The past decade has witnessed explosive growth in prepackaged fresh foods designed to be consumed on the go. Individually packaged sandwiches, salads, fresh-cut fruits and vegetables, and snack boxes filled with nuts, hard-boiled eggs, peanut butter, and other foods are readily available at convenience stores, gas stations, coffee shops, grocery store delis, and in almost all airports. Many of these products carry higher microbial risk.

Food companies that prepare these fresh food items often source the individual ingredients from primary suppliers. The food safety risk is typically controlled at primary supplier plants or farms. Should the supplier fail to control the risk and the contamination goes undetected by the receiving plant, the end result could be a foodborne illness outbreak.

The food safety stakes are high. In response to this higher risk, the U.S. Food and Drug Administration (FDA) included requirements for supplier food safety management in the Food Safety Modernization Act (FSMA). While the Preventive Controls Rule applies to FDA-regulated ingredients, the principles and importance of effective supplier food safety management programs cuts across all food, regardless of who regulates or sells it.

FDA and Subpart G

The Preventive Controls for Human Food Rule (21 CFR Part 117) contains seven subparts (A through G). The last, Subpart G, outlines the requirements for receiving facilities to establish and implement a supply chain program.

Subpart G is placed at the end of the Preventive Controls Rule, which is curious, since receiving raw materials is usually the first step in most manufacturing processes. Nonetheless, it is a significant part of the regulation that requires many food manufacturers to elevate their supplier approval and management programs, including the qualifications of the food safety personnel who evaluate and approve suppliers.  

Subpart G, although short in content, pushes industry to the next level in supplier food safety management in an effort to prevent foodborne illness outbreaks related to contaminated supply. The heart of the requirement is that the supply chain program must provide assurance that a hazard requiring a supply chain-applied control has been significantly minimized or prevented. If a process does not include a risk mitigation step (such as cooking), and the risk is controlled by a supplier, then Subpart G applies to the ingredient and the supplier. In these instances, the supply chain program requirement places ultimate responsibility for the safety of raw materials on the manufacturing/receiving facility in the last step of the food production process. It also requires the receiving facility to provide assurance that the materials are safe for human consumption. This is a tall order, even for the best of programs.  

Supplier Approval Programs

Many supplier approval programs today consist solely of a checklist of documents to collect from a supplier and file away in a filing cabinet. Programs that only require the existence of paperwork will likely not meet the risk assessment requirements of Subpart G. Documents commonly collected today are third-party audit reports (or just the audit certificates), Letters of Guarantee, and Certificates of Analysis (COAs).  

Sometimes supplier surveys are completed, but often these surveys are just a repeat of information available through third-party audit reports and provide little insight into the supplier's specific food safety mitigation processes and their effectiveness, as required by Subpart G. Once all the documents are received, the supplier is "approved." In many instances, this approval happens after the material has already been received and utilized. Subpart G is clear in requiring that a supplier risk assessment must be conducted and documented prior to receiving any material to be used in finished goods that will be sold to the public.

Slightly more advanced supplier programs may include requirements for GFSI certification, and even a minimum score. Considering that many foodborne illness outbreaks have been linked to food companies that were certified to a GFSI scheme, this approach should be used primarily as a price of entry, rather than as the full requirement for supplier approval.

Supplier food safety programs based on the exchange and filing of paperwork operate primarily on luck. If a company's luck runs out, it could end up causing human illness and find itself facing civil lawsuits—or worse, criminal charges. As the receiver of these raw materials, a manufacturer/receiver is responsible, by law, for verifying that they are safe for human consumption. Audit certificates and COAs alone will not provide adequate information about a supplier's risk mitigation program and its effectiveness in delivering safe product—which is what the law now requires.

The level of assurance required by the regulation ("significantly minimized or prevented") requires a thorough understanding of biological, chemical, and physical risk, as well as the food safety systems required to mitigate the risk. It requires food safety personnel who have experience with the food categories they are assessing and are capable of applied critical thinking to assess food safety risk. Importantly, it requires the ability of an independent supplier approval department to have authority to approve (or disapprove) sources of supply prior to their use.

