21 CFR 117 Subpart F

This glossary term is part of the SG Systems Global regulatory & operations guide library.

Updated January 2026 • FSMA Preventive Controls for Human Food recordkeeping, what records must exist, how records must be created and protected, retention & retrieval, electronic records, audit trail expectations • Primarily Food & Beverage Manufacturing (audit readiness, inspections, preventive controls evidence, sanitation/allergen programs, supplier verification documentation)

21 CFR 117 Subpart F is the recordkeeping backbone of the FSMA Preventive Controls for Human Food rule. It sets the baseline requirements for the records you must establish and maintain under Part 117 and, more importantly, the quality of those records: what they must contain, how they must be created, how long they must be retained, and how quickly they must be retrievable during an FDA inspection.

Subpart F is where “we have a food safety program” stops being a set of intentions and becomes a provable system. You can run excellent sanitation, allergen, and preventive controls day-to-day and still fail an inspection if your records are late, incomplete, inconsistent, or not retrievable. Inspectors don’t audit your intentions. They audit your evidence. Subpart F is the rule that determines whether your evidence is credible.

Tell it like it is: most Part 117 compliance failures are not because companies refuse to do controls. They fail because records are fragmented (binders + spreadsheets + emails), created after the fact, missing key identifiers (lot, time, person, instrument), or stored in a way that makes them practically unretrievable. Subpart F turns those failure patterns into inspection risk.

“Part 117 is what you do. Subpart F is how you prove you did it, when you did it, and that it can’t be quietly rewritten later.”

1) What people mean when they cite 21 CFR 117 Subpart F

When someone says “we need to be compliant with Subpart F,” they are usually reacting to one of these operational moments:

First: an audit or inspection is coming, and the site realizes its records are not organized, not complete, or not retrievable. Subpart F becomes the checklist that determines what the inspector will ask for.

Second: the site experienced a food safety event (allergen incident, sanitation failure, supplier issue) and suddenly needs to reconstruct what happened. If records were created late or scattered, reconstruction becomes unreliable. Subpart F is the rule that makes reconstruction failure look like compliance failure.

Third: the site is moving from paper to digital and wants to know what “good electronic records” look like. Subpart F doesn’t force one technology, but it sets the expectations your system must satisfy.

In practical terms, Subpart F is not “a form.” It’s the rule that defines whether your Food Safety Plan and related programs are real enough to stand up to inspection.

2) Why Subpart F is the “proof layer” of your FSMA program

FSMA preventive controls is about prevention, but prevention is only credible when you can prove it happened. Subpart F provides the proof rules. In inspections, FDA doesn’t only ask “do you have procedures?” They ask “show me evidence you executed them.” That is Subpart F territory.

Subpart F also protects you operationally. Strong records reduce:

• Time to investigate: you can replay what happened without email archaeology.
• Scope blow-up: you can bound impacted product because the identity story is coherent.
• Release delays: QA can review a complete evidence set instead of hunting for missing pieces.
• Repeat failures: you can trend evidence and fix systemic gaps instead of firefighting.

In other words, Subpart F is not “compliance overhead.” It’s operational resilience.

3) Scope map: which programs generate Subpart F records

Subpart F is not limited to a single program. It applies across the parts of Part 117 that require records. That typically includes evidence from programs such as:

Subpart F is essentially the “records standard” for the practical output of these programs.

4) Record categories: what evidence you must be able to produce

Instead of thinking “what does FDA want,” think “what questions must we answer.” Record categories exist to answer those questions.

Identity records answer: what lot was it, where was it, and what was done to it? These include lot codes, labels, and traceability linkages.

Execution records answer: did we actually perform the required control? These include monitoring records, sanitation execution logs, allergen changeover checks, and label verification.

Verification records answer: how do we know the control worked? These include review signatures, verification checks, and periodic validation evidence.

Corrective action records answer: what happened when the control failed? These include deviations, hold/release actions, and disposition decisions.

Training and competency records answer: were the people doing this work qualified? See training matrix and role-based competency evidence.

Subpart F makes sure these categories are not “nice to have.” They are retrievable obligations.

5) Record quality rules: legibility, accuracy, and timeliness

Record content is one part of compliance. Record quality is the other. Subpart F expects records to be:

• Legible: readable without interpretation (no smeared ink, no missing fields).
• Accurate: reflects what actually happened, not what should have happened.
• Timely: created at the time the activity is performed, not days later.
• Complete: includes required identifiers (date/time, lot, person, device where relevant).

