Skip to main content
Compliance Reference

21 CFR § 117.130

Hazard analysis

Effective: Last amended: Last reviewed:

See your compliance status for this section

3-minute free audit. CFR-cited gap report. No signup.

Run free audit →

What does 21 CFR § 117.130 require?

21 CFR 117.130 is the FSMA hazard analysis requirement — the foundational HACCP-style risk assessment for food facilities. Every covered food facility must conduct a written hazard analysis identifying biological, chemical, and physical hazards in each product, and determine which require preventive controls. The hazard analysis must be conducted or overseen by a PCQI (Preventive Controls Qualified Individual — typically completed a 2.5-day FDA-approved course). Without a documented hazard analysis, the facility cannot demonstrate it understands its risks — and the entire Food Safety Plan crumbles.

Regulation text (summary)

21 CFR Part 117 implements the Food Safety Modernization Act (FSMA) Preventive Controls for Human Food rule. Section 117.130 requires every covered facility to conduct a written hazard analysis to identify and evaluate, for each type of food manufactured, processed, packed, or held, known or reasonably foreseeable hazards that require a preventive control. Hazards include biological (pathogens, parasites), chemical (drug residues, pesticides, food allergens, mycotoxins, natural toxins), and physical hazards. The hazard analysis must be conducted or overseen by a Preventive Controls Qualified Individual (PCQI).

Read full regulation at eCFR.gov

Who must comply with 21 CFR § 117.130?

All FDA-registered food facilities subject to FSMA preventive controls — generally facilities that manufacture, process, pack, or hold human food. Exemptions: qualified facilities (≤$1 million in sales averaged over 3 years), farms doing only on-farm activities, USDA-regulated facilities (meat, poultry, egg products), low-acid canned food (separate FDA rule), juice/seafood HACCP, alcoholic beverages, dietary supplements.

What happens if you violate 21 CFR § 117.130?

FDA enforcement options: warning letter, FDA injunction, suspended facility registration (effectively stops operations), criminal prosecution for serious violations. After a foodborne illness outbreak linked to a facility without adequate hazard analysis, exposure can include criminal charges, multi-million-dollar settlements, and brand destruction. Annual FDA inspection prioritization elevated for facilities with no hazard analysis on file.

$10,000–$1,000,000

Penalty range

~1,200

Annual citations

+5.9%

YoY penalty trend

How to comply (implementation checklist)

  1. 1Designate a Preventive Controls Qualified Individual (PCQI) — typically completes FDA-approved curriculum.
  2. 2Map each product's process flow from receiving to shipping.
  3. 3Identify hazards at each step: biological, chemical (including allergens), physical.
  4. 4Evaluate likelihood and severity of each hazard.
  5. 5Determine which hazards require preventive controls.
  6. 6Document the hazard analysis in writing, signed and dated.
  7. 7Develop preventive controls for hazards requiring them (process, sanitation, food allergen, supply chain).
  8. 8Establish monitoring, corrective action, and verification procedures (21 CFR 117.140, 117.150, 117.165).
  9. 9Reanalyze hazards at least every 3 years AND whenever significant changes occur.
  10. 10Maintain Food Safety Plan documentation accessible to FDA during inspections.

Common misinterpretations

  • Misinterpretation: 'My HACCP plan from 2010 still covers it.' Reality: FSMA preventive controls (21 CFR 117) significantly expanded the older HACCP framework. Pre-FSMA HACCP plans don't satisfy 117.130 without updating. Hazards must be analyzed under the FSMA framework specifically.
  • Misinterpretation: 'I can do my own hazard analysis.' Reality: A Preventive Controls Qualified Individual (PCQI) must conduct or oversee the hazard analysis per 21 CFR 117.180. PCQI status requires completing an FDA-approved curriculum (2.5 days). Some small businesses can self-certify with limited PCQI courses; most require formal certification.
  • Misinterpretation: 'Only food safety hazards count.' Reality: 21 CFR 117.130(b) covers biological, chemical, AND physical hazards. Physical hazards (metal fragments, glass, foreign objects) and chemical hazards (allergens, pesticide residues) must be analyzed alongside biological hazards (Salmonella, Listeria, etc.).
  • Misinterpretation: 'The hazard analysis is one-and-done.' Reality: 21 CFR 117.170 requires reanalysis at least every 3 years, and whenever there's a significant change (new product, new ingredient, new process, new equipment, new pathogen of concern, etc.). Continuous improvement is required.

