21 CFR 117 Subpart C

This glossary term is part of the SG Systems Global regulatory & operations guide library.

Updated January 2026 • FSMA Preventive Controls for Human Food, hazard analysis, preventive controls selection, process/allergen/sanitation controls, parameters & limits, recall plan, risk-based decision logic • Primarily Food & Beverage Manufacturing (PCQI-led food safety plans, audit readiness, shop floor execution discipline)

21 CFR 117 Subpart C (“Hazard Analysis and Risk-Based Preventive Controls”) is the part of the FSMA Preventive Controls for Human Food rule that turns food safety from “good practices” into an explicit, documented, risk-based control system. Subpart C is where you (1) conduct a hazard analysis, (2) decide which hazards require preventive controls, (3) define how those controls will be implemented and validated at the facility, and (4) establish the recall plan requirement tied to hazards requiring a preventive control.

Subpart C is the heart of Part 117. If Subpart B is the GMP foundation and Subpart F is recordkeeping proof, Subpart C is the decision engine. It forces you to answer uncomfortable questions with written logic: What could go wrong? How would we prevent it? Which prevention activities are essential vs optional? What does “control” mean in measurable terms? And if control fails, how do we respond?

Tell it like it is: most sites fail Subpart C not because they ignore hazards, but because their hazard analysis is vague, their preventive controls are “whatever we already do,” and their control definitions aren’t measurable. The moment an auditor asks, “Show me how you decided this is a preventive control and what your limits are,” weak programs collapse into narratives. Subpart C exists to remove narrative risk and replace it with defensible, auditable logic.

“Subpart C is where ‘we’re safe’ has to become ‘here is our hazard analysis and the specific controls that make us safe.’”

1) What people mean when they cite 21 CFR 117 Subpart C

When someone says “we need Subpart C compliance,” they’re usually dealing with one of these situations:

First: they’re building or rebuilding a Food Safety Plan and need the hazard analysis and preventive controls to be defensible, not just “industry standard.”

Second: an auditor or inspector is asking “why is this a preventive control, and where are your limits?” Subpart C is where that justification lives.

Third: a site had a real event—mislabeling, allergen cross-contact, sanitation failure, supplier incident—and now must prove the preventive controls were correctly designed and implemented.

In all three cases, Subpart C isn’t about paperwork volume. It’s about decision quality. It’s the logic layer that determines whether your controls are meaningful.

2) How Subpart C fits into the overall Part 117 structure

Part 117 is a system. Subpart C is not standalone—it’s the “design” of the preventive control system. The rest of the rule supports execution and proof:

• Subpart B: CGMPs (the baseline conditions that support safe manufacturing).
• Subpart C: hazard analysis and the decision to implement preventive controls (and recall plan requirement).
• Subpart D: monitoring (how you run the controls in real time).
• Subpart E: corrective actions and corrections (how you respond when something deviates).
• Subpart F: recordkeeping (how you prove the system exists and is executed).
• Subpart G: supply-chain program (often required when hazards are controlled by suppliers).

Subpart C provides the “why” and “what” of controls. Without it, monitoring and records become activity without purpose.

3) Scope map: who Subpart C applies to and when

Subpart C generally applies to facilities that must implement hazard analysis and risk-based preventive controls under Part 117. The practical scope question is: does your operation require a preventive controls food safety plan rather than relying solely on CGMPs?

In real audits, the scope is tested by product risk and process complexity. If you handle allergens, high-risk ingredients, RTE exposure, or have kill steps, Subpart C work becomes unavoidable.

Subpart C is not the same for every plant. The hazards and controls are site-specific. But the decision framework must be consistent and documented.

4) Hazard analysis: what you’re required to evaluate

Subpart C requires a hazard analysis that identifies known or reasonably foreseeable hazards for each type of food manufactured, processed, packed, or held at the facility. The hazard analysis is where you break the “we make product” process into steps and ask: what can go wrong here?

