The delivery arrives at 06:15. Your usual dried herb supplier has substituted a different origin without notice. The driver waits. Production needs the material for today's batch. The incoming goods checklist asks: "Approved supplier?" You check the approved supplier list. The name isn't there. The driver says it's the same product from their other warehouse. You waive it through. Three months later, an EHO reviews your supplier approval records during a routine inspection. They trace that delivery to your approved list. Finding: "Raw material received from unapproved supplier. No documented justification. No risk assessment." Supplier approval is not a procurement function. It is a HACCP prerequisite programme. Getting it wrong undermines every CCP that follows.
What You'll Learn
- Minimum documentation requirements for supplier approval under Regulation (EC) 852/2004 and traceability obligations under Regulation (EC) 178/2002
- How to evaluate GFSI certification equivalence and when additional verification is required
- Emergency supplier procedure that satisfies auditor scrutiny without compromising food safety
Part 1: Regulatory Foundation
Regulation (EC) 852/2004 on hygiene of foodstuffs establishes the obligation for supplier control. Article 5 requires food business operators to put in place, implement, and maintain a permanent procedure based on HACCP principles. Supplier approval is a prerequisite programme supporting HACCP. Without effective supplier control, hazards introduced with raw materials may not be controlled by subsequent CCPs.
Chapter IX of Annex II to Regulation (EC) 852/2004 specifically addresses provisions applicable to foodstuffs. Paragraph 3 states: "A food business operator must not accept raw materials or ingredients, other than live animals, or any other material used in processing products, if they are known to be, or might reasonably be expected to be, contaminated with parasites, pathogenic microorganisms or toxic, decomposed or foreign substances to such an extent that, even after the food business operator had hygienically applied normal sorting and/or preparatory or processing procedures, the final product would be unfit for human consumption." This creates a positive obligation to assess incoming materials before acceptance.
Regulation (EC) 178/2002 Article 18 requires traceability at all stages of production, processing, and distribution. Food business operators must be able to identify any person from whom they have been supplied with a food, feed, food-producing animal, or substance intended to be incorporated into a food. This is the "one step back" traceability obligation. Supplier approval records are the foundation of meeting this requirement.
For UK operators, these obligations are retained in domestic law. The Food Safety and Hygiene (England) Regulations 2013 maintain the requirement for HACCP-based procedures including supplier control. The FSA Food Law Code of Practice expects local authority officers to verify supplier approval during inspections.
Part 2: Approved Supplier List — Minimum Requirements
The approved supplier list is the central document of supplier control. It must be a controlled document, maintained current, and accessible to personnel making receiving decisions. A spreadsheet saved on a leaver's desktop is not an operational approved supplier list.
Minimum content for each entry includes: supplier legal name and registered address (not only trading name), site address where product is manufactured or packed, products or material categories supplied from that site, approval status with date of initial approval and next review date, basis of approval, and any restrictions or conditions applied.
Basis of approval is the critical field. It records why the supplier is approved. Options include: third-party certification to GFSI-benchmarked standard, second-party audit conducted by the purchaser, questionnaire with supporting evidence, or historical performance with certificate of analysis conformance. The basis must be appropriate to the risk of the material supplied. High-risk RTE ingredients require stronger evidence than ambient dry goods.
| Risk Category | Material Examples | Minimum Approval Basis |
|---|---|---|
| High | RTE dairy, cooked meats, washed produce | GFSI certification or second-party audit |
| Medium | Frozen raw meat, pasteurised liquid egg | Questionnaire with CoA review or certification |
| Low | Ambient dry goods, canned products | Questionnaire with CoA or historical performance |
The list must include suppliers of food contact materials, cleaning chemicals, and outsourced services where these affect food safety. Pest control contractors, laundry services for workwear, and sanitation chemical suppliers all require approval and inclusion.
Part 3: Supplier Questionnaires
The supplier questionnaire is the most common initial approval document. It is also the most frequently inadequate. A questionnaire that asks only "Do you have HACCP?" with a yes/no tick box provides no meaningful assurance. Auditors will reject questionnaires lacking specific, verifiable information.
An effective questionnaire collects: site registration or approval number where applicable under Regulation (EC) 853/2004, scope and expiry date of any third-party certification with certificate number, details of HACCP team leader and qualifications, allergen management programme summary including whether site handles specific allergens of concern, pathogen environmental monitoring programme for high-risk products, and traceability test frequency.
The questionnaire should request supporting evidence. A copy of the current third-party certificate is minimum. For high-risk materials, request the most recent audit report summary or corrective action log. A supplier unwilling to share this information presents elevated risk regardless of stated credentials.
Questionnaires require periodic review. Annual review is standard. A questionnaire completed in 2019 provides no assurance of current practice. The approved supplier list should record questionnaire expiry and prompt renewal.
Part 4: Third-Party Audit Equivalence
GFSI-benchmarked certification standards — BRCGS Food, IFS Food, SQF, FSSC 22000 — provide a baseline of assurance. However, certification is not automatic approval. The purchaser retains responsibility for determining whether the scope of certification covers the materials supplied and whether any exclusions apply.
