21 CFR Part 1

This glossary term is part of the SG Systems Global regulatory & operations guide library.

Updated December 2025 • 21 CFR Part 1, FDA general enforcement regulations, food facility registration, prior notice, Bioterrorism Act records, FSVP, sanitary transportation, food traceability records, laboratory accreditation, administrative detention • Primarily Food & Beverage (FSMA / import / transport / traceability) with limited cross-over (e.g., administrative detention of drugs)

21 CFR Part 1 (“General Enforcement Regulations”) is the part of Title 21 that collects several foundational FDA enforcement and program rules—especially for food—into one place. It’s not a single requirement like “label font size,” and it’s not a GMP part by itself. It’s a container for multiple operationally heavy obligations, including food facility registration, prior notice for imports, certain food recordkeeping, Foreign Supplier Verification Programs (FSVP), sanitary transportation, laboratory accreditation for food testing under certain conditions, and the FSMA Food Traceability Rule’s additional traceability records for certain foods.

Why does this matter in the real world? Because Part 1 is where compliance stops being “policy” and becomes evidence logistics. It asks questions that are brutally practical: Are you registered correctly? Can you prove where a food came from and where it went? Can you produce required records quickly without reconstructing a story? Can you show that your import supply chain is verified? Can you demonstrate transport controls and training? If your operating model depends on end-of-week spreadsheets, shared inboxes, and “we can pull that later,” Part 1 is the part of the CFR that exposes the gap.

Part 1 also forces a systems question: do you have structured, retrievable records that map to real events? That’s why Part 1 connects naturally to topics like Data Integrity, Lot Traceability (End-to-End Genealogy), and FSMA 204 concepts like KDE (Key Data Elements) and CTE (Critical Tracking Events). In practice, “Part 1 compliance” is less about memorizing citations and more about building a record architecture that holds up when regulators (or a recall) pressure-test it.

“If your compliance plan is ‘we can reconstruct it later,’ 21 CFR Part 1 is where that plan breaks.”

1) What people mean when they cite 21 CFR Part 1

When an auditor, consultant, importer, or QA leader says “we need to comply with 21 CFR Part 1,” they’re usually not talking about an abstract legal document. They mean one of three practical things.

First: the organization has an FDA program obligation that is easy to miss until it hurts—food facility registration, prior notice, recordkeeping, import verification, transportation controls, or traceability records. These are “gate” requirements: if you miss them, you don’t just get a finding; you can get holds, delays, or enforced corrective action.

Second: the organization is trying to build an inspection-ready evidence posture. Part 1 is full of “show me the record” moments. If your records exist only as unstructured PDFs, emails, or tribal knowledge, Part 1 is where you discover you can’t answer basic questions quickly and consistently.

Third: the organization is dealing with a recall, complaint cluster, contamination signal, import disruption, or a supplier event. Under stress, “we’ll pull it later” becomes “we can’t pull it at all.” Part 1 is not a theoretical risk. It becomes the rulebook regulators use to demand records, constrain distribution, and force accountability.

Tell it like it is: many teams fail Part 1 readiness not because they’re malicious, but because their data is not structured around events. They track orders, invoices, and shipments, but they cannot reliably connect those transactions to product identity, lot codes, transformations, and custody transitions. Part 1 pushes you toward event-driven truth.

2) Scope map: what Part 1 actually contains

Part 1 is large because it contains multiple subparts that serve different FDA programs. If you want to understand Part 1 quickly, don’t start with section numbers. Start with a scope map of subparts and what operational function they represent.

The practical takeaway is simple: Part 1 is a multi-program compliance bundle. Most companies only interact deeply with the subparts that match their business model. But if you’re in food, it’s increasingly common to have obligations that touch several subparts at once (registration + records + transportation + traceability + imports).

3) Who Part 1 applies to (and why “we’re not a manufacturer” is often wrong)

A common failure pattern is “we’re just a warehouse” or “we’re just a distributor,” followed by an unpleasant discovery that the company is still a covered entity under at least one Part 1 subpart. Part 1 coverage is function-based: if you perform a covered activity (holding, receiving, shipping, importing, transporting, transforming, testing), you can inherit obligations even if you don’t run a production line.

Three definitions drive most surprises:

Holding: If you store food, you may be pulled into registration, recordkeeping, and traceability requirements depending on your specific role and product scope. “Holding” isn’t a loophole; it’s an activity category.

