HACCP, FSMA and Food Safety Compliance: Document Management Guide for US Businesses

US food safety compliance guide: FSMA 21 CFR Part 117, HARPC vs HACCP, FDA traceability rule 2026, SQF/FSSC 22000 certifications and document management best practices.

CheckFile Team
Food safety compliance in the United States operates under a dual federal structure: the Food and Drug Administration (FDA) regulates the vast majority of the food supply, while the USDA Food Safety and Inspection Service (FSIS) holds jurisdiction over meat, poultry and egg products. The Food Safety Modernization Act (FSMA) of 2011 fundamentally restructured how FDA-regulated facilities demonstrate compliance, shifting the legal emphasis from responding to contamination events toward preventing them. For food manufacturers, importers and distributors operating in the US market, this means navigating overlapping documentary obligations under FSMA's preventive controls rules, traditional HACCP requirements that still apply in specific sectors, and the certification criteria demanded by major retail and foodservice customers.

Document fraud in food supply chains is a growing risk in the US market. Our platform has processed over 2.4 million verified documents with a 94.8% fraud detection recall rate, and internal analysis shows a 23% year-on-year increase (2024–2025) in fraudulent food safety certificates, including fabricated SQF certificates, manipulated Certificates of Analysis and forged third-party audit reports. Automated verification is a preventive control measure, not merely an operational convenience.

This guide explains how FSMA's Hazard Analysis and Risk-Based Preventive Controls (HARPC) framework differs from traditional HACCP, what the FDA Traceability Rule requires from 2026 onward, how the main US certification schemes compare, and how food businesses are using document management platforms to cut audit preparation time by up to 83% across 85+ enterprise clients.

This article is provided for informational purposes only and does not constitute legal, financial or regulatory advice. Consult a qualified professional for questions relating to your specific situation.

HARPC vs HACCP: Understanding FSMA's Preventive Controls Framework

HARPC (Hazard Analysis and Risk-Based Preventive Controls) is the regulatory framework established under 21 CFR Part 117 for human food facilities subject to FDA oversight. It replaces traditional HACCP as the documentary standard for most FDA-regulated manufacturers. Understanding the distinction is operationally critical because the two frameworks generate different documentary outputs and carry different regulatory consequences.

| Dimension | Traditional HACCP | HARPC (21 CFR Part 117) |
| --- | --- | --- |
| Legal basis | Codex Alimentarius; retained in 21 CFR Part 120 (juice) and 21 CFR Part 123 (seafood) | FSMA 2011; 21 CFR Part 117 |
| Hazard scope | Biological, chemical, physical hazards at CCPs | All foreseeable hazards including radiological hazards + allergen, sanitation, supply-chain and recall plans |
| Control measure categories | Critical Control Points (CCPs) only | CCPs + Preventive Controls (Process, Allergen, Sanitation, Supply-Chain) |
| Supply chain controls | Not required | Mandatory: supplier verification activities (onsite audits, CoA review, lot testing) |
| Qualified Individual | No specific qualification required | Food Safety Preventive Controls Qualified Individual (PCQI) required |
| Reanalysis frequency | When changes occur | At least every 3 years or when changes occur |
| Record retention | 1–2 years (scheme-dependent) | 2 years minimum (21 CFR 117.335) |
| Facility registration | Not triggered by HACCP status | Required for all domestic and foreign facilities supplying the US market |

HARPC is explicitly broader than HACCP. Where a traditional HACCP plan identifies Critical Control Points and documents monitoring, corrective action and verification for each CCP, a HARPC Food Safety Plan must also include written allergen preventive controls, a documented sanitation preventive control programme, and, critically, supply-chain preventive controls that demonstrate the business has verified that upstream suppliers are controlling the hazards they are responsible for.

FSIS-regulated facilities (meat, poultry, egg products) continue to operate under HACCP as codified in 9 CFR Part 417. The USDA FSIS HACCP guidance is the authoritative reference for these sectors, and FSIS inspection findings against HACCP records are among the most common causes of suspension of inspection, effectively shutting down a facility.

FDA Traceability Rule (FSMA Section 204): Requirements Effective 2026

FSMA Section 204 established a new traceability framework for foods on the Food Traceability List (FTL). The final rule, published as 21 CFR Part 1, Subpart S, took effect on January 20, 2026 following extended compliance deadlines. It applies to any person who manufactures, processes, packs or holds a food on the FTL regardless of facility size, with limited exemptions for farms below certain thresholds.

The FTL covers: leafy greens, tomatoes, peppers, fresh-cut fruits and vegetables, shell eggs, nut butters, finfish (including fresh and frozen), crustaceans, bivalve mollusks, tropical tree fruits and fresh herbs. Any business that handles these commodities at any stage of the supply chain must maintain records in a form that can be provided to FDA within 24 hours of a written request.

The rule is built around two core concepts: Critical Tracking Events (CTEs) and Key Data Elements (KDEs).

Critical Tracking Events are defined points in the supply chain where a record-keeping obligation is triggered:

  • Growing: first land-based receipt of FTL produce
  • Receiving: receipt of FTL food from another entity
  • Transforming: creating a new food from one or more FTL foods (e.g. fresh-cut processing)
  • Creating: producing an FTL food (e.g. shelling eggs, shucking oysters)
  • Shipping: sending FTL food to another entity

Key Data Elements must be captured at each CTE. For receiving, this includes: traceability lot code, quantity and unit of measure, product description, location description for where the food was received, and the name of the person who transported it. For shipping, it includes the traceability lot code assigned by the business, ship-to location, date of departure, and quantity shipped.

Records must be retained for a minimum of 2 years and must be shareable in an electronic, sortable spreadsheet format (at minimum) within 24 hours of an FDA request. Manual paper-only systems that cannot produce electronic exports within that window are non-compliant.

Key documentary obligations under FSMA 204:

  • Traceability lot code assignment and maintenance procedures
  • CTE records for all FTL foods received, transformed, created or shipped
  • KDE capture procedures at each CTE
  • Linkage records connecting incoming lots to outgoing lots through transformation events
  • Electronic record-keeping system or documented export procedure meeting the 24-hour response requirement
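
An added example (not CheckFile's code and not an FDA schema): a minimal Python check over constructed CTE records that flags missing KDEs, follows lot linkage through transformation events in either direction, and produces a sortable CSV export. The field names, the `input_lots` linkage column and the sample lots are assumptions; the required-KDE lists contain only the elements named above.

```python
import csv
import io

# KDEs the article names per CTE ("includes", so a minimum set, not the full rule).
# Field names are hypothetical; "transforming" models the lot linkage record.
REQUIRED_KDES = {
    "receiving": ["lot_code", "quantity", "unit", "product", "location", "transporter"],
    "shipping": ["lot_code", "quantity", "ship_to", "departure_date"],
    "transforming": ["lot_code", "input_lots", "product"],
}
COLUMNS = ["date", "cte", "lot_code", "input_lots", "product", "quantity", "unit",
           "location", "transporter", "ship_to", "departure_date"]

# Constructed sample records (not real data); row 2 lacks the transporter name.
RECORDS = [
    {"cte": "receiving", "date": "2026-02-02", "lot_code": "ROM-0201", "quantity": "400", "unit": "kg", "product": "romaine", "location": "Dock 2", "transporter": "Example Haulage"},
    {"cte": "receiving", "date": "2026-02-02", "lot_code": "SPN-0117", "quantity": "150", "unit": "kg", "product": "spinach", "location": "Dock 2", "transporter": ""},
    {"cte": "transforming", "date": "2026-02-03", "lot_code": "MIX-0045", "input_lots": "ROM-0201;SPN-0117", "product": "salad mix"},
    {"cte": "transforming", "date": "2026-02-04", "lot_code": "KIT-0009", "input_lots": "MIX-0045", "product": "salad kit"},
    {"cte": "shipping", "date": "2026-02-05", "lot_code": "KIT-0009", "quantity": "90", "ship_to": "Store 14", "departure_date": "2026-02-05"},
]

def missing_kdes(records):
    """Return (row number, CTE, missing fields) for every incomplete record."""
    gaps = []
    for n, rec in enumerate(records, start=1):
        required = REQUIRED_KDES.get(rec.get("cte"))
        if required is None:                 # unknown or absent CTE type
            gaps.append((n, rec.get("cte"), ["cte"]))
            continue
        absent = [k for k in required if not str(rec.get(k, "")).strip()]
        if absent:
            gaps.append((n, rec.get("cte"), absent))
    return gaps

def trace(records, lot, forward=True):
    """Lots reachable from `lot` downstream (forward) or upstream (backward)."""
    edges = {}
    for rec in records:
        if rec.get("cte") != "transforming":
            continue
        out = rec.get("lot_code", "")
        for src in filter(None, (s.strip() for s in rec.get("input_lots", "").split(";"))):
            a, b = (src, out) if forward else (out, src)
            edges.setdefault(a, set()).add(b)
    seen, stack = set(), [lot]
    while stack:
        for nxt in edges.get(stack.pop(), ()):
            if nxt not in seen:              # seen-set also stops rework loops
                seen.add(nxt)
                stack.append(nxt)
    return seen

def export_csv(records):
    """Sortable export: fixed column order, rows sorted by date then lot code."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, restval="", lineterminator="\n")
    writer.writeheader()
    for rec in sorted(records, key=lambda r: (r.get("date", ""), r.get("lot_code", ""))):
        writer.writerow({k: rec.get(k, "") for k in COLUMNS})
    return buf.getvalue()

if __name__ == "__main__":
    print("KDE gaps:", missing_kdes(RECORDS))
    print("Forward trace of ROM-0201:", sorted(trace(RECORDS, "ROM-0201")))
    print(export_csv(RECORDS))
```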

Food Safety Certifications in the US: SQF, FSSC 22000 and BRCGS

Statutory compliance under FSMA and FDA/FSIS regulations is the legal floor. Major US retailers and foodservice operators (including Walmart, Kroger, Costco and major quick-service restaurant chains) additionally require their suppliers to hold a current GFSI-benchmarked certification. The dominant schemes in the North American market are:

| Scheme | Governing Body | Target Business | Key Documentary Demands | Major US Customer Acceptance |
| --- | --- | --- | --- | --- |
| SQF (Safe Quality Food) Code Ed. 9 | SQFI (Arlington, VA) | Full food chain, from farm to retail | HACCP/food safety plan, PRPs, quality plan, management system | Walmart, Kroger, Publix, major QSR chains |
| FSSC 22000 v6 | FSSC Foundation (Netherlands) | Manufacturers, packaging, storage | ISO 22000 + additional FSSC requirements | GFSI-recognised; broadly accepted by US retailers |
| BRCGS Food Safety Issue 9 | BRCGS (UK-headquartered) | Manufacturers, storage, distribution | Full FSMS, HACCP, PRPs, product safety culture | Costco, Target, some Walmart categories |
| IFS Food v8 | IFS Management (Berlin) | Manufacturers, packing | Full FSMS, HACCP, KPIs | Less common in US; used for EU export markets |
| GLOBALG.A.P. | GLOBALG.A.P. (Cologne) | Primary producers, farms | Farm assurance, HACCP elements, traceability | Foodservice and produce buyers |

SQF is the most widely used GFSI scheme in North America. The Safe Quality Food Institute (SQFI) is based in Arlington, Virginia, and administers the SQF Code. An SQF Level 2 audit covers food safety fundamentals; Level 3 adds food quality. SQF audits examine the food safety plan (HACCP or HARPC-based), PRPs, allergen management, the supplier approval programme and the food fraud vulnerability assessment, a documentary requirement introduced in recent editions. SQF 2000 (manufacturing) and SQF 1000 (primary production) are distinct programmes.

FSSC 22000 builds on ISO 22000:2018 and is particularly well-suited to manufacturers that have already invested in the ISO certification infrastructure. Additional FSSC requirements include a food fraud vulnerability assessment, food defense plan, and allergen management programme documented beyond the ISO 22000 baseline.

ISO 22000:2018 and GFSI Recognition in the US Market

ISO 22000:2018 is the international standard for food safety management systems. In the US market, it functions primarily as a foundation for FSSC 22000 certification rather than as a standalone customer requirement. Standalone ISO 22000 certification is widely accepted in B2B ingredient supply, contract manufacturing and export contexts, but does not substitute for SQF, FSSC 22000 or BRCGS as a condition of supply to major US retailers.

Key documentary requirements under ISO 22000:2018 that align with FSMA compliance:

  • Food safety policy and objectives (clause 5.2, 6.2): documented statements signed by top management, with measurable targets
  • Hazard control plan (clause 8.5.4): the output of hazard analysis, specifying whether each control measure is a CCP or Operational PRP (OPRP), with associated monitoring procedures and corrective action triggers; this maps directly onto the FSMA Food Safety Plan requirement
  • Traceability system (clause 8.3): one-step-back/one-step-forward procedures for raw materials, ingredients, processing aids, packaging and finished goods, directly supporting FSMA 204 KDE/CTE obligations
  • External communication (clause 7.4.2): documented procedures for communicating with regulators (FDA, FSIS) and customers, including product withdrawal and recall procedures
  • Management review (clause 9.3): annual records of top management review, including food safety performance data and resourcing decisions

One practical advantage for US manufacturers: building an ISO 22000-aligned FSMS before pursuing SQF or FSSC 22000 certification reduces the incremental effort at the scheme audit stage, since the ISO documentation framework largely satisfies the management system sections of both schemes.

See our vendor compliance certificate verification guide for practical advice on collecting and verifying ISO 22000 and GFSI certificates from your US and international supply chain.

Automating Food Safety Document Management

Two questions appear repeatedly in US food safety practitioner forums: "What documents do I need for an FDA inspection under FSMA?" and "How does FSMA 204 traceability work in practice when FDA sends a 24-hour data request?"

Both questions describe the same underlying challenge: the volume and complexity of food safety documentation required under FSMA, HARPC, GFSI schemes and FSMA 204 traceability obligations cannot be managed reliably through shared drives, email chains and spreadsheets. The consequences are familiar: missing corrective action records for CCP deviations, supplier CoAs filed without lot-number linkage, PCQI-review sign-offs that cannot be located during an unannounced FDA inspection, and traceability lot codes that exist in multiple disconnected systems.

Our platform reduces audit preparation time by 83% for the 85+ enterprise food clients that have deployed it. Every document (supplier certificate, CoA, calibration record, corrective action form, PCQI review record) is ingested at source, matched to the correct supplier, product and lot reference, and verified against expected parameters before it enters the approved document set. The 94.8% fraud detection recall rate means that a fabricated SQF certificate or a CoA with an altered microbial count is flagged at intake, not during an FDA investigator's review.

Specific capabilities that address US food safety compliance needs:

  • FSMA 204 traceability support: automated KDE capture at receiving and shipping events, with lot-code linkage through transformation records, generating an electronic export that can respond to an FDA 24-hour data request without manual compilation
  • PCQI documentation management: Food Safety Plan versioning, PCQI review sign-offs and reanalysis records are maintained with a complete audit trail, satisfying the 2-year retention requirement under 21 CFR 117.335
  • Supply-chain preventive control records: supplier verification activities (onsite audit reports, CoA review records, third-party audit certificates) are collected, matched and tracked by supplier and lot, satisfying the HARPC supply-chain programme documentation requirement
  • Certificate expiry monitoring: SQF, FSSC 22000, BRCGS and GLOBALG.A.P. certificates are tracked against expiry dates, with automated alerts at 90, 60 and 30 days, preventing the approved supplier list from containing lapsed certifications
  • Mock recall execution: traceability queries across FTL foods (identifying all finished goods lots containing a specific ingredient lot) resolve in seconds, supporting both internal mock recalls and potential FDA Section 204 data requests

For related guidance on supply chain document compliance, see our articles on transport and logistics document compliance and vendor compliance certificate verification, and the broader industry verification guide.

The CheckFile platform integrates with existing ERP and quality management systems via API, extending automated verification to food safety records without requiring infrastructure replacement. Security architecture and data handling details are at /securite; pricing for food sector deployments is at /tarifs. Food businesses with KYC or supplier onboarding requirements can also review the /solutions/banque-kyc capability set.

FDA and USDA Inspections: What Investigators Check

FDA investigators operate under authority granted by the Federal Food, Drug, and Cosmetic Act (FD&C Act) as amended by FSMA. Domestic food facility inspections are conducted by FDA district offices; FDA also conducts foreign supplier verification inspections. FSIS inspection is continuous for federally inspected meat and poultry facilities: FSIS inspectors are present during every production shift, not just during periodic audits.

During an FDA inspection of a FSMA-registered food facility, investigators will typically examine:

  • Food Safety Plan: Is a written Food Safety Plan in place, signed by a PCQI? Does it address all known or reasonably foreseeable hazards? Are all preventive controls (process, allergen, sanitation, supply-chain) documented with monitoring procedures, corrective action procedures and verification activities?
  • PCQI qualification records: Is there documentation that the individual who prepared or oversaw the Food Safety Plan completed an FDA-recognized PCQI training course (e.g. FSPCA Preventive Controls for Human Food)?
  • Monitoring records: Are CCP and preventive control monitoring records current, signed and complete? Are there unexplained gaps in temperature logs or other continuous monitoring records?
  • Corrective action records: For every out-of-range monitoring result, is there a corrective action record that identifies what was done to the affected product, what was done to correct the root cause, and who authorized the corrective action?
  • Supplier verification records: For each supply-chain preventive control, are there records of the supplier verification activity performed (e.g. onsite audit report, CoA review, approved third-party audit certificate)?
  • Allergen control records: Are allergen controls documented? Are changeover cleaning verification records maintained? Are label review records current?
  • FSMA 204 traceability records (for FTL foods): Are KDEs captured at each CTE? Can the facility produce a complete forward and backward trace for an FTL food within 24 hours?

FDA can issue a Warning Letter for FSMA violations, seek a consent decree of injunction, or mandate a recall. FSIS enforcement options include Noncompliance Records (NRs), regulatory control actions (holding product), and suspension of inspection, which halts production at the affected facility.

The most common documentary failures observed in FDA warning letters related to FSMA Part 117 are: written Food Safety Plans that lack a supply-chain preventive control programme, corrective action records that do not address the disposition of potentially affected food, and monitoring records with gaps that were not documented with an explanation or corrective action.

Frequently Asked Questions

What documents are required for an FDA inspection under FSMA 21 CFR Part 117?

A facility subject to 21 CFR Part 117 must be able to produce: the written Food Safety Plan (hazard analysis, risk-based preventive controls, monitoring procedures, corrective action procedures, verification procedures and recall plan), records demonstrating that monitoring was conducted as required, corrective action records for any deviation from a critical limit or action level, verification records (including validation studies for process preventive controls), and supply-chain preventive control records including supplier verification activities. All records must be retained for a minimum of 2 years (21 CFR 117.335) and must be available for FDA review within 24 hours of a written request for most record types.

What is the difference between HARPC and traditional HACCP, and which applies to my facility?

Traditional HACCP (the seven-principle framework from Codex Alimentarius) applies to juice manufacturers under 21 CFR Part 120 and seafood processors under 21 CFR Part 123 as specifically mandated FDA regulations, and to all FSIS-regulated meat, poultry and egg product facilities under 9 CFR Part 417. For all other FDA-regulated human food facilities, FSMA's Hazard Analysis and Risk-Based Preventive Controls (HARPC) under 21 CFR Part 117 is the governing framework. HARPC is broader: it requires documented allergen preventive controls, sanitation preventive controls and supply-chain preventive controls in addition to process preventive controls that correspond to traditional HACCP CCPs.

When did the FDA FSMA 204 Traceability Rule take effect, and does it apply to my business?

The FSMA Section 204 final rule (21 CFR Part 1, Subpart S) took effect on January 20, 2026. It applies to any person who manufactures, processes, packs or holds food on the Food Traceability List (FTL), including leafy greens, tomatoes, peppers, fresh-cut produce, shell eggs, nut butters, finfish, crustaceans, bivalve mollusks, tropical tree fruits and fresh herbs. Farms below the rule's thresholds and certain other entities are exempt. Covered businesses must maintain CTE/KDE records and be able to provide them to FDA in electronic sortable format within 24 hours of a written request.

Is SQF certification accepted by US retailers as equivalent to FSMA compliance?

SQF certification demonstrates that an independently audited food safety management system is in place, but it does not substitute for regulatory compliance under FSMA. An SQF-certified facility is still subject to FDA inspection and must maintain all records required under 21 CFR Part 117 and, where applicable, the FSMA 204 traceability rule. SQF certification is valued by US retailers as evidence of systematic food safety management, but retailers' contractual SQF requirements and FDA's regulatory requirements are parallel obligations, not alternatives.

How can US food manufacturers automate supply-chain preventive control documentation?

The most efficient approach combines a supplier portal that triggers secure document upload requests at the point of purchase order confirmation, automated matching of CoAs to purchase orders and approved specifications, and certificate tracking for third-party audit certificates (SQF, FSSC 22000, BRCGS). This creates a continuously maintained, auditable record of supplier verification activities that satisfies the HARPC supply-chain preventive control documentation requirement and is available for FDA review within 24 hours. The CheckFile platform supports this workflow for businesses managing supplier bases from 20 to over 2,000 active suppliers. See /tarifs for deployment options.