Certificate verification requires checking: certifying body is accredited to ISO/IEC 17065, scope includes the product category being supplied, site address matches the supply location, certificate is current, and no exclusions are noted for relevant product safety requirements.
BRCGS certificates include a grading system. Grade AA and A indicate full compliance at audit. Grade B indicates non-conformities requiring corrective action. Grade C indicates significant non-conformities. Purchasers should establish a policy on minimum acceptable grade. Many UK retailers require Grade A minimum for high-risk suppliers. Certificates with major non-conformities open at time of supply warrant additional scrutiny.
Certification does not eliminate the need for ongoing verification. Certificate validity confirms the system was compliant on the audit date, which may be 11 months prior. Certificate of analysis review and incoming goods inspection remain required regardless of certification status.
Part 5: Certificates of Analysis
Certificate of analysis (CoA) or certificate of conformance (CoC) provides batch-specific assurance. CoA contains actual test results. CoC states conformance to specification without providing data. The distinction matters. CoA is required where specification limits relate to food safety — microbiological criteria under Regulation (EC) 2073/2005, mycotoxin limits under Regulation (EU) 2023/915, or allergen declarations.
CoA review must verify that the results meet specification and that the testing is appropriate to the material. A CoA for RTE cooked chicken showing Listeria spp. tested but not Listeria monocytogenes is inadequate. A CoA for ground paprika showing total aflatoxin but not ochratoxin A may be incomplete depending on origin risk.
Frequency of CoA requirement depends on risk. High-risk materials may require CoA with every delivery. Medium-risk may accept periodic CoA with reduced frequency testing. Low-risk may accept CoC with annual CoA verification. The HACCP plan should define frequency based on hazard analysis of the material.
CoA review is a receiving CCP in many HACCP plans. The monitoring procedure must specify who reviews, what parameters are checked, and what corrective action applies when CoA is missing or shows out-of-specification results. Rejecting the load is the default corrective action. Use pending investigation is not acceptable without documented justification and traceability hold.
Part 6: Emergency and Unapproved Suppliers
Every site occasionally faces supply disruption requiring purchase from a non-approved source. The auditor expects to see a documented procedure for managing this scenario, not evidence it never occurs. A site claiming zero emergency purchases in three years invites scrutiny.
The emergency supplier procedure must include: risk assessment completed before use, not retrospectively, specifying the material, reason standard supplier unavailable, proposed alternative source, and justification that risk is not increased. The assessment must be approved by technical management, not procurement alone.
Additional controls for emergency use include: increased sampling and testing of the specific batch, full traceability segregation until testing clears material, enhanced incoming inspection, and formal approval review within defined period if source becomes ongoing.
Emergency use should be time-limited. A single delivery under concession is defensible. Six months of weekly deliveries from the same "emergency" source indicates the approved list is not being maintained. The auditor will find that the procedure is being used to bypass normal approval, not to manage genuine emergencies.
Records of emergency use must be retained with traceability to the specific batches produced. Regulation (EC) 178/2002 Article 19 requires operators to withdraw product if they have reason to believe it is not compliant with food safety requirements. Traceability records linking emergency supply to finished product are essential for effective recall.
Part 7: Supplier Performance Monitoring
Supplier approval is not a one-time event. Ongoing performance monitoring is required. The HACCP prerequisite programme must define how supplier performance is measured and what triggers review or removal from the approved list.
Performance indicators include: CoA conformance rate, delivery note accuracy for traceability information, incoming goods inspection rejection rate, complaint or foreign body incidents traced to supplier, audit non-conformance trend where applicable, and responsiveness to corrective action requests.
Review frequency should be defined. Annual review of all approved suppliers is minimum. High-risk suppliers may warrant quarterly review. Review includes verification that certification remains current, questionnaire renewal completed, and performance indicators within acceptable limits.
Suppliers with declining performance require documented action. This may include increased inspection frequency, request for corrective action plan, or suspension pending audit. Suppliers removed from the approved list must be flagged to procurement with effective controls preventing future purchase. Reinstatement requires documented corrective action verification.
| Performance Issue | Required Action | Documentation |
|---|---|---|
| Single CoA out-of-spec | Reject load, request investigation | Rejection record, supplier response |
| Repeated CoA failures | Suspend approval, require corrective action plan | Suspension notice, CAPA review |
| Certification expired | Suspend until renewed | Updated certificate before reinstatement |
| Traceability failure | Immediate suspension | Investigation report, evidence of correction |
Part 8: Traceability Integration
Supplier approval and traceability are linked obligations. Regulation (EC) 178/2002 Article 18 requires operators to have systems in place to identify suppliers. The approved supplier list is the index for that system. Delivery records provide the transaction-level traceability.
Traceability information required at receipt includes: supplier name and address, product description and lot or batch code, quantity, and date of receipt. This information must be retained and linked to finished product batches. Regulation (EC) 178/2002 does not prescribe a fixed retention period; retention should be proportionate to the shelf-life of the product and the reasonable foreseeable period during which a recall or investigation could arise.
