Last updated: 2026-03-16
The Food Safety Modernization Act (FSMA) fundamentally shifted the FDA's regulatory posture from reactive — responding to outbreaks — to preventive, requiring food facilities to identify hazards before they cause harm. At the center of that shift sits the Preventive Controls for Human Food rule (21 CFR Part 117), which applies to the vast majority of domestic and foreign food facilities that register with the FDA.
If your facility is registered with FDA and manufactures, processes, packs, or holds food for U.S. consumption, this rule almost certainly applies to you. And the consequences of non-compliance are real: FDA has issued hundreds of Warning Letters and initiated injunctions against facilities that fail to implement an adequate food safety system under FSMA.
This pillar article walks you through every major element your facility must have in place — written plainly, organized practically, and grounded in what FDA actually looks for during inspections.
What Is the FSMA Preventive Controls Rule?
Signed into law in January 2011 and finalized in September 2015, the Preventive Controls for Human Food rule (21 CFR Part 117) is one of seven foundational FSMA rules. It requires covered facilities to implement a Food Safety Plan — a written, science-based system for identifying and controlling hazards that could cause illness or injury.
The rule borrows heavily from HACCP principles but goes further. Where traditional HACCP was voluntary for most sectors (except meat, poultry, and seafood), FSMA makes preventive controls mandatory and extends them beyond just biological, chemical, and physical hazards to include radiological hazards and economically motivated adulteration in some contexts.
Citation hook: Under 21 CFR Part 117, every covered facility must prepare and implement a written Food Safety Plan that is reviewed and signed by a Preventive Controls Qualified Individual (PCQI) — making credentialed human oversight a legal requirement, not a best practice.
Who Must Comply? Covered vs. Exempt Facilities
Not every food business falls under Part 117. Understanding your classification is step one.
| Facility Type | Applicability | Key Threshold |
|---|---|---|
| Large Business (500+ FTEs) | Fully covered | Compliance required since Sept. 2016 |
| Small Business (< 500 FTEs) | Fully covered | Compliance required since Sept. 2017 |
| Very Small Business (< $1M/yr) | Fully covered | Compliance required since Sept. 2018 |
| Qualified Facility (< $1M avg annual sales to consumers/retailers) | Modified requirements | Must submit attestations to FDA |
| Farm (primary production) | Partially exempt | Covered by Produce Safety Rule instead |
| Facility subject to USDA HACCP | Exempt from some provisions | Dual jurisdiction applies |
Key insight: Even "qualified facilities" that claim a modified requirements exemption must still submit Form FDA 3942a or 3942b to the FDA every two years and must disclose their qualified facility status on food labels or at point of sale. Missing this attestation deadline can void the exemption entirely.
The Seven Core Elements of a FSMA-Compliant Food Safety Plan
FDA's Part 117 Subpart C lays out the required components of a Food Safety Plan. Here is what every covered facility must have documented and implemented.
1. Hazard Analysis
The foundation of your Food Safety Plan is a written hazard analysis — a systematic evaluation of each ingredient, processing step, and facility condition to identify known or reasonably foreseeable hazards.
Hazards fall into four categories under Part 117: - Biological (e.g., Salmonella, Listeria monocytogenes, E. coli O157:H7) - Chemical (e.g., allergens, pesticide residues, cleaning chemical carry-over) - Physical (e.g., metal fragments, glass, bone) - Radiological (rare but required to consider)
The analysis must evaluate both the likelihood of a hazard occurring and the severity of the potential harm. Critically, you must also evaluate hazards introduced by economically motivated adulteration if your product is vulnerable. The written hazard analysis must cover every type of food manufactured at the facility.
Citation hook: A hazard analysis under 21 CFR §117.130 must be written regardless of whether a preventive control is warranted — the absence of a documented hazard analysis is itself a 483 observation, even if the facility has a clean safety record.
2. Preventive Controls
For every hazard that is reasonably likely to cause illness or injury if not controlled, the facility must establish one or more preventive controls — measures that are reasonably appropriate to significantly minimize or prevent the hazard.
