An FDA inspector arrives at your food manufacturing facility requesting your Food Safety Plan, hazard analysis documentation, and evidence that preventive controls are being monitored as required. For facilities without organized compliance systems, this moment triggers panic—scattered paper records, incomplete monitoring logs, and uncertainty about whether documentation meets FSMA requirements. Facilities using Sign Up for digital compliance tracking respond differently: complete records retrieved in minutes, monitoring data with timestamps, and corrective action documentation that demonstrates systematic control. The difference isn't luck—it's preparation.
The FDA's Preventive Controls for Human Food rule transformed food safety from reactive testing to proactive prevention. Compliance requires more than a written plan—it demands ongoing monitoring, verification activities, and documentation that proves your controls work. This guide breaks down FSMA preventive controls requirements into actionable steps that food manufacturers can implement systematically. Book a demo to see how Oxmaint's Compliance & Audit Tracking module organizes your FSMA documentation.
Compliance Guide / Food Safety
Preventive Controls for Human Food: FSMA Compliance Guide
Practical implementation framework for FDA preventive controls requirements, hazard analysis, and audit-ready documentation.
7Core FSMA Requirements
100%Documentation Required
PCQIQualified Individual Required
3 YrRecord Retention Minimum
Understanding FSMA Preventive Controls
The Preventive Controls for Human Food rule (21 CFR Part 117) requires food facilities to implement a food safety system that identifies hazards and puts controls in place to prevent them. Unlike traditional HACCP which focused primarily on processing hazards, FSMA expands requirements to include supply chain controls, sanitation controls, and allergen management.
!
Key Distinction: FSMA preventive controls apply to virtually all food facilities required to register with FDA—not just those with traditional "critical control points." Even facilities that previously operated without formal HACCP plans now need documented Food Safety Plans.
The Seven Core Components of FSMA Compliance
FDA requires food facilities to address seven interconnected components. Each builds on the others—gaps in any area can trigger inspection findings. Start tracking compliance with Oxmaint by Signing Up to ensure nothing falls through the cracks.
Written plan prepared by (or under oversight of) a Preventive Controls Qualified Individual (PCQI). Must include hazard analysis, preventive controls, and supporting documentation.
Required: Written document, PCQI signature, reanalysis procedures
Systematic evaluation of known or reasonably foreseeable biological, chemical, and physical hazards for each food type and process step.
Required: Written analysis, severity/likelihood assessment, control determination
Risk-based controls including process controls, food allergen controls, sanitation controls, supply-chain controls, and recall plans.
Required: Written procedures, parameters, responsible personnel
Ongoing activities to ensure preventive controls are consistently performed. Frequency must be adequate to provide assurance controls are working.
Required: What, how, frequency, who monitors, records
Procedures to identify problems, take appropriate action to correct them, reduce likelihood of recurrence, and evaluate affected product safety.
Required: Written procedures, product disposition, root cause analysis
Activities to confirm preventive controls are implemented correctly and effective—including calibration, record review, and environmental monitoring.
Required: Validation, verification frequency, PCQI review
Documentation proving all requirements are met. Records must be maintained for minimum 2 years (or product shelf life plus 2 years if longer).
Required: Monitoring records, corrective actions, verification, plan reanalysis
Simplify FSMA Documentation
Oxmaint's Compliance & Audit Tracking module organizes monitoring records, corrective actions, and verification activities in one searchable system.
Hazard Analysis: The Foundation of Your Food Safety Plan
Every preventive control flows from hazard analysis. FDA expects facilities to evaluate hazards systematically—not just list obvious risks. Document your reasoning for why each hazard does or doesn't require a preventive control.
Biological
Salmonella, Listeria, E. coli, parasites, viruses
Process controls (cooking, pasteurization), sanitation controls
Chemical
Allergens, sanitizer residues, pesticides, mycotoxins
Allergen controls, supplier verification, sanitation procedures
Physical
Metal fragments, glass, plastic, stones, wood
Detection equipment, supplier controls, equipment maintenance
Radiological
Radionuclides (rare, situation-specific)
Supply-chain controls if applicable
Preventive Control Categories
FSMA defines specific categories of preventive controls. Most facilities need controls from multiple categories. Schedule a consultation to assess which controls apply to your operations.
