What are food safety regulatory frameworks?

A food safety regulatory framework is a structured rule set, published by a regulator or standards body, that defines how a food business must identify hazards, control them at specific points, document the controls, and respond when something goes out of spec. For a multi-unit US operator, three frameworks dominate.

• FDA Food Code. Model regulation for retail and food-service establishments. Restaurants, c-stores, grocery delis, institutional food service. Updated every four years. The latest is the 2022 Food Code, with a 2026 edition pending per FDA's published priority list.
• FSMA (Food Safety Modernization Act of 2011). Federal law that shifted FDA from a reactive posture (respond to outbreaks) to a preventive one (require written hazard plans, supplier verification, traceability). Implemented through 21 CFR Part 117 and the Food Traceability Rule (FSMA 204).
• HACCP (Hazard Analysis and Critical Control Point). The seven-principle methodology codified by NACMCF and published by the FDA in 1997. HACCP is the method operators use to build a plan. The Food Code and FSMA are the regulations that require the plan.

Two definitions worth nailing down before going further. TCS food is Time/Temperature Control for Safety food. Items that require time and temperature control to keep pathogens from multiplying. Meat, poultry, dairy, cooked rice, cut tomatoes, cut leafy greens. Per FDA Food Code §3-501.16, TCS foods must be held cold at 41°F or below, hot at 135°F or above. CCP stands for Critical Control Point. A step in the food process where a control measure can prevent, eliminate, or reduce a hazard to an acceptable level. Cooking, cooling, hot-holding, and cold-holding are the four most common CCPs in a restaurant kitchen.

The frameworks are not redundant. They serve different layers of the same problem. A 200-unit QSR has to follow the Food Code edition adopted by each state where it operates, maintain HACCP-style hazard plans for hot-held, cooled, and reheated TCS items, and keep FSMA-compliant traceability records for any tomato, leafy green, or sprout it touches. One inspection visit can cite all three.

Regulatory framework

The three frameworks compress into a side-by-side that answers the question operators actually search.

| Framework | What it is | Who enforces | What it covers | Recordkeeping demand |
|---|---|---|---|---|
| FDA Food Code | Model regulation for retail food and food-service | State and local health departments (FDA writes, states adopt) | Cold/hot holding temps, employee health, equipment, cleaning, allergens, date-marking | Temp logs, employee health attestations, date-marking, cleaning logs |
| FSMA | Federal law (2011) with multiple implementing rules | FDA directly | Preventive controls (21 CFR Part 117), supplier verification, sanitary transport, traceability (FSMA 204) | Hazard analysis, preventive controls, monitoring, corrective actions, verification, retained 2+ years per 21 CFR 117 Subpart F |
| HACCP | Seven-principle hazard-analysis methodology (NACMCF, 1997) | Voluntary for retail food. Mandatory in USDA meat/poultry, FDA juice and seafood | Biological, chemical, physical hazards at critical control points | Monitoring logs, deviation records, corrective action records, verification |

The seven HACCP principles, in the order FDA publishes them:

1. Conduct a Hazard Analysis.
2. Determine the Critical Control Points.
3. Establish Critical Limits.
4. Establish Monitoring Procedures.
5. Establish Corrective Actions.
6. Establish Verification Procedures.
7. Establish Record-Keeping and Documentation Procedures.

Where the frameworks overlap and confuse operators. FSMA's preventive controls rule (21 CFR Part 117) is broader than HACCP. It covers biological, chemical, physical, radiological hazards, and food defense. HARPC (Hazard Analysis and Risk-Based Preventive Controls) is the FSMA term. In practice multi-unit retail operators rarely have to satisfy HARPC directly because retail food establishments and restaurants are exempt from the full PCHF rule, per Penn State Extension's FSMA explainer. Operators with a central kitchen or commissary that distributes to multiple branded units can be pulled into FSMA's full scope.

State adoption reality is the operator's day-to-day pain. As of 2024, 11 state agencies in seven states had adopted the 2022 Food Code (Colorado, Connecticut, Illinois, Mississippi, Ohio, Pennsylvania, Utah). That represents 16.06% of the US population. Another 24 states use the 2017 edition. Fourteen states are still on the 2013 edition. Six states plus Washington D.C. are on the 2009 edition. Fifteen years out of date. A chain running stores in California (stricter bare-hand contact rule) and Texas (2017 edition, allows Alternative Highly Effective Measures) trains two different glove protocols on the same line.

FSMA 204 timeline shift (operationally relevant for 2026). The Food Traceability Rule's compliance date was moved from January 20, 2026 to July 20, 2028 by the Continuing Appropriations Act of 2026, per Food Safety Magazine. Operators with central kitchens or commissaries handling Food Traceability List items (leafy greens, herbs, tomatoes, cucumbers, melons, peppers, sprouts, tropical fruits, finfish, smoked finfish, crustaceans, mollusks, shell eggs, nut butters, ready-to-eat deli salads, cheeses) get an extra 2.5 years to build Traceability Lot Code and Critical Tracking Event recordkeeping. The work didn't go away. The deadline did.