Boots on the Ground

The single best way to assess a supplier's ability to manufacture or grow safe materials is through an onsite food safety assessment conducted by a qualified employee of the receiving company, especially when that supplier controls the microbial risk. A "boots-on-the-ground" approach to supplier food safety management allows the receiving company to have greater insight into its supplier's ability to provide safe, consistent supply.

Ideally, the assessment is not a checklist audit of the supplier's facility or farm that duplicates existing audit schemes; rather, it should be an opportunity to gain insight into a supplier's food safety culture and general capabilities. A number of questions can be asked:

  • How do the employees talk to and interact with each other?
  • How organized is the facility?
  • Does the facility design promote food safety?
  • How is the equipment maintained?
  • Who accompanies the representative from the receiving company during their site visit?
  • What are the food safety risks to be mitigated for the ingredient, and what are the outcomes of the food safety systems that are fundamental in mitigating that risk (cooking, cooling, environmental control and monitoring, equipment maintenance and sanitation, employee hygiene, crop inputs on the farm, etc.)?
  • Are the supplier's food safety and quality programs an integral part of its operation and designed to produce or grow safe, consistent product—or do the programs exist just to pass audits?
  • Does the supplier's management team understand its job in relation to food safety?
  • Does the management team set and reinforce the behaviors expected of the plant employees to promote safe food manufacturing?
  • Is the management team trustworthy?

In addition to better insight into a supplier's ability to mitigate food safety risk, having boots on the ground allows the receiving company's team to develop a deeper understanding of its supplier's operation, which can help expedite business recovery when things go wrong. Meeting suppliers in person at their operation also helps build trust and, by extension, improve communication and transparency, which is important when responding to difficult situations.

Why Boots on the Ground? History Speaks—and Repeats

Consider a number of historical foodborne illness outbreaks driven, in large part, by contaminated supply that went undetected by the purchasers of the materials: ground beef sold by Vons to Foodmaker (Jack in the Box) in 1992; peanut butter products sold by the Peanut Corporation of America (PCA) to numerous Fortune 500 food manufacturers in 2008, cantaloupes sold by Jensen Brothers Produce to several large grocery chains in 2011. In these three examples alone, the collective result was more than 1,500 illnesses (many requiring hospitalization and others with lifelong health impairment), 46 deaths, hundreds of millions of dollars in financial losses and insurance payouts, and several criminal prosecutions leading to lengthy prison terms for company owners, plant managers, and a quality assurance manager.

In the aftermath of the PCA illness outbreak, several food manufacturing executives testified before Congress about their role in the outbreak. Some Congressional leaders struggled to understand why Nestle did not approve PCA as a supplier, yet many other companies did. U.S. House Representative Bart Stupak asked, rhetorically, of a large food manufacturer: "Nestle didn't solely rely on an auditor selected by PCA and paid by PCA. It conducts its own audit with its own staff. You all talk about how food safety is the number-one issue. Why didn't you do the same thing?"

Lyndsey Layton, writing for The Washington Post on March 20, 2009, opined: "Nestle USA, considering whether to buy ingredients from Peanut Corporation of America, twice sent its own inspectors to check out the company. Both times, they rejected the company after finding sanitary problems at its facilities in Georgia and Texas, noting rat droppings, live beetles, dead insects, and the potential for microbial contamination. It proved to be a good call." Indeed—it proved to be a multimillion-dollar great call for Nestle, and it likely prevented additional illnesses, hospitalizations, and even deaths.

There is no doubt that the PCA outbreak, and the noticeable differences in supplier approval programs among even top food companies, played a large part in the inclusion of consistent supplier controls in the 2011 Food Safety Modernization Act. In a twist that rivals the best episodes of The Twilight Zone, FDA places the responsibility for ensuring that the supplier's control actually works—all of the time—on the company that receives and uses that supplier's material in its finished goods.