Hazard categories typically include:

• Biological hazards: pathogens, growth, toxin formation, contamination risk.
• Chemical hazards: allergens, residues, sanitation chemicals, natural toxins.
• Physical hazards: metal, glass, hard plastic, foreign material.
• Radiological hazards: rare, but evaluated where relevant.

The hazard analysis must consider both hazards introduced and hazards increased, as well as the severity of illness/injury and the probability of occurrence if the hazard is not controlled. This is where risk-based thinking becomes mandatory, not optional. It’s also where many programs get lazy—listing hazards without linking to process reality and actual exposure points.

5) “Hazards requiring a preventive control”: the decision threshold

Subpart C forces you to decide which hazards require a preventive control. This is the most important decision point because it determines what becomes mandatory to monitor, verify, and document. The risk is that teams either:

• over-design: label everything a preventive control, creating a bloated system that nobody can execute, or
• under-design: claim hazards are controlled by “GMP” without justification, leaving real risk unmanaged.

A defensible program uses a consistent method. Many sites use risk scoring or structured rationale similar to risk management thinking: severity, likelihood, detectability, and practical controls.

Operationally, the “hazard requires preventive control” decision must be tied to specific mechanisms that are measurable. If a hazard “requires a preventive control” but the control is not measurable, you’ve made a compliance claim you can’t prove.

6) Preventive control types: process, allergen, sanitation, and other

Subpart C defines the main classes of preventive controls a facility may implement based on the hazard analysis. In practical plant terms, these become the control families you implement and govern.

The important part is not the category. It’s whether the control is defined in measurable terms and integrated into how the plant operates every day.

7) Process preventive controls: kill steps, time/temp, formulation gates

Process preventive controls are the most intuitive: they are the steps that reduce or prevent hazards through a defined process. The classic example is lethality control—see kill step validation.

A defensible process control includes:

• Defined critical parameters: time, temperature, pH, concentration, flow rate, etc.
• Defined limits: what must be achieved (not “about this much”).
• Monitoring method: how you measure it (device, frequency, responsibility).
• Validation/scientific support: evidence that the control can achieve hazard reduction under your conditions.
• Response rules: what happens if limits are not met (hold, rework, discard, investigation).

Process controls fail when they are described at a high level (“we cook it”) without measurable limits and without evidence that the cook step controls the hazard for your product and equipment. Subpart C pushes you away from “we do it” and toward “we can prove it.”

8) Allergen preventive controls: the mislabeling and cross-contact reality

Allergens are a unique hazard because failure modes are often operational and labeling-driven, not microbiological. Under Subpart C, allergen controls may be required when allergen hazards need a preventive control. In practice, allergen controls often include:

• Segregation controls: storage and staging rules (see allergen segregation).
• Changeover and sanitation controls: cleaning and verification to prevent cross-contact (see allergen cross-contact).
• Rework rules: rework identification and restricted use to prevent hidden allergen introduction (see rework traceability).
• Label verification: verifying that the correct label is applied for the correct SKU and allergen profile (see label verification).

Tell it like it is: allergen failures often happen at the edges—startups, changeovers, rework, and rushed packaging runs. Subpart C pushes you to design controls that work under real pressure, not only in perfect conditions.

9) Sanitation preventive controls: when sanitation becomes a PC

Sanitation is always important, but it becomes a preventive control when your hazard analysis says sanitation is essential to control a hazard (especially for RTE exposure and high hygiene risks). Sanitation preventive controls typically require stronger definition, stronger verification, and stronger response rules than routine “cleaning logs.”

Operationally, sanitation preventive controls often involve:

• defined sanitation procedures and schedules,
• verification evidence (ATP, swabs, visual criteria; see cleaning verification),
• scientific support and validation where required (see cleaning validation),
• environmental monitoring where applicable (see EM), and
• defined corrective actions when sanitation criteria are not met.

Sanitation controls fail when they are “checkbox cleaning” without verification and without linkages to product risk decisions. Subpart C forces sanitation to be defined as a control system, not an activity.

10) Parameters and limits: what “control” must look like operationally

This is where Subpart C becomes brutally practical: if a hazard requires a preventive control, then that control must have parameters and limits that define “controlled” vs “not controlled.” Without limits, you cannot monitor, and without monitoring you cannot verify.