Transport roles: Part 1’s transportation subpart doesn’t just apply to carriers. Shippers, loaders, and receivers can have obligations (e.g., specifications, sanitary conditions, temperature requirements, training documentation, and records) that must be coordinated, not guessed.

Importer responsibility: If you are the “importer” for FSVP purposes, you own a supplier verification program obligation. That is a quality workflow requirement, not a purchasing preference.

4) Subpart H: Food facility registration in operational terms

Food facility registration is conceptually simple and operationally annoying. You are telling FDA: “This facility exists, and here is who and what it is.” But the failure modes are predictable: registrations that are incomplete, not kept current, inconsistently represented across systems, or misunderstood when corporate structures change.

Think about registration as a master data obligation. If your legal entity names, facility addresses, product categories, and contact roles are sloppy inside your ERP or QMS, they will be sloppy in your registration story too. That becomes a risk during inspections, import interactions, and incident response because regulators and brokers will not “interpret” your intent. They will compare what you filed to what you are doing.

A second practical point: registration is not a GMP substitute. Registration does not prove your sanitation program, preventive controls, or traceability posture. It is a baseline status gate. If you treat it as “we registered so we’re good,” you are building false confidence.

If you want implementation context that maps to how teams actually manage this (ownership, change control, and “show me the record” readiness), start with the Food Safety Management System (FSMS) hub and align evidence lifecycle expectations using a Record Retention Policy.

Operationally, a mature registration control looks like this: (1) a single internal “source of truth” for facility identity data, (2) change control for facility information (address, ownership, activity, contacts), and (3) periodic reconciliation so the registration posture stays aligned with reality. If you can’t explain who owns your registrations and how updates are governed, you’re one acquisition, one relocation, or one outsourced storage shift away from a compliance surprise.

5) Subpart I: Prior notice for imported foods and why it fails

Prior notice is the import equivalent of “tell us what’s coming before it shows up.” The reason it fails is almost never because the company does not “know it exists.” It fails because the company treats it as a broker checkbox rather than a controlled data process.

There are two core operational realities here. First, import data is messy: suppliers, brokers, carriers, and receivers often disagree about product descriptions, lot identifiers, packaging formats, and arrival windows. Second, systems are fragmented: the import story lives across email threads, purchase orders, commercial invoices, customs documents, spreadsheets, and warehouse receiving logs. When those inputs don’t reconcile, prior notice becomes brittle.

A robust posture looks like an “import evidence packet” that is reproducible for every shipment: standardized product identity fields, lot/code identity, supplier identity, receiving facility identity, and documented process ownership for submissions and exceptions. If the organization can’t generate that packet quickly and consistently, prior notice will be a recurring pain point.

The bigger takeaway is not the citation; it’s the operational discipline: treat import controls as a controlled data workflow that can be audited and repeated, not as a last-minute logistics task. If you want a practical blueprint for tightening the “handoff seams” (shipper/loader/carrier/receiver), see the Warehouse & Logistics hub.

6) Subpart J: Establishment, maintenance, and availability of records

Subpart J is where many organizations discover that their “traceability” is mostly narrative. The recordkeeping concept is often summarized as “one-up / one-down”: you should be able to identify where you got a food from (immediate previous source) and where you sent it (immediate subsequent recipient). In practice, the details matter, and the details are exactly what weak systems avoid capturing.

One reason this subpart is operationally heavy is that it applies to receiving and releasing events. That means it cuts across procurement, receiving, quality release, warehousing, shipping, and customer service. If these functions do not share a consistent identity model (item, lot/code, packaging, quantity, dates), recordkeeping compliance becomes a patchwork.

If you are trying to design a system around Subpart J, don’t start by asking “what reports do we need?” Start by asking “what events must be captured, with what identity fields, under what governance?” Reports are the output. Event capture is the control.

For implementation patterns that directly support Subpart J outcomes, use: Food Traceability Program and Manufacturing Traceability Software.

7) Record retention: what you keep, how long, and where “electronic” is acceptable

Retention is where compliance quietly fails. Teams often have “records,” but they’re not retained for the required period, not retained in an accessible location, or not retained in a retrievable structure. When FDA asks for records, “we used to have that” is not a defense.

Retention requirements can vary by category and shelf-life risk. The operational lesson is that retention is not a storage problem; it’s an information lifecycle problem: records must be created from real events, preserved without corruption, and retrievable without archaeology. If you want a concrete implementation pattern, start with a Record Retention Policy that is actually enforceable in your operating systems.