In October 2021, FDA issued a Warning Letter to a manufacturer of vegan cashew brie after a foodborne illness outbreak was linked to its finished products. As part of its investigation, FDA tested and found the same Salmonella serotypes in the manufacturer's supply of imported cashews as in the illness outbreak. The manufacturer relied on COAs provided by the supplier to determine that its incoming supply was safe. However, FDA's response was that because Salmonella had been detected in the cashews, the supplier was not controlling its hazard, regardless of what the COA claimed.

In its Warning Letter, FDA noted, "Your supplier was not controlling the hazard of Salmonella in the raw cashews; therefore, it was not appropriate for you to rely on testing (as reported by the COA) to address the Salmonella hazard. Because the hazard of Salmonella was not controlled by your supplier, it was necessary for you to control the hazard." That statement sums up the intent and requirement of Subpart G. The COAs and other paperwork the cashew brie manufacturer so diligently collected and put into its filing cabinet as part of its supplier paperwork-collecting exercise were ultimately meaningless; the cashews were contaminated regardless of what the Salmonella test results said on the COA. The result was 20 illnesses and five hospitalizations.

On April 22, 2021, the manufacturer voluntarily recalled all of its products from the market and suspended production of any new products. FDA issued regulatory citations to the manufacturer on May 24, 2021, including one for control of raw materials. FDA wrote, "You did not ensure that raw materials and other ingredients were not adulterated by pathogenic microorganisms." A Warning Letter followed on October 19, 2021: "Based on FDA's inspectional findings and analytical results for the environmental samples collected during the inspection, we determined that the RTE [ready-to-eat] vegan cashew brie products manufactured in your facility are adulterated…"

Verifying the effectiveness of a supplier's food safety systems with paperwork alone is a program based primarily on luck. Sometimes, there is no substitute for boots on the ground—or, at the very least, going beyond the checklist.

It bears repeating that if a supplier is supposed to control microbial risk, then a receiving company should put as much effort into verifying that the supplier's controls are effective in controlling risk as the receiving company does into its own verification programs. Our businesses, our employees, and the health and safety of the public depends on it.

Going Beyond the Checklist

Not all companies have the resources to fund onsite assessments for each of their suppliers. Companies with thousands of suppliers likely need to prioritize onsite assessments of their suppliers based on risk, as onsite assessments of each supplier are not logistically possible.

However, if desktop paperwork reviews are the sole basis of a supplier's approval and monitoring, it is imperative that experienced, qualified food safety professionals thoroughly review the content of the documentation as part of their risk assessment. They must go beyond simply collecting documents on a checklist to truly assessing the effectiveness of the supplier's food safety systems in mitigating risk. Note: Assigning this responsibility to employees with little training or experience in food safety management is unlikely to advance your program beyond the checklist.

In addition to the documentation typically requested, process flow diagrams with process control points and limits identified, validation data for the risk mitigation steps in the process, full technical specifications, environmental testing programs and results, and several years of third-party audit reports (as opposed to only the most recent) can provide additional detail on a supplier's food safety systems. Third-party audit reports are valuable in ensuring the existence of food safety programs at the supplier, but it is often necessary to review the design of the food safety programs and the outcomes over extended periods of time to assess whether the processes are in control and effective in mitigating risk. This requires going beyond a third-party audit report and reviewing the content and data from the supplier's food safety programs, which are critical in mitigating the risk of the ingredient that is sourced from them.

Many questions can be considered when assessing potential suppliers. These questions require basic knowledge of how the material is manufactured—either from prior experience or through other training. Some examples include:

  • Where is the product actually made or grown? (This is especially important when sourcing through distributors.)
  • Is the product handled at multiple points past the initial farm or plant?
  • Does the third-party audit (even with a passing score) contain an excessive number of minor observations related to facility and equipment design, sanitation, or employee hygiene? (If so, then the story the audit is telling might require further investigation.)
  • What is the detail behind the testing results a supplier may report on a COA? For example, how frequently does the supplier collect samples from production, what are the sizes of the samples, what labs does the supplier use for testing? Does the supplier maintain control of the inventory while results are pending? How does the supplier define production lots?
  • Are the test results on the COA relevant to the primary risk factors for the ingredient?
  • Is the COA tied to an agreed-upon material specification that includes chemical, physical, microbiological, and organoleptic standards?