How does Xenia handle multiple regulatory frameworks?

Xenia sits underneath the three frameworks as the digital audit trail that satisfies their common denominator. The operator can show, on demand, who did what check, when, what they found, and what they did about it. Xenia is not a HACCP-certification platform. It does not auto-file reports with state health authorities. It does not replace ServSafe certification. It is the audit-and-corrective-action layer that produces the evidence inspectors ask for.

The mapping from framework requirement to Xenia capability:

| Framework requirement | Where Xenia covers it |
|---|---|
| FDA Food Code §3-501.16 cold/hot-holding (41°F / 135°F) | Bluetooth thermometer integration auto-logs walk-in, hot-hold, and line-station temps. Out-of-range readings trigger a follow-up question and required photo |
| FDA Food Code employee health attestations | Daily ops checklists capture shift-start health attestations with timestamp and digital acknowledgment |
| FDA Food Code allergen disclosure (9 major allergens including sesame, added 2023) | Audit templates include allergen-handling questions with conditional visibility for menu items containing sesame, tree nuts, dairy |
| HACCP Principle 4 (Monitoring) | Scheduled audits at CCP cadences (line check, walk-in temp, cooling logs) with assigned owner and tablet capture, linked to HACCP-aligned temperature logs |
| HACCP Principle 5 (Corrective Actions) | Audit failure auto-creates a corrective task with assignee, deadline, and escalation rule. The audit trail and the closure trail are the same record. See food-safety corrective action workflow |
| HACCP Principle 7 (Recordkeeping) | All audits, photos, signatures, and corrective actions stored with timestamps. Retrievable by location, date, item, or owner |
| 21 CFR Part 117 Subpart F (recordkeeping) | Digital records satisfy FDA's electronic records provisions: audit trail, controlled corrections, retention period, fast retrieval |
| State-by-state Food Code variation | Conditional visibility shows the right questions per state. California units see the bare-hand-contact prompts. Texas units see the AHEM documentation prompts. One template, no manual duplication |

Weighted scoring is what makes the score mean something. Food safety violations are critical (10 points). A misaligned menu board is cosmetic (1 point). Cooler temp out of range is critical. Dave's Hot Chicken replaced RizePoint for exactly this feature, and you can read the long version in our weighted audit scoring breakdown.

Bluetooth thermometers turn the line check into automatic compliance evidence. Pair Bluetooth thermometers with Xenia and walk-in temps log automatically every 15 minutes. Out-of-range readings auto-alert. No manual data entry. Dave's Hot Chicken's top driver across 321 locations. The detailed pairing process is in our Bluetooth thermometer setup guide.

The Dave's Hot Chicken anchor. Dave's Hot Chicken migrated from RizePoint at 321 locations because their old audit platform treated a missing patio chair the same as a temp violation in the walk-in. The food safety score was always 87%. Always. With Xenia, weighted scoring let food safety items count for 10 points and cosmetic items count for 1. Bluetooth thermometers log temps every 15 minutes automatically. An out-of-range reading triggers a follow-up question on the audit, requires a photo of the corrective action, and assigns a corrective task to the kitchen manager with a deadline. If it isn't closed in 24 hours, the DM gets the escalation. The food safety score finally tracked what mattered.

A note on what Xenia does not do. It does not certify HACCP compliance. It supports HACCP-aligned audits and corrective action workflows. It does not auto-file with health authorities. The audit trail is available, submission is operator-driven. It does not stream temperatures in real time. Bluetooth thermometers log at intervals (15-minute cadence in the Dave's case). And it does not replace ServSafe certification. The platform tracks acknowledgment of training. Certification itself is a separate process administered by the National Restaurant Association.

How to set up framework-aligned audits in Xenia

Below is the build sequence a multi-state QSR or c-store ops director can run with an internal team. Each step maps to a framework requirement.

1. Map your locations to a state-by-state Food Code matrix. Pull each state's adopted edition from the FDA state adoption table. For each location record, set the state Food Code version field so conditional visibility can show the right prompts later.

2. Identify your TCS items and CCPs. Walk the menu. For each item that is meat, poultry, dairy, cooked rice, cooked beans, cut tomatoes, cut leafy greens, sprouts, or shell eggs, list the CCPs (receiving, cold-holding, cooking, hot-holding, cooling, reheating). HACCP Principles 1 and 2, done once.