Note the operationally important point: electronic recordkeeping is generally acceptable if managed correctly. But “electronic” is not the same as “PDF in a shared drive.” Electronic recordkeeping that survives scrutiny typically has: structured fields, controlled edits, audit trails, role governance, and a reliable way to show who did what, when, and under what authority. That is exactly why Part 1 frequently intersects with 21 CFR Part 11 concepts and data integrity expectations.

8) Subpart K & Q: Administrative detention as a “stop the world” event

Administrative detention is not a “documentation request.” It is an operational constraint event. When detention authority is exercised, your ability to execute is limited until you comply with the legal and procedural obligations around detention, control, and response. That means your internal hold/quarantine mechanics must be real—not just a label in a spreadsheet.

From a systems standpoint, this is where inventory status integrity matters: can you lock product movement across WMS/ERP/shipping? Can you prevent workarounds? Can you show disposition authority and chain-of-custody? Can you prove what was detained, where it was, and how it was controlled during the event?

This is also where organizations discover that they do not have a coherent “single source of truth.” If your warehouse can ship around your QMS hold, or your ERP can issue around your WMS quarantine, you are not ready for a detention scenario. You are relying on compliance by goodwill.

Even if your business is not “pharma,” note that Part 1 also contains a narrow drug detention provision (Subpart Q). The broader message is consistent: enforcement events force you to prove that your operational controls are not theatrical. If you want a supporting control concept for this section, see Quarantine (Quality Hold Status).

9) Subpart L: FSVP—supplier verification as a regulated workflow

FSVP is where “supplier qualification” stops being a procurement preference and becomes a regulated program. Under FSVP, the importer is expected to have a structured approach to supplier verification and to retain records that show it was actually executed.

This matters operationally because it changes the nature of supplier management. You’re no longer only scoring suppliers on lead time and price; you’re establishing a verification logic that can include hazard analysis, supplier performance evaluation, verification activities, and corrective actions. If your supplier management system cannot show the “who/what/when/why” of verification, you don’t have a program—you have a claim.

Two common failure patterns show up repeatedly. First: FSVP is “owned” by one person and executed through email and spreadsheets. That collapses as soon as you scale SKUs, suppliers, or turnover. Second: verification is done, but the evidence is not organized into a retrieval-ready record set.

If you want practical implementation patterns for “supplier verification as workflow,” start with Supplier Quality Agreements and Supplier Quality. The operational goal is simple: make verification an executable workflow with governance, not a “policy document that exists somewhere.”

10) Subpart M: Third-party certification—what it is (and what it isn’t)

Third-party certification under Part 1 is frequently misunderstood. Some teams treat certification as a replacement for internal controls: “If we have an audit certificate, we’re covered.” That’s not how this works.

Subpart M is about accreditation and requirements for third-party certification bodies and their audit agents—how they qualify, how they avoid conflicts of interest, what records they keep, and how FDA can monitor or withdraw accreditation. Operationally, the relevance for manufacturers and importers is that third-party certification can be part of a broader compliance posture, but it does not absolve you of your own recordkeeping, sanitation, traceability, and verification obligations.

Tell it like it is: if your strategy is “rent credibility” via certificates while your internal records are weak, Part 1 will still find you. Certification can support a strong system. It cannot replace one.

11) Subpart O: Sanitary transportation—controls, training, and records

Sanitary transportation is where food safety meets logistics reality. The regulation is not asking for perfect conditions; it’s asking for controlled conditions: equipment suitability, sanitary operations, training, and records that demonstrate responsibilities were met.

The most important operational concept is that responsibilities are distributed across roles—shipper, loader, carrier, receiver—and failures happen at the seams. One party assumes “the other side handles it,” and nobody owns the end-to-end evidence. Subpart O pressures you into writing down role expectations and producing records that prove they were followed.

If your operation is temperature-sensitive or contamination-risk sensitive, treat this subpart as a control design exercise: define requirements, define evidence, and define what triggers an exception/hold. Practical control anchors include Cold Chain Integrity Checks and Temperature Controlled Storage, plus end-to-end role handoffs via the Warehouse & Logistics hub.

In practice, strong programs treat sanitary transportation like a mini quality system: documented specifications (including temperature control when applicable), equipment acceptance criteria, cleaning/sanitation expectations, training evidence, and record retention aligned to a consistent identity model (what shipped, what equipment moved it, what conditions applied, and when custody changed).