The rule identifies four types of preventive controls:
| Control Type | Purpose | Common Examples |
|---|---|---|
| Process Controls | Manage hazards during processing | Pasteurization temps, cooking kill steps, acidification pH |
| Food Allergen Controls | Prevent allergen cross-contact and mislabeling | Segregation protocols, label verification, equipment cleaning validation |
| Sanitation Controls | Address environmental pathogens and cross-contamination | Listeria environmental monitoring, sanitation procedures for food-contact surfaces |
| Supply Chain Controls | Control hazards from suppliers | Approved supplier programs, audits, COA verification, incoming inspection |
It is important to understand that not every hazard requires a preventive control — only those where control is necessary to prevent or significantly minimize risk. But you must document the reasoning for any hazard you determine does not require a control.
3. Monitoring Procedures
For each preventive control, your plan must include written monitoring procedures: what is monitored, how it is monitored, the frequency, and who is responsible. Monitoring creates the real-time data trail that demonstrates your controls are consistently operating as intended.
Monitoring records are among the first things an FDA investigator will request during an inspection. Gaps in monitoring records — even if no actual safety event occurred — are a common basis for 483 observations and Warning Letters.
4. Corrective Action Procedures
When monitoring indicates a preventive control is not operating within parameters — or when a preventive control failure is discovered — your facility must have written corrective action procedures to:
- Determine if affected food is safe to distribute (and if not, how to disposition it)
- Restore the preventive control to proper operation
- Prevent the same failure from recurring
- Evaluate whether affected food caused illness or injury (if distributed)
Corrective action records must be retained for at least two years. Facilities that lack documented corrective action procedures — or that lack evidence of corrective actions being implemented — routinely receive Warning Letters.
5. Verification Activities
Verification is how you confirm your Food Safety Plan is actually working. Part 117 requires verification activities that include:
- Validation of process preventive controls (demonstrating the control actually achieves the intended outcome, e.g., a thermal kill step validated by a process authority)
- Calibration of monitoring instruments
- Record review — a PCQI or designee must review corrective action records within 7 days of the activity
- Reanalysis of the entire Food Safety Plan at least every 3 years, or when a significant change occurs
Validation is the most frequently misunderstood requirement. Many facilities monitor and record their kill steps faithfully but never formally validate that the step actually achieves the necessary pathogen reduction. That gap is an FDA finding waiting to happen.
6. Recall Plan
Any facility whose Food Safety Plan identifies a hazard requiring a preventive control must also have a written recall plan. The plan must include procedures for:
- Notifying direct consignees of the recall
- Notifying the public when appropriate
- Conducting effectiveness checks to verify the recall is working
A recall plan is not the same as a crisis communication plan. FDA expects to see operational, step-by-step procedures that your team could execute with minimal lead time.
7. Supply Chain Program
If your hazard analysis identifies a hazard in a raw material or ingredient that is controlled before receipt by a supplier (rather than by your own process), you must implement a supply chain program. This program must:
- Determine and document appropriate supplier verification activities based on risk
- Conduct (or obtain documentation of) supplier verification activities before using the ingredient
- Document the basis for the type and frequency of supplier verification
The four recognized supplier verification activities under Part 117 are: onsite audits, sampling and testing, review of the supplier's food safety records, and other appropriate procedures.
The PCQI: Who Owns the Food Safety Plan?
The Preventive Controls Qualified Individual (PCQI) requirement is one of the most distinctive features of FSMA. Under 21 CFR §117.4, the Food Safety Plan must be prepared by or under the oversight of a PCQI — a person who has successfully completed FSPCA's standardized curriculum or can otherwise demonstrate equivalent job experience.
A PCQI must: - Prepare (or oversee preparation of) the Food Safety Plan - Validate preventive controls - Review monitoring records within 7 days - Review corrective action records within 7 days - Lead reanalysis of the Food Safety Plan
The PCQI does not have to be an employee — a consultant with PCQI credentials can fulfill this role contractually, which is a common arrangement for small and mid-sized facilities. At Certify Consulting, our PCQI-credentialed consultants have helped over 200 food and dietary supplement facilities build audit-ready Food Safety Plans — with a 100% first-time audit pass rate.
