary qualifications to do the job they’re assigned. For example, the person conducting the Hazard Analysis needs an understanding of food safety hazards. The person assessing supplier risk should understand how a supplier’s food safety history can affect their performance. The person keeping the files needs to understand the importance of record-keeping. At the outset, you need to think through who in your company is going to take the lead on supplier verification and whether you need any additional, or outside, help.
7. There Are a Few Exemptions…
Before you go too far down the road of developing your program, be sure you understand the scope of products that are covered. The regulations include a number of exemptions, including foods under seafood and juice Hazard Analysis and Critical Control Points and alcoholic beverages. There also are specific carve-outs from the Hazard Analysis for certain products.
8. …But Intracompany Shipments and Food Packaging Are Not Exempt
If you’re sourcing food from your own company (or an affiliate), it is not exempt from supplier verification. You can take your familiarity with and trust in this company into account when determining the appropriate verification activities, but you still need to engage in supplier verification. Likewise, “food” is broadly interpreted and includes food contact substances, such as food packaging.
9. Document, Document, Document!
The supplier verification requirements are very document-intensive. There is a full page of regulations in the Preventive Controls rule just itemizing all of the different types of documents needed. Remember the mantra “If it isn’t documented, it didn’t happen.” You’re going to get credit for all of your thoughtful analysis only if you actually write it down, so get in the habit early of documenting every aspect of your program. For example, you need to document your justification for the verification activities necessary for each supplier. Likewise, thoughtful document creation is important—documents can (and will) be held against you if they are not developed carefully. Training on good record-keeping practices is essential.
10. What’s Your Action Plan?
Recognizing what you’re up against is an important first step. Management also needs to understand the scope of requirements so that you have adequate resources to develop a compliance program. A good place to start is conducting a gap assessment to consider where you are today, where you need to go, and how you are going to get there. You’ll also be well served to convene a multi-functional implementation team and to establish meetings to check in regularly. Another step is to work with legal counsel to be sure that all of your implementation efforts are aligned with FDA’s regulations. You don’t want to spend 6 months going in the wrong direction, only to find out that you didn’t understand what FSMA really requires.
Summary
If you’re feeling confused and overwhelmed, that means you’re paying attention! The new requirements are complicated and daunting, but fortunately there are FSMA experts who can guide you through the regulations and help you develop a compliant program.
It’s important to get started soon, as the compliance dates will be here before you know it. The supplier verification requirements in the Preventive Controls regulation take effect in March 2017 for companies with over 500 employees. FSVP takes effect as early as May 2017 for some importers. (And note that you may have different compliance dates for different suppliers under both regulations, so even determining your compliance date can be complicated!)