12) Subpart R: Laboratory accreditation for certain food analyses

Subpart R is relevant when FDA’s program calls for accredited laboratories for certain analyses and reporting. For many manufacturers, it’s not a daily operating requirement, but it becomes very relevant under specific enforcement or testing scenarios. Operationally, it emphasizes two principles: (1) test results are not “just a PDF,” they are regulated evidence, and (2) the chain between sample, method, lab, and result must be coherent.

If your lab result lifecycle is a shared folder full of attachments, you will struggle to answer basic questions under stress: what sample was tested, what method was used, which lot it represents, whether the lab was appropriate for the test, and how the result ties to release decisions and corrective actions.

For organizations building a long-term compliance posture, the practical lesson is to treat lab data as structured and linkable—not as an afterthought. Even if Subpart R is not your daily constraint, it is a preview of how FDA thinks about evidence quality.

13) Subpart S: FSMA Food Traceability Rule—additional traceability records

Subpart S is the part of Part 1 that has forced many companies to rethink their traceability architecture. The FSMA Food Traceability Rule establishes additional traceability record requirements for certain foods (Food Traceability List, or FTL) and introduces concepts like traceability plans, traceability lot codes, and record capture at critical tracking events.

Here is the operational reality: the rule is not satisfied by “we can usually trace things.” It pushes toward a repeatable, high-confidence, time-bounded traceability response. That means your identity model, event model, and record retention model must be engineered, not improvised.

For implementation patterns aligned to Subpart S outcomes, use: FSMA 204 Traceability and the broader Traceability in Regulated Manufacturing hub.

Operationally, Subpart S is built on four control objects that must be real in your system:

This is why FSMA 204 work is fundamentally a systems and operations design project. It’s not solved by a training session. It’s solved by building an event model that captures CTEs and KDEs as structured records tied to traceability lot codes and transformations.

14) System architecture: building “Part 1-grade” records

Across all Part 1 subparts, the same architecture principle repeats: compliance depends on consistent identity and event-linked evidence. The moment you treat “lot,” “code,” “packaging,” “unit of measure,” or “product description” as free text, you sabotage your ability to answer regulatory questions quickly and reliably.

A “Part 1-grade” record architecture typically has these characteristics:

If you want practical implementation patterns for traceability and record design, the following guides are directly aligned to Part 1 outcomes: FSMA 204 Traceability, Food Traceability Program, and Manufacturing Traceability Software. They address the operational “how” that Part 1 assumes you already solved.

For lot identity specifically, weak lot conventions are a quiet disaster. If lot codes are not stable, not propagated, or not enforced at the event level, your traceability posture will collapse under pressure. A practical operational pattern is to treat lot code assignment and propagation as a governed design, not an operator habit—see Lot Numbering Strategy.

15) Where Part 11 intersects Part 1 (and where it doesn’t)

Part 1 often allows (or expects) recordkeeping. Many of those records are maintained electronically in modern operations. That does not automatically mean “Part 11 applies to everything.” Part 11 applicability is nuance-heavy and depends on the nature of the record and its regulatory use.

But here’s the practical operational truth: even when Part 11 applicability is debated, data integrity expectations do not go away. If you want Part 1 records to be defensible, your system must produce reliable evidence: audit trails, controlled permissions, meaningful signatures/approvals when used, and protected record retention.

This is why teams often pair Part 1 readiness with a Part 11 posture review and a data integrity posture review. If you need an internal anchor for those concepts: 21 CFR Part 11, Data Integrity, and the Data Integrity + Part 11 + Annex 11 + Audit Trails hub.

16) Inspection & incident response: how to avoid chaos

Part 1 failures often show up during stressful moments: an FDA inquiry, an import disruption, a contamination signal, a customer complaint cluster, or a recall. Under those conditions, three things matter more than your written SOPs: record retrievability, identity coherence, and decision governance.

A practical incident posture includes:

1) A prebuilt retrieval playbook. If your first traceability exercise happens in a crisis, it will be slow, noisy, and incomplete.

2) A single authority for “truth.” If ERP says one thing, WMS says another, and the warehouse spreadsheet says a third, you will waste critical time arbitrating instead of responding.

3) Governed holds and releases. When you need to stop product movement, the system must actually stop it. If “hold” is advisory, you don’t have control; you have hope.

Part 1 does not require “perfect operations.” It requires controlled operations with evidence. Your goal is to be able to answer “what happened?” and “what did you do about it?” using records that were generated by normal execution, not reconstructed after the fact.