Citation hook: The FDA's FSMA Preventive Controls rule at 21 CFR §117.4 requires that the individual overseeing the Food Safety Plan be a Preventive Controls Qualified Individual (PCQI), establishing a named, credentialed accountability structure that mirrors pharmaceutical industry standards for qualified persons.
Current Good Manufacturing Practices (CGMPs): The Foundation Beneath Preventive Controls
Before a facility can effectively implement preventive controls, it must operate in conformance with Current Good Manufacturing Practices (21 CFR Part 117, Subpart B). CGMPs are not optional prerequisites — they are a concurrent legal requirement.
Key CGMP areas covered under Part 117 Subpart B include:
- Personnel hygiene (handwashing, illness reporting, protective clothing)
- Plant and grounds (pest exclusion, facility maintenance)
- Sanitary operations (cleaning procedures, sanitizer concentrations)
- Sanitary facilities and controls (water supply, sewage, hand-washing facilities)
- Equipment and utensils (construction, maintenance, calibration)
- Processes and controls (temperature controls, cross-contamination prevention)
- Warehousing and distribution (storage conditions, temperature controls)
In FDA inspections under FSMA, investigators evaluate CGMPs and the Food Safety Plan together. A robust written plan does not compensate for CGMP deficiencies observed on the floor.
What FDA Inspectors Actually Look For: Common 483 Observations
Based on publicly available FDA inspection data and Warning Letters, the most common FSMA Part 117 deficiencies inspectors cite include:
- No written hazard analysis — or a hazard analysis that omits known hazards for the product type
- Allergen controls not implemented — label discrepancies, no rework controls, no cleaning validation after allergen changeover
- Environmental monitoring gaps — no Listeria environmental monitoring program for RTE facilities, or monitoring data not reviewed
- Validation absent — process kill steps applied without supporting validation studies
- PCQI records not maintained — no evidence that a PCQI reviewed monitoring and corrective action records within required timeframes
- Supply chain program deficient — using unapproved suppliers, or failing to obtain/review supplier verification documentation before use
- Recall plan incomplete — missing consignee notification procedures or effectiveness check criteria
According to the FDA's own FSMA implementation data, allergen controls and environmental monitoring represent two of the highest-frequency deficiency categories across all food facility inspections — areas that are also directly linked to major outbreak investigations and Class I recalls.
FSMA vs. HACCP: Understanding the Difference
Many food professionals are more familiar with HACCP (Hazard Analysis and Critical Control Points) than with FSMA's preventive controls framework. The two systems are related but not identical.
| Feature | HACCP (Traditional) | FSMA Preventive Controls |
|---|---|---|
| Regulatory basis | Voluntary for most; mandatory for meat/seafood | Mandatory for all covered food facilities |
| Hazard scope | Biological, chemical, physical | Biological, chemical, physical, radiological |
| Allergen controls | Not explicitly required | Explicitly required as a control type |
| Supply chain controls | Not required | Explicitly required program |
| PCQI requirement | None | Mandatory credentialed individual |
| Recall plan | Not required | Required if hazard needs a control |
| Reanalysis frequency | No defined interval | At least every 3 years |
| Record review timeframe | Not specified | Within 7 days for corrective actions |
The practical takeaway: if your facility runs a HACCP plan and has never updated it for FSMA, you are likely out of compliance in several material ways. A HACCP-to-FSMA gap assessment is often the fastest way to identify what needs to be addressed.
How to Get — and Stay — Audit Ready
Achieving FSMA compliance is not a one-time project. FDA FSMA inspections are increasingly conducted using the FSMA-aligned inspection approach, and investigators are trained to probe beyond paperwork to assess whether the system is actually functioning.