Online resources can provide additional insight into a company. FDA maintains a compliance database that discloses inspection results and compliance actions (such as Warning Letters, Import Alerts, and Recalls). The U.S. Department of Agriculture (USDA) Food Safety Inspection Service (FSIS) publishes a Quarterly Enforcement Report that details what regulatory and other actions have been taken against USDA-FSIS inspected operations. Google Maps and Google Earth can often provide a glimpse of the farm operation and its surroundings, or the manufacturing plant exterior, to gauge the general condition of the operation. Also, virtual facility or farm tours—used frequently during the COVID-19 pandemic—can be used in lieu of onsite visits. Although not as impactful as an onsite assessment, a virtual tour can provide a basic overview of the facility or farm and the team members responsible for program execution.

A supplier's financial stability is important to assess during supplier qualification—not only for business purposes, but also to ensure safe supply. Important questions to ask include: How long has the company been in business? How long has it been manufacturing or growing the specific material the receiving company plans to buy? Does the supplier have the financial resources to maintain and invest in facility and equipment sanitary design? Is the supplier adequately staffed to provide acceptable levels of customer service?

It is also important to investigate a supplier's food safety culture. Who leads food safety for the supplier, and what are that person's qualifications? Is food safety part of the company's executive leadership team, and is it a separate position or does it fall under an operations or other executive? How does the supplier talk about food safety and quality on its own websites (if at all)? What metrics does the company's leadership monitor to measure the health of its food safety and quality programs? (Beware if the leading or only metric is third-party audit scores.) Does the leadership team communicate these metrics to all of the company's employees? Is leadership transparent with this information? Is leadership trustworthy?

These questions should be an integral part of the receiving company's overall assessment of a potential supplier. Sometimes the answers will not add up, and the supplier should not be approved even if everything looks sufficient on paper. Sometimes the answers will help determine what level of oversight will be required to manage the supplier if it is approved.

Documents and questionnaires provide information and data; it is the assessment of that information and data leading to insight that should determine a supplier's acceptability. A receiving company needs experienced food safety professionals who can think critically and have the time to do this effectively. Placing numerical scores on all the variables and then adding them up to get one number to describe a supplier's risk over-simplifies the task and is rarely useful in advancing food safety and protecting public health.

Do Not Rely on Luck Alone

Supplier food safety management systems, which include approving new suppliers and ingredients, should be aligned with the risk profile of the ingredients that are being sourced from suppliers (inherent risk) and how those ingredients will be used in a process (applied risk). They do not need to be difficult or complex, even for complex supply chains; however, they do need to ensure that the supplier has food safety systems in place that are effective in mitigating and controlling risk. Maintaining documentation is a necessary part of a supplier management system, and what this documentation tells about the supplier and its product is important—not simply data to be filed away. There is no substitute for having "boots on the ground" to assess how food safety and quality programs are integrated with the front-line operation for those suppliers who mitigate food safety risk on the behalf of a receiving company.

A plant can establish the best food safety systems within its walls, but using contaminated ingredients from a supplier in finished goods can make all those systems worthless in an instant. If the supplier controls the risk, then the receiving company should be placing as much effort into verifying the supplier's controls as the receiving company does in verifying its own.

The stakes have been, and will continue to be, too high to operate on luck alone. Subpart G of the Preventive Controls Rule requires a higher level of supplier and ingredient risk assessment than what many programs accomplish today. A higher level of risk assessment requires a closer level of scrutiny—which means boots on the ground and going beyond the checklist.

Andrew Kesler is the Corporate Director of Supplier Compliance at Taylor Fresh Foods Inc. He leads supply chain food safety systems for Taylor Fresh Foods, a leading producer of salads and fresh, healthy foods with over 20 plants across North America. Previously, he managed supplier food safety programs for McDonald's, Jack in the Box, and Qdoba restaurants. He also provided supplier management support to Subway and other clients as part of Dr. Dave Theno's Gray Dog Partners food safety consulting team. Mr. Kesler began his career in food manufacturing at Hormel Foods after serving in the U.S. Air Force.