🎉 Xenia raises $12M Series A and announces 2 new AI capabilities

Learn More

White cross or X mark on a black background.

Food Safety Regulatory Frameworks: FDA Food Code, FSMA, and HACCP for Operators

Last updated:
June 30, 2026
Read Time:
5 min
Author:
HACCP

Summary

Food safety regulatory frameworks for US multi-unit operators are the FDA Food Code, FSMA, and HACCP. The FDA Food Code is the model retail regulation states adopt with variation. FSMA is the 2011 federal law implemented through 21 CFR Part 117 and the Food Traceability Rule. HACCP is the seven-principle hazard-analysis methodology published by NACMCF. As of 2024, only 11 state agencies in seven states had adopted the 2022 Food Code, covering 16.06% of the US population.

What are food safety regulatory frameworks?

A food safety regulatory framework is a structured rule set, published by a regulator or standards body, that defines how a food business must identify hazards, control them at specific points, document the controls, and respond when something goes out of spec. For a multi-unit US operator, three frameworks dominate.

Two definitions worth nailing down before going further. TCS food is Time/Temperature Control for Safety food. Items that require time and temperature control to keep pathogens from multiplying. Meat, poultry, dairy, cooked rice, cut tomatoes, cut leafy greens. Per FDA Food Code §3-501.16, TCS foods must be held cold at 41°F or below, hot at 135°F or above.

CCP stands for Critical Control Point. A step in the food process where a control measure can prevent, eliminate, or reduce a hazard to an acceptable level. Cooking, cooling, hot-holding, and cold-holding are the four most common CCPs in a restaurant kitchen.

The frameworks are not redundant. They serve different layers of the same problem. A 200-unit QSR has to follow the Food Code edition adopted by each state where it operates, maintain HACCP-style hazard plans for hot-held, cooled, and reheated TCS items, and keep FSMA-compliant traceability records for any tomato, leafy green, or sprout it touches. One inspection visit can cite all three.

Regulatory framework

The three frameworks compress into a side-by-side that answers the question operators actually search.

**

Framework, What it is, Who enforces, What it covers, Recordkeeping demand

FDA Food Code, Model regulation for retail food and food-service, State and local health departments (FDA writes-states adopt), Cold/hot holding temps-employee health-equipment-cleaning-allergens-date-marking, Temp logs-employee health attestations- date-marking-cleaning logs

FSMA, Federal law (2011) with multiple implementing rules, FDA directly, Preventive controls (21 CFR Part 117)-supplier verification-sanitary transport-traceability (FSMA 204), Hazard analysis-preventive controls-monitoring-corrective actions- verification-retained 2+ years per 21 CFR 117 Subpart F

HACCP, Seven-principle hazard-analysis methodology (NACMCF-1997), Voluntary for retail food. Mandatory in USDA meat/poultry-FDA juice and seafood, Biological-chemical-physical hazards at critical control points, Monitoring logs-deviation records-corrective action records-verification

**

The seven HACCP principles, in the order FDA publishes them:

Where the frameworks overlap and confuse operators. FSMA's preventive controls rule (21 CFR Part 117) is broader than HACCP. It covers biological, chemical, physical, radiological hazards, and food defense. HARPC (Hazard Analysis and Risk-Based Preventive Controls) is the FSMA term.

In practice multi-unit retail operators rarely have to satisfy HARPC directly because retail food establishments and restaurants are exempt from the full PCHF rule, per Penn State Extension's FSMA explainer. Operators with a central kitchen or commissary that distributes to multiple branded units can be pulled into FSMA's full scope.

State adoption reality is the operator's day-to-day pain. As of 2024, 11 state agencies in seven states had adopted the 2022 Food Code (Colorado, Connecticut, Illinois, Mississippi, Ohio, Pennsylvania, Utah). That represents 16.06% of the US population. Another 24 states use the 2017 edition. Fourteen states are still on the 2013 edition.

Six states plus Washington D.C. are on the 2009 edition. Fifteen years out of date. A chain running stores in California (stricter bare-hand contact rule) and Texas (2017 edition, allows Alternative Highly Effective Measures) trains two different glove protocols on the same line.

FSMA 204 timeline shift (operationally relevant for 2026). The Food Traceability Rule's compliance date was moved from January 20, 2026 to July 20, 2028 by the Continuing Appropriations Act of 2026, per Food Safety Magazine.

