← Blog
food-safety 2026-03-06 7 min read

FSMA Compliance: The Food Safety Gaps That Lead to FDA Warning Letters

An analysis of the most common FSMA compliance failures cited in FDA warning letters — preventive controls, produce safety, supply chain programs, and the specific gaps that trigger enforcement action.

By AuditDSS Team

The FDA Food Safety Modernization Act (FSMA) shifted US food safety regulation from reactive response to preventive control. Rather than waiting for contamination events and responding after the fact, FSMA requires food facilities to identify hazards, implement preventive controls, and verify that those controls are working — before anyone gets sick.

The law has been in full effect for several years now, with all major rules implemented and enforced. And the enforcement record tells a clear story: the same categories of gaps appear in FDA warning letters repeatedly. These aren’t obscure requirements. They’re core FSMA obligations that facilities either misunderstand or implement incompletely.

The FSMA framework

FSMA comprises seven foundational rules, but three drive the majority of enforcement activity:

Preventive Controls for Human Food (21 CFR Part 117): Requires food facilities to implement a food safety plan with hazard analysis, preventive controls, monitoring procedures, corrective actions, and verification activities. This is the most broadly applicable rule, covering virtually all food manufacturing and processing facilities.

Preventive Controls for Animal Food (21 CFR Part 507): The equivalent framework for animal food facilities, with similar requirements adapted to animal food manufacturing.

Produce Safety Rule (21 CFR Part 112): Establishes science-based minimum standards for the growing, harvesting, packing, and holding of produce. Covers agricultural water quality, biological soil amendments, worker hygiene, equipment sanitation, and domesticated and wild animals.

Additional FSMA rules cover Foreign Supplier Verification Programs (FSVP), Intentional Adulteration, Sanitary Transportation, and Third-Party Accreditation — each with their own compliance requirements and enforcement patterns.

What the FDA is actually citing

Analysis of FDA warning letters and inspection observations (Form 483s) reveals consistent patterns in FSMA enforcement. The following gaps account for the large majority of citations.

Inadequate hazard analysis

The food safety plan begins with hazard analysis — identifying biological, chemical (including radiological), and physical hazards that are known or reasonably foreseeable for each food product and process. The FDA consistently cites facilities for:

  • Failing to identify known hazards: Facilities that don’t identify pathogens associated with their specific food products or processes. Listeria monocytogenes in ready-to-eat environments, Salmonella in low-moisture foods, and allergen cross-contact in shared-line facilities are frequently missed.

  • Inadequate hazard evaluation: Identifying a hazard but failing to properly evaluate its severity and probability. The evaluation must consider the food, the facility, the process, and the intended consumer. Generic hazard analyses copied from templates without facility-specific adaptation are consistently flagged.

  • Missing process hazards: Focusing on ingredient-borne hazards while overlooking process-introduced hazards — such as metal fragments from equipment, chemical contamination from cleaning agents, or environmental pathogen harbourage.

The FDA expects the hazard analysis to demonstrate that the facility has thought systematically about every hazard relevant to its specific operations. Template-based approaches that lack facility-specific detail are a primary red flag.

Preventive control deficiencies

Once hazards are identified and evaluated, preventive controls must be implemented for each hazard requiring a control. The FDA’s most common citations in this area include:

Missing preventive controls: Hazards identified in the analysis but no corresponding preventive control documented or implemented. This often occurs with environmental pathogen controls, allergen cross-contact controls, and sanitation controls for ready-to-eat products.

Process controls without validated parameters: Critical limits for process controls (cooking temperatures, cooling times, pH levels) that aren’t based on scientific evidence or regulatory guidance. The FDA expects validated parameters — not estimates or historical practice without supporting documentation.

Inadequate sanitation controls: Particularly in facilities producing ready-to-eat foods, where sanitation is a preventive control for environmental pathogens. The FDA looks for specific sanitation procedures, frequencies, agents, concentrations, and effectiveness monitoring. “Clean and sanitize daily” without operational specifics is insufficient.

Allergen controls: Facilities that manufacture products containing major allergens on shared equipment without documented allergen control procedures — including production sequencing, cleaning validation between allergen changeovers, and label verification.

Monitoring and verification failures

Having preventive controls on paper is only the beginning. The FDA expects documented evidence that controls are being monitored as specified and verified for effectiveness.

Monitoring gaps: Preventive controls must be monitored with sufficient frequency to ensure they are consistently performed. The FDA cites facilities where monitoring records are incomplete, monitoring frequencies are inadequate, or monitoring is not performed by qualified individuals.

