Most food manufacturers I work with arrive at compliance with one of two questions: Do I need GMPs, or FSMA, or both? And the second question — usually asked with some frustration — is why their FDA inspector keeps asking for documents they've never had to produce before.
The short answer is that GMPs and FSMA aren't really competing frameworks. One is the foundation, and the other built an entirely new structure on top of it. But the differences matter enormously for what you actually have to do, document, and prove to an FDA investigator standing in your facility.
What GMPs Actually Cover — and What They Don't
Good Manufacturing Practices for food — now codified in Subpart B of 21 CFR Part 117 — are the baseline hygiene and facility standards that apply to virtually every registered food facility. They cover:
- Personnel (disease control, hygiene, training requirements)
- Plant and grounds (design, maintenance, pest exclusion)
- Sanitary operations (cleaning, sanitizing, pest control procedures)
- Sanitary facilities and controls (water quality, plumbing, sewage, restrooms)
- Equipment and utensils (design, materials, maintenance)
- Processes and controls (manufacturing, processing, packing, holding)
- Warehousing and distribution
GMPs are largely prescriptive. The regulations tell you what conditions your facility must meet — wash hands here, maintain temperatures there, keep pests out. They describe how a facility should operate. What they don't do is require you to systematically identify what could go wrong in your specific process, analyze the severity and likelihood of those hazards, and implement controls proportionate to the risk.
That distinction — prescriptive versus risk-based — is the heart of what separates GMPs from FSMA's preventive controls framework.
GMPs have no requirement for a written Food Safety Plan. No hazard analysis. No supply chain program. No recall plan. If you're running a food manufacturing operation under GMPs alone and haven't built out the FSMA layer, you have a compliance gap that FDA will find.
What FSMA Actually Added to the Picture
The Food Safety Modernization Act was signed into law on January 4, 2011 — the most sweeping reform of federal food safety law since the Federal Food, Drug, and Cosmetic Act of 1938. Its central rule for domestic food manufacturers is the Preventive Controls for Human Food rule, which took effect for large businesses on September 19, 2016, and is now codified in 21 CFR Part 117 in its entirety (Subparts A through G).
FSMA didn't eliminate GMPs. It kept them — now called Current Good Manufacturing Practices, or CGMPs — as Subpart B, and then layered a hazard analysis and risk-based preventive controls framework on top through Subpart C and beyond. The old 21 CFR Part 110 was effectively superseded and removed from the Code of Federal Regulations.
Here's what FSMA added that GMPs never required:
A written Food Safety Plan. FSMA requires facilities to prepare and implement a written plan that includes a hazard analysis, preventive controls, monitoring procedures, corrective action procedures, verification activities, and a recall plan. GMPs require none of this in written form.
A documented hazard analysis. You must conduct and document a hazard analysis for each type of food you manufacture, identifying known or reasonably foreseeable biological, chemical (including radiological), and physical hazards. You then determine which hazards require a preventive control.
Preventive Controls. Where hazards require controls, you must implement them. FSMA recognizes four types: process controls (like pasteurization), food allergen controls, sanitation controls, and supply chain controls. These go substantially beyond what GMPs describe.
A Preventive Controls Qualified Individual (PCQI). FSMA requires that your Food Safety Plan be prepared, or its preparation overseen, by a qualified individual — someone who has successfully completed training in accordance with the standardized curriculum developed by the Food Safety Preventive Controls Alliance (FSPCA), or who is otherwise qualified through relevant job experience. GMPs have no equivalent requirement.
A supply chain program. If a hazard in a raw material or ingredient requires a control, and you're relying on your supplier to apply that control, FSMA requires a documented supply chain program: supplier verification activities, approved supplier lists, and records of verification. GMPs don't address your suppliers at all.
A recall plan. FSMA requires a written recall plan as part of the Food Safety Plan, including procedures for conducting a recall, identifying and notifying consignees, and conducting effectiveness checks. GMPs have no recall plan requirement.
An environmental monitoring program. If you produce ready-to-eat (RTE) foods in an environment where pathogens — particularly Listeria monocytogenes — are a hazard requiring a control, FSMA requires a documented environmental monitoring program. GMPs have sanitation requirements, but no mandate for systematic environmental monitoring and testing.