Operators with central kitchens or commissaries handling Food Traceability List items (leafy greens, herbs, tomatoes, cucumbers, melons, peppers, sprouts, tropical fruits, finfish, smoked finfish, crustaceans, mollusks, shell eggs, nut butters, ready-to-eat deli salads, cheeses) get an extra 2.5 years to build Traceability Lot Code and Critical Tracking Event recordkeeping. The work didn't go away. The deadline did.

How does Xenia handle multiple regulatory frameworks?

Xenia sits underneath the three frameworks as the digital audit trail that satisfies their common denominator. The operator can show, on demand, who did what check, when, what they found, and what they did about it. Xenia is not a HACCP-certification platform. It does not auto-file reports with state health authorities. It does not replace ServSafe certification. It is the audit-and-corrective-action layer that produces the evidence inspectors ask for.

The mapping from framework requirement to Xenia capability:

**

Framework requirement, Where Xenia covers it

FDA Food Code §3-501.16 cold/hot-holding (41°F / 135°F), Bluetooth thermometer integration auto-logs walk-in-hot-hold and line-station temps. Out-of-range readings trigger a follow-up question and required photo

FDA Food Code employee health attestations, Daily ops checklists capture shift-start health attestations with timestamp and digital acknowledgment

FDA Food Code allergen disclosure (9 major allergens including sesame-added 2023), Audit templates include allergen-handling questions with conditional visibility for menu items containing sesame-tree nuts-dairy

HACCP Principle 4 (Monitoring), Scheduled audits at CCP cadences (line check-walk-in temp-cooling logs) with assigned owner and tablet capture-linked to HACCP-aligned temperature logs

HACCP Principle 5 (Corrective Actions), Audit failure auto-creates a corrective task with assignee-deadline and escalation rule. The audit trail and the closure trail are the same record. See food-safety corrective action workflow

HACCP Principle 7 (Recordkeeping), All audits-photos-signatures and corrective actions stored with timestamps. Retrievable by location-date-item or owner

21 CFR Part 117 Subpart F (recordkeeping), Digital records satisfy FDA's electronic records provisions: audit trail-controlled corrections-retention period-fast retrieval

State-by-state Food Code variation, Conditional visibility shows the right questions per state. California units see the bare-hand-contact prompts. Texas units see the AHEM documentation prompts. One template-no manual duplication

**

Weighted scoring is what makes the score mean something. Food safety violations are critical (10 points). A misaligned menu board is cosmetic (1 point). Cooler temp out of range is critical. Dave's Hot Chicken replaced RizePoint for exactly this feature, and you can read the long version in our weighted audit scoring breakdown.

Bluetooth thermometers turn the line check into automatic compliance evidence. Pair Bluetooth thermometers with Xenia and walk-in temps log automatically every 15 minutes. Out-of-range readings auto-alert. No manual data entry. Dave's Hot Chicken's top driver across 321 locations. The detailed pairing process is in our Bluetooth thermometer setup guide.

The Dave's Hot Chicken anchor. Dave's Hot Chicken migrated from RizePoint at 321 locations because their old audit platform treated a missing patio chair the same as a temp violation in the walk-in. The food safety score was always 87%. Always. With Xenia, weighted scoring let food safety items count for 10 points and cosmetic items count for 1.

Bluetooth thermometers log temps every 15 minutes automatically. An out-of-range reading triggers a follow-up question on the audit, requires a photo of the corrective action, and assigns a corrective task to the kitchen manager with a deadline. If it isn't closed in 24 hours, the DM gets the escalation. The food safety score finally tracked what mattered.

A note on what Xenia does not do. It does not certify HACCP compliance. It supports HACCP-aligned audits and corrective action workflows. It does not auto-file with health authorities. The audit trail is available, submission is operator-driven. It does not stream temperatures in real time. Bluetooth thermometers log at intervals (15-minute cadence in the Dave's case). And it does not replace ServSafe certification. The platform tracks acknowledgment of training. Certification itself is a separate process administered by the National Restaurant Association.

Rated 4.9/5 stars on Capterra
Pricing:
Supported Platforms:
Priced on per user or per location basis
Available on iOS, Android and Web
Pricing:
Priced on per user or per location basis
Supported Platforms:
Available on iOS, Android and Web
Download Xenia app on
Apple App Store BadgeGoogle Play

Where do operators see results?