Verification deficiencies: Verification is distinct from monitoring. It confirms that the food safety plan is being implemented correctly and that preventive controls are effective. Required verification activities include:

  • Validation that preventive controls are capable of controlling the identified hazards
  • Calibration of monitoring instruments
  • Review of monitoring and corrective action records
  • Product testing where appropriate
  • Environmental monitoring where appropriate

The most common verification failure is the absence of validation. Facilities implement controls but never validate that those controls actually work against the specific hazards they’re intended to prevent.

Record-keeping inadequacies: FSMA requires specific records for all monitoring, corrective actions, and verification activities. Records must include the date, the values observed, the individual performing the activity, and product identification. Incomplete records — missing dates, missing signatures, missing product identification — are among the easiest citations for FDA inspectors to issue.

Supply chain programme gaps

The FSMA Preventive Controls rules require that facilities have supply chain programs for raw materials and ingredients where the supplier’s control of a hazard is necessary. The Foreign Supplier Verification Program (FSVP) rule extends this to imported foods.

Common supply chain programme gaps include:

  • No supplier approval process: Receiving raw materials from suppliers without documented approval based on hazard analysis
  • Missing supplier verification activities: Approved suppliers without ongoing verification — audits, testing, or review of the supplier’s food safety records
  • Inadequate receiving procedures: No documented procedures for verifying that incoming materials meet specifications and were transported under appropriate conditions
  • FSVP non-compliance for imports: Importers who have not conducted hazard analysis for imported foods, have not evaluated foreign supplier performance, or have not conducted required verification activities

Produce Safety Rule violations

The Produce Safety Rule applies to farms growing, harvesting, packing, or holding covered produce. The most frequently cited violations include:

Agricultural water: The water quality requirements have been among the most complex and contested elements of FSMA. The FDA has finalised updated agricultural water requirements that focus on pre-harvest water assessments — requiring farms to conduct annual assessments of their agricultural water systems, identify conditions that could introduce known or reasonably foreseeable hazards, and implement corrective measures.

Biological soil amendments: Using raw manure or improperly composted biological soil amendments without meeting the required application-to-harvest intervals. The requirement is specific: raw manure must be applied with a defined interval before harvest (the FDA has deferred enforcement of the specific interval but expects farms to take steps to minimise risk).

Worker hygiene: Inadequate worker training, insufficient handwashing facilities in growing and harvesting areas, and absence of illness reporting policies. The requirements are prescriptive — the number and location of handwashing stations, the training content and frequency, and the hygienic practice standards are all specified.

Equipment and building sanitation: Packing houses that don’t maintain equipment, tools, and buildings in adequate condition to prevent contamination of covered produce. Food contact surfaces must be cleaned and sanitised as needed, and non-food contact surfaces must be maintained in a condition that doesn’t lead to contamination.

Why these gaps persist

The pattern across FSMA enforcement is consistent: facilities address the broad requirements but miss the specific sub-obligations within each requirement. A facility has a food safety plan, but the hazard analysis lacks facility-specific detail. Preventive controls exist, but monitoring records are incomplete. A supply chain programme is documented, but supplier verification activities aren’t being performed.

This mirrors the pattern seen across every regulatory domain — the gap between rule-level compliance and obligation-level compliance. FSMA’s seven rules contain hundreds of specific, testable obligations. Each one can be independently cited in a warning letter. Addressing the rule without systematically addressing each obligation within the rule creates the gaps that FDA inspectors are trained to find.

Building a defensible FSMA programme

  1. Conduct facility-specific hazard analysis — not template-based, covering all known and reasonably foreseeable hazards for your products and processes
  2. Implement documented preventive controls for every hazard requiring a control, with scientifically validated parameters
  3. Establish monitoring programmes with defined frequencies, methods, responsible individuals, and record formats
  4. Validate preventive controls with scientific evidence that they effectively control the identified hazards
  5. Implement verification activities — instrument calibration, record review, product and environmental testing
  6. Maintain supply chain programmes with documented supplier approval, ongoing verification, and receiving procedures
  7. Conduct systematic self-assessments against the full set of FSMA obligations — not just the rule headings

AuditDSS covers FSMA (all seven rules), EU General Food Law (Regulation 178/2002), Australia’s FSANZ Food Standards Code, and the UK Food Safety Act — decomposed into individual obligations so you can identify exactly where gaps exist before an inspector does. Explore AuditDSS.

Ready to score your compliance?

Upload your compliance document and get a risk-scored gap analysis in under 5 minutes.

Get started