Examples of measurable control definitions:

• Process control limit: minimum time/temperature achieved at the cold spot.
• Allergen control criterion: label verification pass + changeover verification completed before run start.
• Sanitation criterion: ATP/swab results below threshold + pre-op inspection pass.
• Foreign material control criterion: detector verification test passes at defined frequency.

Limits must be real: defined numbers, defined pass/fail criteria, and defined frequency of checks. “We check periodically” is not a control definition. Subpart C is what forces you to stop using vague language.

11) Validation and scientific support: proving controls can work

Subpart C expects you to have scientific support and validation where required—especially for process preventive controls. Validation is not “we think it works.” It is evidence that the control, as designed and executed in your plant, can control the hazard.

Operationally, this may include:

• process validation data or scientific studies supporting lethality,
• equipment qualification and mapping for heat transfer where relevant,
• challenge studies or documented support for sanitation and allergen controls (where applicable),
• verification of monitoring instruments and calibration discipline (so measurements are trustworthy).

The key Subpart C point: you can’t treat preventive controls as “best practices.” You have to treat them as controlled risk-reduction mechanisms with support behind them.

12) Monitoring and response design: building controls into execution

Subpart C defines what must be controlled; your system must define how monitoring happens in real operations. In practice, monitoring design should:

• Bind monitoring to steps: monitoring occurs at the right process step, not “sometime today.”
• Use hard gating where appropriate: critical steps can’t proceed unless monitoring passes (see hard gating if you apply that concept).
• Use role-based accountability: who monitors, who reviews, who approves.
• Create immediate visibility: if a limit is missed, the system triggers containment (hold) and escalation.

Monitoring that is not integrated into execution tends to become backfilled paperwork. Subpart C doesn’t tolerate “monitoring in theory.” It requires monitoring as a controlled behavior.

13) Corrective actions and corrections: what happens when control fails

Subpart C is also about response. A preventive control system is only credible if you can show what happens when a limit is not met. The practical response model includes:

• Immediate correction: stop the process, adjust parameters, segregate product.
• Product disposition: hold, rework, or discard based on risk evaluation.
• Investigation trigger: when deviations indicate systemic issues, route to governed deviation/NC processes.
• Prevent recurrence: corrective actions on equipment, training, procedures, or supplier controls.

This is where Subpart C connects to the broader quality system: holds, deviations, CAPAs, and release readiness. If your system handles deviations informally (“we fixed it, trust us”), inspectors will treat your preventive controls as weak.

14) Recall plan requirement: why Subpart C forces recall readiness

Subpart C includes the recall plan requirement tied to hazards requiring a preventive control. The operational meaning is blunt: if you claim a hazard requires preventive control, you must be able to remove affected product rapidly when the control fails or when hazards are discovered later.

A recall plan is not just “call customers.” It must be executable: identify product, notify consignees, conduct effectiveness checks, disposition product, and document the event. That’s why Subpart C links naturally to recall readiness and mock recall performance.

Practical takeaway: a weak traceability system makes the recall plan performative. Subpart C essentially forces you to make traceability real because recall is part of the control story.

15) Reanalysis triggers: when Subpart C must be revisited

Subpart C hazard analysis and preventive controls are not “write once.” They must be reanalyzed when conditions change. Practical triggers include:

• significant process changes (new line, new equipment, new kill step parameters),
• new products or new ingredients (especially allergens and hazard profile shifts),
• supplier changes (new supplier, new site, repeated supplier deviations),
• new hazards identified (customer complaints, EM findings, regulatory alerts),
• repeated preventive control failures or deviations indicating system weakness.

Reanalysis is where you prove your preventive control system evolves with reality, rather than staying frozen while operations change underneath it.