Operators see results when the audit cadence and the corrective-action loop close on the same record. Five live examples worth naming.

The patterns operators ask about, with the honest answer.

A common mistake worth flagging. Operators assume "we follow the Food Code" means they are FSMA-compliant. They are not necessarily. If you run a central kitchen or commissary that distributes to multiple units, FSMA preventive controls and traceability rules can apply on top of the Food Code. The frameworks stack. They do not substitute.

For the broader operator playbook, see the food safety operations hub and the cross-cluster audit management hub. Vertical context for QSR and full-service teams lives in the restaurant task management hub. For the c-store reading, the convenience store operations software hub covers the forecourt and cooler side of the same problem.

Frequently Asked Questions

Got a question? Find our FAQs here. If your question hasn't been answered here, contact us.

What is the FDA Food Code?

The FDA Food Code is the model regulation for retail food and food-service establishments, updated every four years, that states adopt to govern restaurants, c-stores, and institutional kitchens. The current edition is the 2022 Food Code, with a 2026 edition pending. It sets the cold-hold and hot-hold thresholds, 41°F and 135°F, that drive every line check in a Xenia audit template. States adopt with variation, so a chain in California and Texas operates under two different rule sets at once.

How does FSMA differ from the FDA Food Code?

FSMA is a federal preventive-controls and traceability law from 2011. The FDA Food Code is a model retail regulation that states adopt. FSMA covers written hazard plans, supplier verification, and traceability through 21 CFR Part 117 and the Food Traceability Rule. The Food Code covers store-level operations like holding temps, employee health, and allergen disclosure. A 200-unit QSR with a central commissary can be pulled into both, because FSMA stacks on top of the Food Code rather than replacing it.

What are the seven HACCP principles?

The seven HACCP principles published by FDA are conduct a hazard analysis, determine the critical control points, establish critical limits, establish monitoring procedures, establish corrective actions, establish verification procedures, and establish recordkeeping and documentation procedures. Operators use HACCP to build the plan. The Food Code and FSMA are the regulations that require the plan exist. In Xenia, principles four, five, and seven map directly to scheduled CCP audits, auto-assigned corrective tasks, and timestamped audit-trail retention.

Does my state follow the FDA Food Code or its own version?

Every state adopts the FDA Food Code with variation, and the edition lag is the operator's daily pain. As of 2024, 11 state agencies in seven states had adopted the 2022 Food Code, 24 states use the 2017 edition, 14 states are on the 2013 edition, and six states plus Washington D.C. are still on the 2009 edition. Check the FDA state adoption table, then set each location's Food Code version field so Xenia's conditional visibility shows the right prompts per store.

Do digital audit trails satisfy FSMA recordkeeping?

Yes. Digital records satisfy 21 CFR Part 117 Subpart F if they have an audit trail, controlled corrections, a retention period of at least two years, and fast retrievability on demand. A Xenia audit captures all four natively, every check is timestamped, edits are tracked, records persist past the two-year window, and an inspector can pull a specific location and date in seconds. Bluetooth thermometer logs at 15-minute cadence add the monitoring evidence that FSMA preventive controls expect.

Which framework should I align my internal audits to?

Align internal audits to all three at once. Build templates against FDA Food Code thresholds (41°F cold, 135°F hot, allergen disclosure, employee health attestations), structure the workflow on HACCP principles four through seven (monitoring, corrective actions, verification, recordkeeping), and retain records to FSMA's 21 CFR Part 117 Subpart F standard. Weighted scoring keeps the framework honest, critical food safety items at 10 points, cosmetic items at 1. Dave's Hot Chicken runs this stack across 321 locations.
Author

Samreen

Has 2+ years of experience working closely with frontline and deskless industries, with a focus on understanding operational workflows, challenges, and execution gaps. Her perspective is shaped by continuous exposure to real operational challenges, helping ensure the content reflects how teams actually plan, coordinate, and execute work.

Unify Operations, Safety and Maintenance
Unite your team with an all-in-one platform handling inspections, maintenance and daily operations
Get Started for Free
Xenia ChecklistsXenia Software Mockups
Food Safety Regulatory Frameworks: FDA Food Code, FSMA, and HACCP for Operators
Book a Demo
Capterra Logo
Rated 4.9/5 stars on Capterra
User interface showing a task and work orders dashboard with task creation, status filters, categories, priorities, and a security patrol checkpoints panel.