HACCP (Hazard Analysis and Critical Control Points) isn't a document you write once and file away — it's a live system for identifying where food safety hazards can enter your process and controlling them before product reaches a customer. The Codex Alimentarius defines seven principles that every HACCP plan must cover, and auditors check them in order because each one depends on the last.
Principle 1 — Conduct a hazard analysis
List every processing step, then identify the biological, chemical and physical hazards that could occur at each one — and how likely and severe each is. This isn't a generic checklist; it has to reflect your actual process, ingredients and facility.
Example: for a ready-to-eat meal line, biological hazards include Listeria monocytogenes post-cook contamination; chemical hazards include allergen cross-contact; physical hazards include metal fragments from processing equipment.
Principle 2 — Determine the critical control points (CCPs)
A CCP is a step where control can be applied and is essential to prevent or eliminate a hazard, or reduce it to an acceptable level. Not every hazard needs a CCP — some are controlled by prerequisite programs (PRPs) like sanitation or supplier approval instead.
Example: the cook step for the ready-to-eat meal is a CCP for Listeria — it's the last point where a kill step is possible.
Principle 3 — Establish critical limits
For each CCP, set the measurable boundary that separates safe from unsafe — a minimum internal temperature and hold time, a maximum pH, a required metal-detector sensitivity.
Example: internal product temperature must reach 74°C (165°F) for at least 15 seconds during cook.
Principle 4 — Establish monitoring procedures
Define how, how often, and by whom each critical limit is checked — and make sure it's actually observable in real time, not discovered after the fact.
Example: line operator checks and logs core temperature with a calibrated probe thermometer every batch.
Principle 5 — Establish corrective actions
Decide in advance what happens when a critical limit is breached — not improvised in the moment. Who's notified, what's done with the affected product, how is the process brought back under control?
Example: if cook temperature falls short, the batch is held and reprocessed or destroyed; the cooker is inspected before the next run.
Common finding: auditors frequently find corrective actions that address the immediate batch but never investigate why the deviation happened in the first place — that's where a CAPA (root-cause analysis, not just containment) should kick in.
Principle 6 — Establish verification procedures
Verification confirms the whole plan is working, on top of routine monitoring — calibration checks, periodic micro testing, review of monitoring records, and revalidation when the process changes.
Example: monthly calibration of probe thermometers; quarterly environmental swabbing for Listeria in the post-cook zone.
Principle 7 — Establish record-keeping and documentation
Every monitoring result, deviation, corrective action and verification activity needs a record — this is what you actually show an auditor. If it isn't recorded, from a certification standpoint, it didn't happen.
Where HACCP plans usually fall apart
Not at the writing stage — at the maintenance stage. A plan built in a spreadsheet or PDF gets out of sync with reality: a new supplier, a line change, a shift in cook parameters, and nobody updates the hazard analysis or the monitoring log template. A native food-safety system keeps the plan, the CCP monitoring, and the food registers (temperature, allergens, recalls, traceability) connected — so a monitoring breach can raise a task or CAPA automatically instead of waiting for someone to notice.
See HACCP & Food Safety Software in ISOXPERT Compliance360 →