Real enforcement examples

Anonymized from public FDA enforcement summaries. Penalty amounts reflect assessed and final settled values where disclosed.

Food manufacturer received FDA warning letter in 2024 after inspection found no written hazard analysis. Facility had been operating under pre-FSMA HACCP plan that had not been updated. Subsequent recall of product contributed to civil settlement of ~$1.2M.

Source: FDA Warning Letter database, anonymized

How FileFlo handles 21 CFR § 117.130

FileFlo's compliance rule-pack FDA-21CFR117.130 automatically checks every document you upload against this regulation. Auto-detects document type, parses key fields, sets renewal alerts, and surfaces this section in your audit binder if a gap is found.

Run free audit covering this section →

Already evaluating? Start a 5-day free trial →

Frequently asked questions

What is FSMA and how does it relate to HACCP?

Food Safety Modernization Act (FSMA, 2011) gave FDA authority to regulate food safety with prevention-focused rules. FSMA's Preventive Controls for Human Food rule (21 CFR 117) is the post-FSMA framework — broader than the older HACCP (Hazard Analysis and Critical Control Points) approach. FSMA preventive controls cover all hazards (biological, chemical, physical) and require Food Safety Plans, while HACCP traditionally focused more narrowly.

Who is a Preventive Controls Qualified Individual (PCQI)?

A PCQI is an individual who has completed FSMA-required training (typically a 2.5-day FDA-approved curriculum, like the FSPCA Preventive Controls for Human Food course) or has job experience that provides equivalent knowledge. PCQI must conduct or oversee the hazard analysis and Food Safety Plan development.

What hazards must I analyze?

Per 21 CFR 117.130(b): biological hazards (pathogens like Salmonella, Listeria, E. coli; parasites), chemical hazards (drug residues, pesticides, food allergens, mycotoxins, natural toxins), physical hazards (metal, glass, foreign objects). For each product and process step.

Are small businesses exempt from FSMA?

QUALIFIED FACILITIES (≤$1 million averaged sales over 3 years, OR very small businesses ≤$1 million averaged sales of human food + ≤500 employees) have a modified compliance pathway under 21 CFR 117.5. Not fully exempt — they must still submit attestations. Other small businesses (under $2.5M but over $1M) may have phased compliance dates.

How is FSMA different from HACCP?

HACCP traditionally focused on critical control points (CCPs) — specific process steps where hazards must be controlled. FSMA Preventive Controls (PC) is broader, including all of: process controls (similar to CCPs), food allergen controls, sanitation controls, and supply chain controls. PC also includes a recall plan and a more rigorous reanalysis cadence.

When must I reanalyze hazards?

At least every 3 years per 21 CFR 117.170. Also: whenever there's a significant change (new product, new ingredient, new process, new equipment, new supplier, new pathogen of concern), or whenever a preventive control is found inadequate.

Related regulations

21 CFR 117.13521 CFR 117.14021 CFR 117.15021 CFR 117.180

Author

Chad Griffith

Founder + CEO, FileFlo · Defense + Aviation operations background

LinkedIn

Sources + reviewer

Primary source: eCFR.gov: 21 CFR § 117.130

Reviewed by Chad Griffith (Founder + CEO, FileFlo) on

Disclaimer: This page summarizes a federal regulation in plain English. FileFlo is not a law firm; this is not legal advice. The regulation text and primary sources at eCFR.gov are authoritative. Consult qualified counsel for advice specific to your operation.