Compliance

5 FDA Supplement Regulations You're Probably Violating Right Now

Q: What's the single most important FDA GMP fix for a small brand today?

Product specifications (21 CFR 111.70). It's the most common violation, it's fixable in an afternoon, and having documented specs solves multiple other compliance issues downstream. Write your specs. Sign them. Put them in your batch records. That one action closes the single biggest GMP gap in most small supplement companies.

9 min read Updated June 9, 2026

Most supplement brands know the big stuff. Identity testing. Heavy metals. Don't make drug claims. File your serious adverse events.

But the FDA doesn't just write 483 observations for the obvious violations. They write them for the stuff buried in subparts nobody reads. I've seen brands with clean lab results, proper labels, and solid documentation get hit with observations because they missed something in 21 CFR 111 that their contract manufacturer didn't tell them about.

Here are five regulations that trip up even experienced brands.

1. You Must Establish Your Own Specifications (21 CFR 111.70)

This is the single most common GMP violation I see. 21 CFR 111.70 says the brand owner must establish specifications for identity, purity, strength, and composition of the finished product. You can't just say "matches the manufacturer's spec."

The regulation explicitly requires that YOU determine whether specifications are appropriate. You can't delegate this to your contract manufacturer. If your manufacturer sets the spec and you just accept it without independent review, you're not compliant.

What FDA expects: A document, signed by your QC person, that establishes each specification with a scientifically valid basis. For example: "Product X potency specification: 95-105% of label claim. Basis: USP monograph for ingredient Y, method AOAC 2022.01, validated for this product matrix by third-party lab Z on date."

The testing angle: You can't set specs without knowing what's achievable. Run 3-5 batches first. Get real potency data. Then set your spec based on actual results, not what the manufacturer's spreadsheet says. Specs too tight = every batch fails. Specs too loose = FDA asks why.

⚠️ Note

The most common 483 observation: "You did not establish product specifications for the finished product as required by 21 CFR 111.70(e)." The fix isn't complicated — write specs, sign them, keep them in your batch records. But most brands don't do it because nobody told them they had to.

2. Your QC Person Actually Needs Qualifications (21 CFR 111.12)

Not a suggestion. 21 CFR 111.12(c) says quality control personnel must be qualified by "education, training, or experience." The FDA investigator will ask: "Who is your QC person, and what makes them qualified?"

A lot of small supplement brands name themselves as QC. Nothing wrong with that — IF you can demonstrate qualification. That means: documentation of relevant training, a resume showing relevant experience, or certificates from QC/GMP courses. Naming yourself as QC with zero documentation of qualification is a 483 waiting to happen.

What counts as qualification: A food science degree. Industry experience in supplement QC. A PCQI (Preventive Controls Qualified Individual) certificate. GMP auditor training. Anything that shows you understand what you're signing off on. If all you have is "I care about quality," that's not enough.

The fix, today: Write a one-page QC qualification document listing your relevant training, experience, and any certifications. Sign it. Keep it in your files. When the investigator asks, hand it over.

3. You Need a Written Testing Program — Not Just Test Results (21 CFR 111.75)

21 CFR 111.75 requires a written testing program. Not just running tests and collecting COAs — an actual documented program that describes what you test, when you test it, how you test it, and how you handle failing results.

The regulation distinguishes between raw material testing, in-process testing, and finished product testing. Each needs its own section in the program. Each needs a frequency schedule. Each needs a specification with action limits and acceptance criteria. And the program needs a written justification for any tests you're NOT running (if you're doing skip-lot testing or ingredient monitoring instead of 100% testing, you need to document why).

Most brands have COAs in a folder. Almost none have a written testing program. The FDA notices.

What it looks like: A document covering:

Raw material testing: which tests, at what frequency, which specifications, which lab
In-process testing: weight checks, blend uniformity, disintegration (if applicable)
Finished product testing: identity, potency, microbial, metals — for every batch
Skip-lot justification: if any tests are reduced, document the statistical basis
Out-of-spec procedure: what happens when something fails
QC review and release: who signs, what they check, before product ships

4. Retain Samples Are Mandatory and Specific (21 CFR 111.83)

You must keep retain samples. That part most people know. But the regulation is more specific than "keep a few bottles in a closet."

21 CFR 111.83 says: retain samples must be held for "at least one year past the shelf life date" AND they must be stored under "conditions consistent with product labels." If your label says "store in a cool, dry place," your retain samples can't be in a hot humid warehouse.

Additionally, you need "at least twice the quantity necessary for all tests required to determine whether the dietary supplement meets product specifications." That means: if your lab needs 10 capsules to run the full test panel, you need 20 capsules minimum for retain samples. The FDA can and will ask you to produce retain samples for testing. If you don't have enough, or they were stored improperly, or the shelf life has passed and you've already discarded them — that's a 483.

Also required: A retain sample log. Document what you kept, how much, where it's stored, and when it was discarded (after the retention period).

5. Product Complaints Require Formal Investigation (21 CFR 111.560)

Someone emails you saying "your product made me sick." You refund them and move on, right? Wrong.

21 CFR 111.560 requires a formal investigation of any product complaint involving a possible failure of the product to meet specifications. That means: you document the complaint, you pull the retain sample, you test it, and you write a report. Even if the complaint seems frivolous. Even if you're sure the customer is wrong. The regulation says you must investigate.