This is where paper systems often fail: people do the work, then fill out the log later. That creates a record, but it’s weak evidence. Digital systems can fail too if they allow backdating and silent edits. This is why Subpart F pairs naturally with data integrity and audit trail thinking.

6) Attribution: who did it, when, and under what authority

Attribution is what turns a record into accountable evidence. Your records must show:

• Who performed the activity (name or unique identifier).
• When it was performed (date/time, ideally tied to event time, not entry time only).
• Who reviewed/verified it where review is required.
• What lot/equipment/location it applied to so it can be linked to traceability.

This is why shared logins and shared clipboards are risky. They break attribution. If you can’t prove who did the work, your record becomes “someone did something,” which is exactly what inspectors don’t accept as strong evidence.

7) Controls on changes: corrections, edits, and audit trail logic

Records are not perfect; corrections happen. Subpart F doesn’t require perfection, but it demands integrity. The key expectation is that records cannot be quietly rewritten.

Defensible correction controls include:

• Reason-for-change: why was the correction necessary?
• Attribution of change: who made the change and when?
• Preservation of original: original entry remains visible (or at least recoverable), not overwritten.
• Review of change: certain changes require supervisor/QA review.

This is where digital systems must behave like controlled systems: edits must be captured in an audit trail. Paper systems must behave similarly: single-line corrections, initials, dates, no whiteout. The principle is the same: changes must be transparent.

8) Retention rules: how long records must be kept and why

Subpart F sets baseline retention expectations so records remain available across meaningful time horizons (production, shelf life, inspection cycles). The operational takeaway is simple: if you throw away records too soon, you can’t defend product decisions when questions arise later.

Retention is more than keeping files. It requires:

• Organized storage: records aren’t “somewhere on a drive.”
• Protection from loss: backups and controlled access.
• Retrievability: you can find them by lot, date, and program area.
• Integrity over time: records don’t silently degrade or get overwritten.

See record retention and archival. Retention without retrieval is not meaningful compliance.

9) Retrieval readiness: “can you produce it now?” expectations

The most practical Subpart F test is retrieval. FDA and auditors will ask for specific records—often for a specific lot and time window—and they will watch how you respond. If retrieval takes hours or depends on one person’s memory, you look out of control even if the records exist somewhere.

Retrieval readiness means:

• records are indexed by lot/date/program,
• electronic records can be exported or displayed quickly,
• paper records are stored in a way that allows fast retrieval,
• site staff knows how to retrieve records (not just “the QA manager can do it”), and
• records are coherent as a set (they tell a consistent story).

Fast retrieval is not vanity. It’s how you demonstrate that the system is governed and that controls are routine.

10) Electronic records: what makes e-records defensible

Subpart F allows electronic records, but electronic records must still satisfy integrity expectations: attributable, legible, contemporaneous, and protected from silent alteration.

In practice, defensible electronic record systems include:

• Role-based access: only authorized roles can create, edit, approve.
• Audit trails: changes are recorded automatically and cannot be disabled casually.
• Unique user identity: no shared logins; approvals tied to specific users.
• Time integrity: event time captured, not just “time the record was edited later.”
• Exportability: records can be produced for inspection without custom engineering.

Even though Part 117 is not 21 CFR Part 11, inspection expectations increasingly mirror strong data integrity principles. If your system behaves like “editable spreadsheets,” you invite scrutiny.

11) Supplier records: CoAs, approvals, and verification evidence

Supplier documentation is one of the most common record categories sites mishandle. Subpart F expectations show up when you cannot prove you verified supplier inputs.

Strong supplier record discipline includes:

• supplier approval records (see supplier qualification),
• CoA capture and matching (see CoA verification),
• receiving inspection evidence and lot linkage,
• disposition evidence when a supplier lot fails acceptance.

The compliance failure pattern is “we have the CoA somewhere” without lot linkage and without evidence of review. Subpart F pushes you toward controlled linking and review evidence.

12) Sanitation and allergen records: the inspection pressure points

Sanitation and allergen programs are where Subpart F becomes visible in minutes. Inspectors routinely ask for:

• sanitation monitoring records,
• cleaning verification results (see cleaning verification),
• allergen changeover controls and segregation evidence (see segregation and cross-contact),
• label verification checks that prevent allergen mislabeling.