3. Set critical limits per the FDA Food Code. Cold-hold 41°F or below. Hot-hold 135°F or above. Cook poultry to 165°F for 15 seconds. Ground meat to 155°F for 17 seconds. Whole-muscle meat to 145°F for 15 seconds. Shell eggs for immediate service to 145°F for 15 seconds (Food Code §3-401.11). Two-stage cooling: 135°F to 70°F within 2 hours, then 70°F to 41°F within an additional 4 hours (§3-501.14). Use the same thresholds inside your food safety audit frequency cadence.

4. Build the audit templates with weighted scoring. Critical items (temp violations, employee illness, cross-contamination) at 10 points. Important items (cleaning, dating, glove use) at 3 to 5 points. Cosmetic items (label alignment, decorative cleanliness) at 1 point. Set the pass threshold at 90% for a unit-level food safety pass.

5. Pair the audit with Bluetooth thermometers at every walk-in, hot-hold, and line station. Logging cadence: 15 minutes (matches Dave's Hot Chicken deployment). Set the out-of-range alert threshold at 41°F cold and 135°F hot per Food Code §3-501.16. Detail in the Bluetooth thermometer setup walkthrough.

6. Configure follow-up questions and required photo capture. Any out-of-range temp triggers: "What corrective action did you take?" plus a required photo. Any allergen-related fail triggers: "Describe what was found" plus a photo of the affected item.

7. Wire corrective-action workflows. Failure on a critical item auto-assigns a task to the kitchen manager. 2-hour deadline for temp issues. 24-hour for cleaning issues. Escalation rule: if not closed by deadline, route to the DM. Second escalation at 48 hours routes to the regional director.

8. Set conditional visibility for state-specific variations. California units see the bare-hand-contact-prohibited gloves prompt. Texas units see the AHEM (Alternative Highly Effective Measures) documentation prompt. Units without a patio do not see patio cleanliness questions. Conditional visibility plus nullify scoring keep the score honest for stores with format variation.

9. Capture acknowledgment of SOP changes. When FDA updates the Food Code (next edition expected 2026), broadcast the change via the announcements module. Each store manager acknowledges and signs digitally. The auditable trail of who saw the new policy and when sits in the system.

10. Set the dashboard to surface issues, not completion percentage. The view that matters for an ops director is open corrective actions, locations trending toward food safety failure, and cooler temps trending out of range across multiple units. Use the issues dashboard, not the completion-percent rollup.

Where do operators see results?

Operators see results when the audit cadence and the corrective-action loop close on the same record. Five live examples worth naming.

• Dave's Hot Chicken (321 locations). Migrated from RizePoint. The drivers were weighted scoring, Bluetooth thermometer integration across every walk-in, hot-hold, and line station, and corrective action workflows with deadlines and escalation. The food safety score moved from a flat "always 87%" pattern to a range that reflected reality. That made DM walks actionable.
• H&S Energy (360+ stores, now Power Market). Continuous Bluetooth and LoRaWAN sensor deployment across coolers and hot-holds. The food-safety story is the sensor network catching cooler drift before a customer complaint.
• Power Market. Went live with bilingual food-safety checklists and QR deployment. 40% faster task resolution at the store level. The bilingual layer matters when frontline crews speak Spanish or Tagalog and the SOP only ever existed in English.
• Cook Out (335 locations). Weekly price-change process plus line-check temperature capture at QSR scale. The proof point is that audit cadence and temp capture run as one workflow, not two systems.
• Refuel. Drivers were offline mode (rural fuel stops with intermittent connectivity), work orders, and third-party Service Channel integration. The approval workflow runs DM to Regional to Corporate with a fatality-tier escalation path.

The patterns operators ask about, with the honest answer.

1. Can I cut audit time? Yes. Bluetooth thermometers eliminate the manual line check entry, and conditional visibility means the audit only asks what matters at each location. Multi-unit teams that run restaurant line check workflows on Xenia report visible time savings within weeks.
2. Can I prove compliance without printing? Yes. Digital records satisfy 21 CFR Part 117 Subpart F recordkeeping if they have an audit trail, controlled corrections, retention, and retrievability. Xenia's records do all four.
3. Will the inspector accept a tablet log? Yes, per state. State health departments accept electronic records as long as they are retrievable on demand. The Squadle guide on what inspectors look for in temp logs confirms inspectors want timestamps, completeness, and corrective-action documentation. All native to a Xenia audit.

A common mistake worth flagging. Operators assume "we follow the Food Code" means they are FSMA-compliant. They are not necessarily. If you run a central kitchen or commissary that distributes to multiple units, FSMA preventive controls and traceability rules can apply on top of the Food Code. The frameworks stack. They do not substitute. For the broader operator playbook, see the food safety operations hub and the cross-cluster audit management hub. Vertical context for QSR and full-service teams lives in the restaurant task management hub. For the c-store reading, the convenience store operations software hub covers the forecourt and cooler side of the same problem.