PRC
Process Controls
Parameters and values for processes that control hazards—cooking temperatures, cooling times, pH levels, formulation controls.
Cook to 165°F internal tempCool from 135°F to 70°F within 2 hoursMaintain pH below 4.6
ALG
Food Allergen Controls
Procedures to prevent cross-contact and ensure accurate labeling for the major food allergens (Big 9).
Production scheduling to minimize changeoversDedicated equipment or validated cleaningLabel verification procedures
SAN
Sanitation Controls
Procedures for cleaning and sanitizing when necessary to prevent contamination—especially for RTE foods exposed to environmental pathogens.
Food contact surface sanitationEnvironmental monitoring programsEmployee hygiene practices
SUP
Supply-Chain Controls
Verification activities for raw materials and ingredients when your facility relies on suppliers to control hazards.
Supplier approval programCertificates of analysisPeriodic supplier audits
RCL
Recall Plan
Written procedures for recalling product that may be adulterated or misbranded. Required for all facilities subject to preventive controls.
Notification proceduresProduct traceability systemEffectiveness checks
Monitoring & Documentation Requirements
FSMA requires documented monitoring for each preventive control. Records must capture what was monitored, results, who performed it, and when. Digital systems like Oxmaint automate timestamp capture and prevent backdating.
Temperature logsEach batch or continuous
Time/temperature combinationsEach cook cycle
pH and water activityPer batch/lot
Formulation verificationEach production run
Changeover cleaning verificationEach changeover
Label accuracy checksEach production run
Ingredient segregation auditsWeekly minimum
Cleaning completion verificationEach sanitation cycle
Environmental swab resultsPer sampling plan
Sanitizer concentrationEach use
Supplier approval statusBefore first use, annually
COA reviewEach shipment
Incoming inspectionEach receipt
Automate Compliance Monitoring
Replace paper logs with digital records that capture timestamps automatically, trigger alerts for missed checks, and generate audit-ready reports.
PCQI Requirements
The Preventive Controls Qualified Individual (PCQI) is central to FSMA compliance. This person must have completed standardized training or have equivalent job experience.
PCQI Responsibilities
Prepare or oversee Food Safety Plan preparation
Validate preventive controls
Review monitoring and verification records
Conduct or oversee reanalysis
Qualification Pathways
FDA-recognized PCQI training course (standardized curriculum)
Equivalent job experience in food safety
Combination of education and experience
Common FDA Inspection Findings
Understanding frequent inspection observations helps prioritize compliance efforts. These are among the most common FSMA-related findings.
1
Incomplete Hazard Analysis
Failure to evaluate all known or reasonably foreseeable hazards, or inadequate justification for hazards not requiring preventive controls.
2
Missing or Incomplete Monitoring Records
Gaps in monitoring documentation, missing signatures/initials, or records that don't demonstrate preventive controls were applied.
3
Inadequate Corrective Action Documentation
Corrective actions taken but not documented, or failure to address root cause and prevent recurrence.
4
No Written Recall Plan
Missing or incomplete recall procedures—a requirement for all facilities subject to preventive controls.
5
Supply-Chain Program Deficiencies
Relying on suppliers to control hazards without documented verification activities.
Frequently Asked Questions
Do small facilities have to comply with FSMA preventive controls?
Most registered food facilities must comply, but qualified facilities (based on sales thresholds and direct consumer sales percentages) have modified requirements. Very small businesses had extended compliance timelines but are now fully subject to the rule.
Schedule a consultation to determine your facility's requirements.
How often must the Food Safety Plan be reanalyzed?
At minimum every 3 years, or whenever a significant change occurs that could affect hazard analysis—new products, process changes, new equipment, or new scientific information about hazards.
What records does FDA expect to see during an inspection?
Inspectors typically request the Food Safety Plan, hazard analysis, monitoring records, corrective action documentation, verification records, supplier verification files, and training records. Digital systems like Oxmaint enable instant retrieval of all required documentation.
How long must FSMA records be retained?
Minimum 2 years after the date the record was created—or 2 years beyond the product's shelf life if that's longer. Many facilities retain records for 3+ years as best practice.
Build Your FSMA Compliance System
Oxmaint helps food manufacturers organize Food Safety Plans, track monitoring activities, document corrective actions, and prepare for FDA inspections—all in one platform.