These records are frequent, high-volume, and easy to backfill in paper systems. That’s why inspectors scrutinize them. If your sanitation records are consistently time-stamped, attributable, and linked to equipment/areas, you look in control. If they’re “all filled in at the end of the shift,” you look exposed.

13) When records become investigations: deviations, corrections, gaps

Subpart F becomes painful when there are gaps. A gap is not just “missing paperwork.” It is a signal that control may have failed. When records are missing or inconsistent, you often must treat it as an exception and evaluate impact.

Practical examples:

• Missing monitoring record: was the control performed but not recorded, or not performed?
• Late record creation: is it contemporaneous evidence or reconstruction?
• Conflicting entries: two records disagree on which lot was used or which step occurred.
• Unapproved changes: edited values without reason-for-change or review.

In a mature system, these conditions trigger a governed exception workflow (deviation/NC) and potentially a product hold until the impact is bounded. This is where Subpart F drives real operational behavior: it forces you to treat evidence gaps as risk, not as clerical inconvenience.

14) Copy/paste readiness scorecard

Use this as a blunt internal test. If you can’t answer cleanly, fix the system—not the wording.

15) Failure patterns: how Subpart F gets “complied with” on paper

• End-of-shift backfill. Records exist, but they’re not contemporaneous.
• Shared drives without indexing. Records exist, but retrieval is slow and unreliable.
• Spreadsheet-as-QMS. Data is editable without audit trail; integrity is weak.
• Missing identifiers. Records don’t tie to lots/equipment/areas, so they can’t support investigations.
• Paper overload. Paper exists but is too fragmented to prove a coherent story.
• Training assumed. Competency isn’t proven; records are generated by people not demonstrably trained.
• “We’ll find it later.” Retrieval is treated as a future problem until an inspection makes it a current crisis.

Subpart F punishes these patterns because they turn your program into a story instead of evidence.

16) How this maps to V5 by SG Systems Global

V5 supports Subpart F outcomes by making records workflow-driven, attributable, and retrievable rather than scattered. In practice, Subpart F alignment is less about “a report” and more about system properties:

• records captured as events tied to lots, equipment, and locations,
• role-based permissions and review workflows (see approval workflow),
• built-in audit trails for changes (see audit trail),
• structured document control for SOPs and program documents (see document control),
• retention and retrieval structures aligned to record retention,
• traceability linkage so inspection packages are generated quickly by lot and time window.

For the system-level picture of how workflow records, traceability, and quality governance fit together, start with V5 Solution Overview. Where the site needs strong shop-floor evidence capture and lot linkage, V5 MES and V5 WMS provide the execution and movement truth, while V5 QMS governs holds, deviations, approvals, and record integrity.

17) Extended FAQ

Q1. Is Subpart F only about keeping records?
No. It’s about keeping records that are credible: complete, accurate, timely, attributable, protected from silent alteration, retained, and retrievable quickly during inspection.

Q2. What’s the fastest way to fail Subpart F in an inspection?
Slow retrieval and backfilled logs. If you can’t produce required records quickly—or if the records look like they were created later—inspectors will question the integrity of the entire program.

Q3. Do electronic systems automatically satisfy Subpart F?
No. Electronic systems can still allow shared logins, silent edits, and poor indexing. A defensible electronic system needs role controls, audit trails, and linked record structures.

Q4. Where do inspectors look first?
High-frequency, high-risk records: sanitation, allergens, supplier verification, and monitoring records tied to preventive controls. These reveal whether records are routine or reconstructed.

Q5. How do we know we’re ready?
Run an internal “inspection drill”: pick a lot and attempt to produce the complete evidence package in one sitting—receiving, sanitation/allergen records, verification records, corrective actions if any, and release decisions. If it takes hours or multiple systems with manual reconciliation, your Subpart F posture is fragile.

Related Reading (keep it practical)
If you’re building a Subpart F-ready evidence system, start by tightening lot identity and traceability so records link naturally (see end-to-end lot genealogy), then harden record integrity using data integrity and audit trails, with disciplined document control and record retention. For the primary regulation text, use 21 CFR Part 117 (eCFR) and the section-level view at 21 CFR Part 117 (Cornell).