16) Audit posture: what inspectors pressure-test under Subpart C

Inspectors and auditors tend to pressure-test Subpart C by selecting a hazard and asking you to demonstrate the control chain from hazard analysis to execution evidence. Typical pressure-test questions:

• “Show me your hazard analysis for this product and process step.”
• “Why does this hazard require a preventive control (or not)?”
• “What are your limits and how do you monitor them?”
• “Show me monitoring records and verification evidence for a recent run.”
• “What happens when monitoring fails—show me a real example.”
• “Show me your recall plan and how you tested recall readiness.”

The fastest way to pass these questions is not memorization. It’s having a system where the hazard analysis links to specific controls and those controls link to real records and real gating in day-to-day execution.

17) Copy/paste readiness scorecard

Use this as a blunt internal test. If you can’t answer cleanly, fix the system—not the wording.

18) Failure patterns: how Subpart C gets “done” without being real

• Template hazard analysis. Hazards listed generically, not tied to your actual steps and exposures.
• GMP as a preventive control without rationale. “We do GMP” used as a blanket control without measurable criteria.
• Controls without limits. Control described as “monitor temperature” with no defined limit, frequency, or response rules.
• Allergen controls treated as labeling only. Cross-contact and rework risks ignored until an incident occurs.
• Sanitation records as checkbox logs. No verification, no linkage to hazard control, no response discipline.
• Recall plan as a binder artifact. Exists on paper but not tested; traceability cannot support execution.
• No reanalysis culture. Process changes happen, but hazard analysis stays frozen.

Subpart C compliance is not achieved by having a document. It’s achieved by having a hazard-control system that can be demonstrated with evidence.

19) How this maps to V5 by SG Systems Global

V5 supports Subpart C outcomes by making hazard controls executable, measurable, and evidence-linked. Subpart C is a design requirement; V5 makes that design operational:

• Hazard-to-control mapping: tie hazards in the food safety plan to specific execution controls (process/allergen/sanitation).
• Hard-gated execution: enforce required checks and prevent proceeding when controls aren’t satisfied (especially for critical steps).
• Allergen and label controls: enforce segregation rules, changeover checks, and label verification workflows.
• Sanitation evidence: capture cleaning verification and EM evidence as linked records, not free-form logs.
• Supplier evidence linkage: capture supplier approvals and CoA verification as part of inbound control posture.
• Recall readiness: generate traceability outputs quickly and support mock recall workflows using linked lot genealogy.

For platform context, start with V5 Solution Overview. Where Subpart C controls require shop floor enforcement, V5 MES provides the execution truth, V5 WMS enforces movement and segregation, and V5 QMS governs holds, deviations, approvals, and evidence integrity.

20) Extended FAQ

Q1. Is Subpart C the same as HACCP?
It’s related, but not identical. Many Subpart C concepts map to HACCP thinking (hazard analysis, controls, monitoring), but Subpart C is part of the FSMA preventive controls framework and includes broader control categories and the recall plan requirement tied to preventive controls.

Q2. What’s the most common Subpart C weakness?
Controls that are not measurable. “We monitor” without defined limits and response rules is not a defensible preventive control design.

Q3. Do allergen hazards typically require preventive controls?
Often yes, especially where mislabeling and cross-contact risk exists. The key is not the word “allergen” but the hazard analysis conclusion and whether controls must be implemented and verified to manage the risk.

Q4. Does Subpart C require a recall plan for everything?
The recall plan requirement is tied to hazards requiring a preventive control. In practice, if you implement preventive controls, you should be able to execute a recall or withdrawal with traceability and effectiveness checks.

Q5. How do we test if our Subpart C program is real?
Pick one hazard (allergen, lethality, sanitation) and attempt to trace the control chain end-to-end: hazard analysis decision → preventive control definition (limits) → monitoring evidence → verification evidence → a real exception example and response → recall readiness outputs. If any link is “we think,” your program is fragile.

Related Reading (keep it practical)
If you’re implementing Subpart C rigorously, anchor it to a measurable Food Safety Plan supported by disciplined risk thinking (see risk management), then build enforceable controls for allergens (cross-contact and segregation), process lethality (kill step validation), and sanitation verification (cleaning verification). For the primary regulation text, use 21 CFR Part 117 (eCFR) and the section-level view at 21 CFR Part 117 (Cornell).