GMP vs. FSMA Preventive Controls: Side-by-Side
| Requirement | GMPs (21 CFR §117, Subpart B) | FSMA Preventive Controls (Subpart C+) |
|---|---|---|
| Written Food Safety Plan | ❌ Not required | ✅ Required |
| Hazard Analysis | ❌ Not required | ✅ Required |
| Risk-based preventive controls | ❌ Not required | ✅ Required |
| PCQI (Qualified Individual) | ❌ Not required | ✅ Required |
| Supply chain program | ❌ Not required | ✅ Required (when applicable) |
| Environmental monitoring program | ❌ Not required | ✅ Required (RTE/pathogen hazards) |
| Recall plan | ❌ Not required | ✅ Required |
| Systematic verification activities | ⬜ Limited | ✅ Required |
| Monitoring records | ✅ Some | ✅ Extensive |
| Corrective action documentation | ✅ Basic | ✅ Documented and systematic |
| Personnel hygiene standards | ✅ Required | ✅ Maintained |
| Facility and equipment standards | ✅ Required | ✅ Maintained |
| Sanitation requirements | ✅ Required | ✅ Maintained and enhanced |
This table is worth sitting with. Everything in GMPs remains in force under FSMA — compliance with Subpart B is still required. What FSMA adds is a risk-based decision-making layer on top, and it demands documentation of that decision-making in ways that GMPs never did.
The Risk-Based Divide Is More Than a Philosophical Difference
In practice, the shift from prescriptive GMPs to FSMA's risk-based approach means your compliance posture has to change in a fundamental way.
Under GMPs, you could, in theory, satisfy a regulator by showing that your facility met the described conditions. Your floors are sealed, your equipment is cleanable, your employees wash their hands. Compliance was largely observable during a walk-through.
Under FSMA, you have to show your thinking. Why did you conclude that allergen cross-contact is a hazard requiring a preventive control for your product? What monitoring procedure ensures your process control is consistently achieving its intended result? What did you do when your monitoring data showed a deviation, and how do you know the corrective action worked?
FDA investigators operating under FSMA aren't just looking at your facility — they're asking to see your Food Safety Plan, your monitoring records, your corrective action logs. In my experience working with food manufacturers, this is the transition that catches people off guard most often. They've been GMP-compliant for years, but FSMA compliance requires a documented food safety management system that many had never built.
Documentation: Where the Real Gap Shows Up
The CDC estimates that foodborne illness affects approximately 48 million Americans annually, causing roughly 128,000 hospitalizations and 3,000 deaths. FSMA's documentation requirements exist precisely because FDA needs evidence — not just conditions — that manufacturers are systematically controlling the hazards most likely to drive those outcomes.
Here's how the documentation burden compares:
Under GMPs, you're typically maintaining: - Employee training records for hygiene requirements - Basic cleaning and sanitizing logs - Temperature records where applicable
Under FSMA Preventive Controls, you're maintaining all of the above, plus: - The written Food Safety Plan itself (hazard analysis, preventive controls, monitoring procedures, corrective action procedures, verification procedures, and recall plan) - Monitoring records at the frequency specified in your plan — generated in real time, not reconstructed after the fact - Corrective action records every time a critical limit deviation occurs or a preventive control isn't properly implemented - Verification records: calibration records, environmental monitoring results, product testing results, and documentation of your Food Safety Plan reanalysis (required at minimum every three years or when certain triggers occur) - Supply chain program records: supplier verification activities, approved supplier documentation
Records under FSMA must generally be retained for at least two years, and FDA has the authority to copy them and request access within 24 hours. If you can't produce them on demand, it's treated the same as if they don't exist.
FDA issues approximately 4,000 to 5,000 Form 483 observations annually across food facilities. Inadequate or missing Food Safety Plan documentation and insufficient hazard analysis are consistently among the most frequently cited findings in food facility inspections — not because the food isn't safe, but because the paperwork trail isn't there.
Who Has to Comply With What
Not every food facility faces the full FSMA preventive controls requirement. Applicability depends on facility type and size.
