21 CFR § 117.130 — Hazard analysis
21 CFR — Food & Drugs · FDA
21 CFR 117.130 is the FSMA hazard analysis requirement — the foundational HACCP-style risk assessment for food facilities. Every covered food facility must conduct a written hazard analysis identifying biological, chemical, and physical hazards in each product, and determine which require preventive controls. The hazard analysis must be conducted or overseen by a PCQI (Preventive Controls Qualified Individual — typically completed a 2.5-day FDA-approved course). Without a documented hazard analysis, the facility cannot demonstrate it understands its risks — and the entire Food Safety Plan crumbles.
Regulation summary
21 CFR Part 117 implements the Food Safety Modernization Act (FSMA) Preventive Controls for Human Food rule. Section 117.130 requires every covered facility to conduct a written hazard analysis to identify and evaluate, for each type of food manufactured, processed, packed, or held, known or reasonably foreseeable hazards that require a preventive control. Hazards include biological (pathogens, parasites), chemical (drug residues, pesticides, food allergens, mycotoxins, natural toxins), and physical hazards. The hazard analysis must be conducted or overseen by a Preventive Controls Qualified Individual (PCQI).
Who must comply
All FDA-registered food facilities subject to FSMA preventive controls — generally facilities that manufacture, process, pack, or hold human food. Exemptions: qualified facilities (≤$1 million in sales averaged over 3 years), farms doing only on-farm activities, USDA-regulated facilities (meat, poultry, egg products), low-acid canned food (separate FDA rule), juice/seafood HACCP, alcoholic beverages, dietary supplements.
What happens if violated
FDA enforcement options: warning letter, FDA injunction, suspended facility registration (effectively stops operations), criminal prosecution for serious violations. After a foodborne illness outbreak linked to a facility without adequate hazard analysis, exposure can include criminal charges, multi-million-dollar settlements, and brand destruction. Annual FDA inspection prioritization elevated for facilities with no hazard analysis on file.
Implementation checklist
- Designate a Preventive Controls Qualified Individual (PCQI) — typically completes FDA-approved curriculum.
- Map each product's process flow from receiving to shipping.
- Identify hazards at each step: biological, chemical (including allergens), physical.
- Evaluate likelihood and severity of each hazard.
- Determine which hazards require preventive controls.
- Document the hazard analysis in writing, signed and dated.
- Develop preventive controls for hazards requiring them (process, sanitation, food allergen, supply chain).
- Establish monitoring, corrective action, and verification procedures (21 CFR 117.140, 117.150, 117.165).
- Reanalyze hazards at least every 3 years AND whenever significant changes occur.
- Maintain Food Safety Plan documentation accessible to FDA during inspections.
Common misinterpretations
- Misinterpretation: 'My HACCP plan from 2010 still covers it.' Reality: FSMA preventive controls (21 CFR 117) significantly expanded the older HACCP framework. Pre-FSMA HACCP plans don't satisfy 117.130 without updating. Hazards must be analyzed under the FSMA framework specifically.
- Misinterpretation: 'I can do my own hazard analysis.' Reality: A Preventive Controls Qualified Individual (PCQI) must conduct or oversee the hazard analysis per 21 CFR 117.180. PCQI status requires completing an FDA-approved curriculum (2.5 days). Some small businesses can self-certify with limited PCQI courses; most require formal certification.
- Misinterpretation: 'Only food safety hazards count.' Reality: 21 CFR 117.130(b) covers biological, chemical, AND physical hazards. Physical hazards (metal fragments, glass, foreign objects) and chemical hazards (allergens, pesticide residues) must be analyzed alongside biological hazards (Salmonella, Listeria, etc.).
- Misinterpretation: 'The hazard analysis is one-and-done.' Reality: 21 CFR 117.170 requires reanalysis at least every 3 years, and whenever there's a significant change (new product, new ingredient, new process, new equipment, new pathogen of concern, etc.). Continuous improvement is required.
Frequently asked questions
What is FSMA and how does it relate to HACCP?
Food Safety Modernization Act (FSMA, 2011) gave FDA authority to regulate food safety with prevention-focused rules. FSMA's Preventive Controls for Human Food rule (21 CFR 117) is the post-FSMA framework — broader than the older HACCP (Hazard Analysis and Critical Control Points) approach. FSMA preventive controls cover all hazards (biological, chemical, physical) and require Food Safety Plans, while HACCP traditionally focused more narrowly.
Who is a Preventive Controls Qualified Individual (PCQI)?
A PCQI is an individual who has completed FSMA-required training (typically a 2.5-day FDA-approved curriculum, like the FSPCA Preventive Controls for Human Food course) or has job experience that provides equivalent knowledge. PCQI must conduct or oversee the hazard analysis and Food Safety Plan development.
What hazards must I analyze?
Per 21 CFR 117.130(b): biological hazards (pathogens like Salmonella, Listeria, E. coli; parasites), chemical hazards (drug residues, pesticides, food allergens, mycotoxins, natural toxins), physical hazards (metal, glass, foreign objects). For each product and process step.
Are small businesses exempt from FSMA?
QUALIFIED FACILITIES (≤$1 million averaged sales over 3 years, OR very small businesses ≤$1 million averaged sales of human food + ≤500 employees) have a modified compliance pathway under 21 CFR 117.5. Not fully exempt — they must still submit attestations. Other small businesses (under $2.5M but over $1M) may have phased compliance dates.
How is FSMA different from HACCP?
HACCP traditionally focused on critical control points (CCPs) — specific process steps where hazards must be controlled. FSMA Preventive Controls (PC) is broader, including all of: process controls (similar to CCPs), food allergen controls, sanitation controls, and supply chain controls. PC also includes a recall plan and a more rigorous reanalysis cadence.
When must I reanalyze hazards?
At least every 3 years per 21 CFR 117.170. Also: whenever there's a significant change (new product, new ingredient, new process, new equipment, new supplier, new pathogen of concern), or whenever a preventive control is found inadequate.
Cross-references: 21 CFR 117.135 · 21 CFR 117.140 · 21 CFR 117.150 · 21 CFR 117.180
FileFlo tracks documents required by this regulation automatically:
Connect your folder or Drive — FileFlo classifies every document, maps it to the CFR section it satisfies, and alerts you before any expiration becomes a citation. Starter $89/mo, Professional $299/mo. 5-day free trial.
Start the 5-day free trialAuthoritative source: eCFR.gov →