Here is a practical readiness checklist based on what Certify Consulting's team evaluates when preparing a facility for FDA inspection:
Written Documentation
- [ ] Current, signed Food Safety Plan on file
- [ ] Hazard analysis covers all products and all hazard categories
- [ ] All preventive controls documented with monitoring, corrective action, and verification procedures
- [ ] Recall plan current and includes consignee notification procedures
- [ ] Supply chain program documented for each controlled ingredient
Operational Evidence
- [ ] Monitoring records current with no unexplained gaps
- [ ] Corrective action records available and reviewed by PCQI within 7 days
- [ ] Environmental monitoring program active with trend analysis
- [ ] Allergen changeover cleaning records available and validated
- [ ] Calibration records for all monitoring instruments
Personnel Readiness
- [ ] PCQI identified and credentialed
- [ ] Employees trained on relevant SOPs (with training records)
- [ ] Front-line staff can explain what they monitor and why
Reanalysis
- [ ] Reanalysis completed within last 3 years
- [ ] Significant changes (new products, new suppliers, new processes) trigger reanalysis
How Certify Consulting Can Help
At Certify Consulting, we specialize in building FSMA-compliant Food Safety Plans that are not just defensible on paper but functional on the floor. Our team of credentialed consultants — including PCQIs, RACs, and food safety specialists — has served over 200 food and dietary supplement facilities with a 100% first-time audit pass rate over more than eight years of practice.
Our FSMA preventive controls services include:
- Food Safety Plan development from gap assessment through final documentation
- PCQI oversight for facilities without an in-house qualified individual
- HACCP-to-FSMA conversion for facilities operating under legacy HACCP plans
- Mock FDA inspections to evaluate real-world readiness
- Supply chain program development and supplier qualification support
- Recall plan drafting and tabletop exercises
Whether you are preparing for your first FDA inspection or responding to a 483 observation, our team is ready to help. Learn more about our food safety consulting services at https://certify.consulting.
Related Resources on TheFDAExpert.com
- Understanding FDA Warning Letters: What They Mean and How to Respond
- FDA Food Facility Registration Requirements Under FSMA
Frequently Asked Questions
What is the difference between a CCP and a preventive control under FSMA?
A Critical Control Point (CCP) under traditional HACCP is a specific step where a control measure is essential to prevent or eliminate a food safety hazard. Under FSMA's preventive controls framework, the concept is broader — "preventive controls" include process controls (similar to CCPs), but also allergen controls, sanitation controls, and supply chain controls, none of which fit neatly into the traditional CCP model. FSMA does not require the use of the term "CCP," but facilities must control hazards that are reasonably likely to cause harm.
Do dietary supplement facilities need to comply with FSMA Preventive Controls?
Dietary supplement facilities are subject to 21 CFR Part 111 (Current Good Manufacturing Practice for dietary supplements), not Part 117. However, dietary supplement facilities that also manufacture conventional food products in the same facility may have dual compliance obligations. Additionally, the FDA has signaled increased scrutiny of dietary supplement supply chains under FSMA frameworks, so understanding where the boundaries apply is critical.
How often does a Food Safety Plan need to be reanalyzed?
Under 21 CFR §117.170, a Food Safety Plan must be reanalyzed at least once every three years, or whenever a significant change occurs that could affect whether a new hazard has been introduced or whether existing controls are still adequate. Significant changes include new products, new suppliers, new ingredients, new processes, or new scientific information about a hazard.
What records are required under FSMA Preventive Controls, and how long must they be kept?
Covered facilities must retain records of the Food Safety Plan itself, all monitoring records, corrective action records, verification records, and supply chain program records. Under 21 CFR §117.300, most records must be retained for at least 2 years from the date the record was created. Records supporting the validation of a process preventive control must be retained for at least 2 years after their use is discontinued.
Can a small food business use a consultant as their PCQI?
Yes. FDA explicitly allows a consultant to serve as the PCQI for a food facility. The consultant must have successfully completed FSPCA's standardized PCQI training curriculum or have equivalent experience. Using a consulting firm for PCQI oversight is a common and cost-effective strategy for small and mid-sized facilities that lack in-house resources with the required qualifications.
Last updated: 2026-03-16
Jared Clark
Certification Consultant
Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.