Full FSMA Preventive Controls apply to facilities required to register with FDA under Section 415 of the FD&C Act that are not otherwise exempt or modified.
Qualified Facility Exemption: Facilities that are "very small businesses" — with average annual human food sales below $1 million over the preceding three-year period, where the majority of food sales are directly to qualified end-users (consumers, or restaurants and retailers in the same state or within 275 miles) — may qualify for modified requirements. They still must comply with CGMPs and disclose their status on food labels, but are not subject to the full preventive controls framework.
Farm operations are generally not covered by 21 CFR Part 117. Farms growing produce may be covered by the Produce Safety Rule (21 CFR Part 112) instead, which has its own distinct requirements.
Dietary supplement manufacturers are covered by a different GMP rule — 21 CFR Part 111 — not Part 117.
In my experience, the qualifying threshold questions trip up food businesses that have grown past the small-business definitions without fully recognizing that their compliance obligations changed. If your revenue has crossed $1 million in food sales, you need to honestly assess whether you've been operating under the full FSMA framework — and whether your records would demonstrate it to an FDA investigator.
Common Misconceptions Worth Naming
"We're GMP compliant, so we're FSMA compliant." This is the most common mistake I see, and it's an expensive one to discover during an FDA inspection. GMP compliance is necessary but not sufficient for FSMA compliance. Every FSMA-regulated facility must comply with CGMPs, but CGMPs alone don't satisfy FSMA's preventive controls requirements.
"FSMA replaced GMPs." FSMA incorporated and updated the GMP requirements — the old Part 110 was effectively superseded by the new Subpart B of Part 117 — but GMPs themselves didn't disappear. They became the foundation of an integrated rule that now also requires hazard analysis and preventive controls.
"We don't have significant hazards, so preventive controls don't apply to us." The hazard analysis is required regardless of what you conclude. Even if your analysis determines that no hazards require a preventive control — which is genuinely rare for food manufacturers — you still have to document that analysis and the reasoning behind the conclusion. The outcome doesn't eliminate the documentation requirement.
"Small businesses are exempt from FSMA." Some very small businesses qualify for the Qualified Facility Exemption, but most food manufacturers do not. And even those who qualify still have GMP obligations.
How to Start If You're Behind on FSMA
If you've been operating primarily under a GMP framework and haven't built out FSMA compliance, the practical starting point is your Food Safety Plan. Specifically:
- Conduct a documented hazard analysis for each product type or process category you run.
- Identify which hazards require preventive controls and document your reasoning — this is where FSMA auditors focus.
- Write your preventive controls, monitoring procedures, and corrective action procedures with enough specificity that someone could follow them without asking you what they mean.
- Designate or train your PCQI. The FSPCA's standardized training course is the recognized pathway. If that's not feasible internally, working with a qualified outside consultant who holds PCQI credentials is a legitimate and common approach.
- Build your records system so monitoring is captured in real time and corrective actions are logged when they happen.
- Assess your supply chain and determine which incoming materials carry supplier-controlled hazards that require your supply chain program to address.
At Certify Consulting, I've helped more than 200 food and dietary supplement manufacturers work through exactly this sequence — and the facilities that come out strongest are the ones who treat the Food Safety Plan as a living document, not a box-checking exercise. The plan has to reflect how your process actually works, not an idealized version of it. An FDA investigator will notice the gap between what your SOP says and what your production floor does, and so will I when I'm preparing a client for an inspection.
The FSPCA's PCQI training is the right first investment for whoever will own your Food Safety Plan internally. After that, the work is building the system — the monitoring, the records, the verification routine — that makes the plan real.
For additional guidance on preparing for FDA food facility inspections, see our FDA Food Facility Inspection Preparation Guide. For food manufacturers working through the FSMA Food Safety Plan for the first time, our GMP Compliance Consulting for Food Manufacturers page outlines how we approach the process.
Last updated: 2026-07-03
Jared Clark
GMP Compliance Consultant, Certify Consulting
Jared Clark is a GMP compliance consultant and founder of Certify Consulting, specializing in FDA GMP requirements for pharmaceuticals, dietary supplements, cosmetics, and food manufacturing.