17) Copy/paste compliance scorecard (self-assessment)

Use this as a practical self-assessment. If you can’t answer these cleanly, your Part 1 posture is fragile.

The goal is not to generate a “score.” The goal is to identify where your operating model depends on reconstruction and replace it with event-driven evidence.

18) Selection pitfalls: how Part 1 compliance gets faked

• PDF-as-a-system. If records are “stored” as scanned documents without structured identity fields, retrieval becomes manual and error-prone.
• Spreadsheet traceability. Spreadsheets can help analysis, but they are not reliable control systems under stress or scale.
• Free-text lots and codes. If lot/code identity is not controlled, you will create ambiguous traces and mismatched records.
• Hold states that don’t hold. If shipping can bypass QA hold via a different system, you’re not controlling distribution.
• Training that isn’t provable. For transportation and other controlled activities, “we trained them” without records becomes “we didn’t.”
• Certification as a substitute. Third-party certificates don’t replace your internal event records and governance.
• No retrieval drills. If you don’t practice pulling records, you will learn you can’t pull them during a real event.

19) How this maps to V5 by SG Systems Global

V5 supports Part 1 outcomes by making records event-linked and retrievable rather than reconstructive. Part 1 compliance success depends on consistent identity, controlled statuses, and fast retrieval. Those are systems properties, not document properties.

• V5 platform + products:
  V5 Solution Overview,
  Manufacturing Execution System (MES),
  Quality Management System (QMS),
  Warehouse Management System (WMS),
  V5 Connect (API).
• Traceability & genealogy: Food Traceability Program and FSMA 204 Traceability implementation patterns support Subpart J and Subpart S outcomes.
• Inventory status integrity: Controlled segregation supports detention/hold posture and prevents “shadow shipping” (see Inventory Segregation Software).
• Documentation discipline: Controlled record creation and correction practices support Part 1 readiness (see Good Documentation Practices (GDP)).
• Lot identity rigor: Stable lot conventions support traceability lot code propagation and recall scope control (see Lot Numbering Strategy).
• Food industry context: If you want a sector landing page to orient scope, see Food Processing.

The point is not “software solves regulations.” The point is that Part 1 assumes you have a record architecture that behaves under pressure. V5 is designed to make that architecture practical and enforceable.

20) Extended FAQ

Q1. Is 21 CFR Part 1 a “food-only” regulation?
It is primarily food-focused in practice because several major FSMA and food program requirements live in Part 1 (registration, recordkeeping, FSVP, sanitary transportation, traceability). Part 1 also contains other enforcement provisions, including a drug detention provision, but most operational attention is on the food subparts.

Q2. If we’re a distributor/warehouse, do we still care?
Often, yes. If you hold, receive, ship, or transform covered foods (and especially foods on the Food Traceability List), Part 1 obligations can apply. The risk is assuming “we don’t manufacture” means “we don’t have record obligations.”

Q3. What is the most common Part 1 failure pattern?
Weak record architecture: unstructured documents, inconsistent lot identity, scattered systems, and reliance on reconstruction. When asked for records, teams discover they can’t produce them quickly or confidently.

Q4. Can we comply with Part 1 using spreadsheets?
You can sometimes get by when volume is low and people are stable. But it is fragile. Under scale, turnover, or incident pressure, spreadsheets create delays and errors—and Part 1 is an “under pressure” regulation.

Q5. How does Part 11 relate to Part 1?
Part 1 frequently allows electronic records and requires records to be available and retained. Part 11 may apply depending on the record context. Regardless, data integrity expectations still apply if you want the records to be defensible.

Q6. What’s the fastest way to tell if our traceability posture is real?
Run retrieval drills. Pick a lot code, then prove you can identify previous sources, recipients, transformations, and shipments from system records. If it takes days and multiple spreadsheets, your posture is not resilient.

Related Reading
• SG Reference Pages: 21 CFR Part 11 | 21 CFR Part 117 | 21 CFR Part 507 | 21 CFR Part 101
• FSMA 204 + Traceability Implementation: FSMA 204 Traceability | Food Traceability Program | Traceability in Regulated Manufacturing hub
• Records & Identity Discipline: Record Retention Policy | Good Documentation Practices (GDP) | Lot Numbering Strategy | Inventory Segregation Software
• Supporting Concepts: KDE | CTE | Lot Traceability | Data Integrity
• V5 Product Pages: V5 Solution Overview | MES | QMS | WMS | V5 Connect (API)