If the investigation reveals the product actually failed to meet specs, you must determine if a recall is necessary. And if the complaint involves a serious adverse event, you're into mandatory reporting territory under the serious adverse event reporting rule (21 CFR 111 Subpart O), which has its own timeline (15 business days from receipt) and documentation requirements.

What to have ready: A complaint handling SOP. A complaint log. A retain sample system that lets you quickly pull the relevant batch. And a relationship with a lab that can test retain samples on short notice.

FAQ

Q: Can I be my own QC person for a small brand?

Yes. 21 CFR 111.12 allows QC personnel to be qualified by education, training, or experience. You don't need a specific degree. But you DO need to document your qualifications. Take a GMP training course. Get a certificate. Write it down. If an FDA investigator asks "what qualifies you to be QC?" and your answer is "I started the company," that's not enough.

Q: Do these apply if I use a GMP-certified contract manufacturer?

Partly. Your CM handles manufacturing GMPs (21 CFR 111 Subparts D through L regarding facilities, equipment, production). But specifications (111.70), QC qualifications (111.12), and complaint handling (111.560) are the BRAND OWNER'S responsibility regardless of who manufactures. Your CM being GMP-certified doesn't relieve you of your obligations.

Q: What's the penalty for not following these?

For a first-time observation: a Form 483 at your next inspection. If uncorrected: a Warning Letter, which is public and permanent. If serious and uncorrected: injunction, seizure, or criminal prosecution for knowingly distributing adulterated or misbranded products. Most cases stop at the 483 or Warning Letter stage — but those are public documents your competitors, retailers, and class-action attorneys can find with a Google search.

Q: How do I know which regulations apply to my specific product?

All of 21 CFR 111 applies to all dietary supplements manufactured or distributed in the US. There are some exemptions for very small businesses (less than $500K in annual supplement revenue, fewer than 500 employees), but the exemptions are limited and don't cover everything. When in doubt, comply. The cost of compliance is always less than the cost of enforcement.

Q: What's the first thing I should fix today?

Product specifications (111.70). It's the most common violation, it's fixable in an afternoon, and having documented specs solves multiple other compliance issues downstream. Write your specs. Sign them. Put them in your batch records. That one action closes the single biggest GMP gap in most small supplement companies.

Quick Reference: Obscure Regs Quick Fix

Lab Category Matching

You need an ISO 17025 supplement testing lab that understands 21 CFR 111 requirements — not just runs tests. Labs experienced with GMP release testing will understand batch records, specifications, and retain sample requirements. Avoid labs that only do environmental or water testing.

Internal links: See GMP 21 CFR 111 Checklist and Finished Product Testing.

Real Methods for Compliance Verification

Regulatory Requirement	Testing Needed	Method
111.70 — Specifications	Establish potency ranges from 3-5 batch results	HPLC/ICP-MS as applicable
111.75 — Written testing program	Documented identity, potency, metals, micro schedule	Per USP/AOAC methods
111.83 — Retain samples	2× quantity for full retest	Same as release testing
111.560 — Complaint investigation	Retain sample testing identical to release	Same methods, possibly rush TAT

What Sample to Send (Retain/Complaint Investigation)

Retain samples: Keep at your facility. Store per label conditions. Log quantity, location, batch number.
Complaint investigation: Pull retain sample. Ship to lab with chain of custody. Request same tests as original release panel.

Expected Turnaround

Service	Standard	Rush (complaint investigation)
Specification development support	1-2 weeks	—
Full release panel	10-14 days	5-7 days
Retain sample retest	7-10 days	3-5 days
Complaint investigation testing	—	5-7 days priority

Accreditation Notes

Lab must hold ISO 17025 accreditation from ANAB, A2LA, or equivalent ILAC-recognized body. Scope must explicitly cover dietary supplement finished product testing. For complaint investigations and retain sample testing, having an established relationship with a lab that knows your product specifications speeds everything up.

Price Ranges (US Market)

Service	Low	High
Specification development consulting	$500	$2,000
Written testing program review	$800	$2,500
Full batch release panel	$600	$1,500
Retain sample retest (full panel)	$500	$1,200
Rush complaint investigation testing	$800	$1,800

Country/Region Notes

US: 21 CFR 111 applies to all supplements sold in the US regardless of where manufactured. Import testing is the importer's responsibility.
Canada: NHP regulations (SOR/2003-196) have similar specification, QC, and complaint requirements. Different regulation numbers, same principles.
EU: Directive 2002/46/EC and Regulation (EC) 178/2002 cover specifications and traceability.

Get Compliant — Starting Today

Current situation: ☐ No written specs ☐ No QC qualification documented ☐ No testing program ☐ No retain sample system ☐ No complaint SOP
Product type: [What do you sell?]
Manufacturing: ☐ In-house ☐ Contract manufacturer

Get a Lab for Compliance Testing →

Ready to get your products tested?

Build a basket of the tests you need and compare quotes from ISO 17025–accredited labs in one place. Free to start.

Get lab quotes

Browse all tests & build a quote

More guides

Cost & Pricing

How Much Does Supplement Testing Actually Cost?

Amazon & Marketplace

Amazon Supplement Compliance: Don't Get Delisted

FDA & GMP

The "Oh Crap, The FDA Is Calling" Guide to 21 CFR 111 Testing Requirements

Getting Started

How to Find a Supplement Testing Lab — The Complete Guide