Traceability testing under Article 18 requires demonstration that the system can make information available to competent authorities without undue delay. The test should include a forward trace from raw material to finished product and backward trace from finished product to all raw materials and suppliers. Many third-party certification schemes such as BRCGS set their own benchmark timeframes for traceability exercises, but these are scheme requirements, not statutory obligations.
Supplier approval records are examined during traceability tests. The auditor will select a finished product batch, trace to raw material lots, then verify that each supplier appears on the approved list at the date of supply. A supplier not on the list at the date of supply is a finding regardless of current approval status.
Part 9: Outsourced Processing and Subcontractors
Outsourced processing presents specific approval requirements. Where part of production is subcontracted — off-site freezing, contract packing, third-party storage — the subcontractor is a supplier for HACCP purposes and requires approval.
Approval of subcontractors must address: whether the site requires approval under Regulation (EC) 853/2004, HACCP controls for the specific process outsourced, segregation and traceability during subcontract operation, and transport conditions between sites.
The contractual relationship does not transfer food safety responsibility. The brand owner or manufacturer placing product on the market retains responsibility for ensuring all stages of production meet food safety requirements. Approval of subcontractors must be equivalent to direct supplier approval.
Audit of subcontractors is often more critical than audit of raw material suppliers because the subcontractor is handling the operator's product. A second-party audit of critical subcontractors is standard industry practice. Reliance solely on third-party certification without site visit may be challenged for high-risk processes.
Part 10: Documentation and Record Retention
Supplier approval documentation must be organised and retrievable. The auditor will request the supplier approval file for a specific material. Inability to produce records within reasonable time suggests the system is not maintained.
Required records include: approved supplier list current and historical versions, supplier questionnaires with supporting evidence, certificates of analysis for received batches, third-party certificates with verification of currency, performance review records, emergency use concessions with risk assessments, and records of any supplier audits conducted.
Retention periods should be proportionate to the nature of the material and the foreseeable period during which a recall or enforcement investigation could arise. As a practical guide: approved supplier list versions — permanent or duration of supply relationship plus a risk-proportionate period; supplier questionnaires and certificates — duration of approval plus a suitable period to evidence historic status; CoA and delivery records — retained to cover the shelf-life of products produced plus a reasonable further period; emergency use concessions — retained for the foreseeable investigation horizon; audit reports — duration of approval plus three years. Third-party certification schemes such as BRCGS and IFS prescribe their own minimum retention periods, which operators subject to those schemes must also meet.
Electronic systems are acceptable provided they maintain version control and prevent unauthorised amendment. An uncontrolled spreadsheet is not a compliant system. Audit trails showing who approved supplier additions or changes are required.
Part 11: Common Audit Findings
| Audit Finding | Root Cause | Prevention |
|---|---|---|
| Supplier not on approved list at date of supply | List not maintained; procurement bypasses approval | Integrate approval with purchase ordering system |
| Expired third-party certificate | No certificate expiry tracking | Certificate register with expiry alerts |
| Questionnaire incomplete or outdated | Annual review not conducted | Scheduled review cycle with documented follow-up |
| Emergency use without documented risk assessment | No procedure or procedure ignored under pressure | Simple concession form; technical sign-off required before use |
| CoA not reviewed before use | CoA arrives after material used | Require CoA with delivery; positive release for high-risk materials |
Part 12: Quick Reference — Supplier Approval by Material Risk
| Material Type | Approval Basis | CoA Frequency | Audit Requirement |
|---|---|---|---|
| RTE high-risk ingredients | GFSI certified + questionnaire | Every delivery | Second-party audit if high volume |
| Raw meat/poultry | 853/2004 approval + questionnaire | Periodic CoA + incoming inspection | Certification or audit based on risk |
| Ambient dry goods | Questionnaire + CoA verification | Annual CoA | Not routinely required |
| Food contact packaging | Declaration of compliance + questionnaire | CoC per delivery; migration test per specification | Certification for high-risk applications |
| Cleaning chemicals | Specification + food-safe certification | CoC per delivery | Not routinely required |
Key Takeaways
- Supplier approval is a HACCP prerequisite programme required under Regulation (EC) 852/2004. The approved supplier list must be controlled, current, and accessible to receiving personnel.
- Basis of approval must be appropriate to material risk. GFSI certification provides assurance but does not eliminate need for CoA review and ongoing performance monitoring.
- Certificate of analysis review is required for materials where specification limits relate to food safety. Review must occur before use — positive release for high-risk materials.
- Emergency use of unapproved suppliers requires documented risk assessment approved by technical management before material use, not retrospective justification.
- Supplier approval records are traceability records under Regulation (EC) 178/2002. Retention period is not prescribed by Article 18; it should be proportionate to product shelf-life and the foreseeable investigation horizon.
- Auditors cross-reference delivery records against the approved supplier list. Any unapproved supply is a finding regardless of material quality.