I think the way I was understanding it was somewhere in the middle. The way I understand the Supply-Chain PC is that it can be something like a COA can be a control but it must be from an approved supplier and it as well as the supplier must be verified through audits, testing, review of docs etc...
However after reviewing my notes it looks like it may be a moot point anyway because you must have an approved supplier program and in reality it is difficult if not impossible in our industry to determine who your actual suppliers are due to commingling at the elevators...
Thanks for all the advice!
You are on the right track. In my experience, Approved Supplier programs may or may not require COA's, etc. based upon risk level of the product. However if you determine the supplier's product requires a preventive control, then some type of proof that the hazard is being mitigated by the supplier is required. Theoretically this should be addressed in an Approved Supplier program anyway, but I've seen companies "risk-assess away" a COA requirement or testing verification based upon supplier history, etc. just so they wouldn't have to pay for extra testing or risk losing a low-cost supplier. That simply isn't going to fly under FSMA now.
And yes, the elevator storage issue has been forefront in my mind... I'm not sure that there is a good solution for this yet other than good recordkeeping.
Edited by MsMars, 12 December 2018 - 02:53 PM.